{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/yeswiki/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["yeswiki","sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eYesWiki versions 4.6.0 and earlier are vulnerable to SQL injection in the bazar module. This vulnerability exists in \u003ccode\u003etools/bazar/services/EntryManager.php\u003c/code\u003e within the \u003ccode\u003eformatDataBeforeSave()\u003c/code\u003e function. The \u003ccode\u003e$data['id_fiche']\u003c/code\u003e value, derived from the \u003ccode\u003e$_POST['id_fiche']\u003c/code\u003e parameter, is directly concatenated into a raw SQL query without proper sanitization. An authenticated attacker can exploit this by sending a crafted POST request to the \u003ccode\u003e/api/entries/{formId}\u003c/code\u003e endpoint. Successful exploitation enables time-based blind SQL injection, potentially leading to complete database compromise. The vulnerability was confirmed using a Docker PoC demonstrating the ability to induce a time delay using the SLEEP() function within the injected SQL.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the YesWiki application as any user. This requires a valid \u003ccode\u003ewikini_session\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request to \u003ccode\u003e/api/entries/{formId}\u003c/code\u003e, where \u003ccode\u003e{formId}\u003c/code\u003e is the ID of an existing bazar form.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eid_fiche\u003c/code\u003e parameter with a malicious SQL payload, such as \u003ccode\u003e' OR SLEEP(3) OR '\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eApiController::createEntry()\u003c/code\u003e processes the request and calls \u003ccode\u003eisEntry($_POST['id_fiche'])\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSince the injected SQL will likely not correspond to an existing entry, the \u003ccode\u003ecreate()\u003c/code\u003e method is invoked.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreate()\u003c/code\u003e method calls \u003ccode\u003eformatDataBeforeSave()\u003c/code\u003e, which contains the SQL injection vulnerability at line 704 in \u003ccode\u003eEntryManager.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is executed by the database server via \u003ccode\u003edbService-\u0026gt;loadSingle()\u003c/code\u003e, without proper escaping or parameterization.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker can extract sensitive information from the database, such as usernames, passwords, and other confidential data. They can also modify data within the database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to the complete compromise of the YesWiki database. This includes the potential to access and exfiltrate sensitive data, such as user credentials, configuration details, and business-critical information. Attackers can also modify or delete data, leading to data integrity issues and service disruption. Since any authenticated user can trigger the vulnerability, the impact is widespread. The vulnerability affects composer/yeswiki/yeswiki versions 4.6.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided patch in \u003ccode\u003etools/bazar/services/EntryManager.php\u003c/code\u003e by escaping the \u003ccode\u003e$data['id_fiche']\u003c/code\u003e value before using it in the SQL query (see Proposed Fix in Content section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect YesWiki SQL Injection Attempt via API Entries\u0026rdquo; to detect attempts to exploit this vulnerability via suspicious \u003ccode\u003eid_fiche\u003c/code\u003e POST data.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/entries/*\u003c/code\u003e with unusually long or complex \u003ccode\u003eid_fiche\u003c/code\u003e parameters, as this could indicate a SQL injection attempt.\u003c/li\u003e\n\u003cli\u003eReview and audit all database queries within the YesWiki application to identify and remediate any other potential SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T01:00:30Z","date_published":"2026-04-18T01:00:30Z","id":"/briefs/2024-01-24-yeswiki-sqli/","summary":"YesWiki is vulnerable to authenticated SQL Injection via the id_fiche parameter in the EntryManager::formatDataBeforeSave() function, allowing attackers to inject arbitrary SQL commands and potentially extract sensitive data.","title":"YesWiki Authenticated SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-24-yeswiki-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Yeswiki","version":"https://jsonfeed.org/version/1.1"}