<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>YesWiki 4.6.5 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/yeswiki-4.6.5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 21:09:58 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/yeswiki-4.6.5/feed.xml" rel="self" type="application/rss+xml"/><item><title>YesWiki Second-Order SQL Injection via Unescaped Page Tag in API Controller</title><link>https://feed.craftedsignal.io/briefs/2026-07-yeswiki-second-order-sqli/</link><pubDate>Thu, 09 Jul 2026 21:09:58 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-yeswiki-second-order-sqli/</guid><description>A critical second-order SQL injection vulnerability (GHSA-8f2v-2qhj-gfwg) in YesWiki versions up to 4.6.5 allows a low-privilege authenticated attacker to execute arbitrary SQL commands via an unescaped page tag in the `ApiController::deletePage()` API, leading to time-based blind data exfiltration.</description><content:encoded><![CDATA[<p>A critical second-order SQL injection vulnerability (GHSA-8f2v-2qhj-gfwg) has been identified in YesWiki versions up to and including 4.6.5, affecting its <code>ApiController::deletePage()</code> API endpoint. This flaw allows a low-privilege authenticated attacker to execute arbitrary SQL commands within the wiki's database, leading to potential data exfiltration. The vulnerability occurs because the application, while correctly escaping SQL metacharacters upon initial insertion of a page tag (e.g., <code>SleepTag' OR SLEEP(2)-- </code>) into the <code>yeswiki_pages</code> table, fails to re-escape this stored, attacker-controlled tag when it's later retrieved and used in a <code>DELETE FROM ..._links WHERE to_tag = '$tag'</code> query. This second-order behavior bypasses typical input validation and enables time-based blind data exfiltration of sensitive information like user credentials, private page content, and other database records. The issue is exposed via the <code>DELETE /api/pages/{tag}</code> route, which is accessible to any authenticated user.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise</strong>: A low-privilege authenticated user gains access to a YesWiki instance.</li>
<li><strong>Malicious Page Creation</strong>: The attacker sends a <code>POST</code> request to <code>/api/pages/{tag}</code> with a URL-encoded malicious tag (e.g., <code>SleepTag%27%20OR%20SLEEP(2)--%20</code>) containing SQL metacharacters. This tag is stored unescaped in the <code>yeswiki_pages</code> database table.</li>
<li><strong>Linker Page Creation</strong>: The attacker creates a second, benign page, for example, <code>LinkPoc</code>, via <code>POST /api/pages/LinkPoc</code>.</li>
<li><strong>Establish Link</strong>: The attacker updates the <code>LinkPoc</code> page (e.g., via the <code>LinkPoc/edit</code> web editor handler) to include a reference to the malicious page using <code>{{include page=&quot;&lt;evil tag&gt;&quot;}}</code>. This action causes the application to insert a row into the <code>yeswiki_links</code> table, establishing a link to the malicious page and storing its raw, unescaped tag as <code>to_tag</code>.</li>
<li><strong>Vulnerability Trigger</strong>: The attacker sends a <code>DELETE</code> request to <code>/api/pages/{evil-tag}</code> for the malicious page. The <code>DELETE</code> request targets the same URL-encoded malicious tag as created in step 2.</li>
<li><strong>SQL Injection Execution</strong>: During the deletion process, the YesWiki application retrieves the stored malicious tag from the database and uses it unescaped in an SQL query like <code>DELETE FROM yeswiki_links WHERE to_tag = '$tag'</code>. The injected SQL (e.g., <code>OR SLEEP(2)-- </code>) is then executed within the database.</li>
<li><strong>Data Exfiltration</strong>: By varying the injected SQL payload, such as using conditional <code>SLEEP()</code> statements, the attacker can perform time-based blind data exfiltration of sensitive information from any accessible database table.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to time-based blind exfiltration of sensitive data from the YesWiki database. This includes highly sensitive information such as user password hashes (<code>_users.password</code>), email addresses, Access Control List (ACL) configurations (<code>_acls.list</code>), private page bodies (<code>_pages.body</code>), and database session data. Given the &quot;acl:+&quot; access control, any authenticated user, regardless of their privilege level, can initiate this attack. The impact can range from unauthorized disclosure of user data to full compromise of the wiki's content and user base.</p>
<h2 id="recommendation">Recommendation</h2>
<ol>
<li>Immediately patch YesWiki installations to the latest version to address GHSA-8f2v-2qhj-gfwg.</li>
<li>Deploy the <code>Detect YesWiki SQLi Attempt via URL-encoded Single Quote</code> Sigma rule to your SIEM and tune it for your environment.</li>
<li>Enable comprehensive webserver logging (e.g., access logs) for the <code>webserver</code> category to activate the provided Sigma rule.</li>
</ol>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>web-application</category><category>vulnerability</category><category>yeswiki</category><category>ghsa</category></item></channel></rss>