GHSA-f58v-p6j9-24c2: Authenticated SQL Injection in YesWiki Bazar Module

YesWiki is an open-source wiki software. The Bazar module extends the wiki with structured data entry capabilities. Within this module, the EntryManager service handles the creation and modification of these entries.

The vulnerability is categorized as CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The application fails to sanitize user-supplied input before embedding it within a database query.

An attacker with basic authenticated access (requiring only acl:{\u0022+\u0022} permissions) can leverage this flaw. By targeting the application programming interface (API) endpoints responsible for entry management, the attacker achieves arbitrary SQL execution against the backend database.

The root cause resides in the handling of HTTP POST requests within the Bazar module's EntryManager service. Specifically, the processing of the id_fiche parameter bypasses standard input sanitization routines.

When an authenticated user submits a request to the /api/entries/{formId} endpoint, the application routes the payload to ApiController::createEntry(). This controller subsequently verifies the entry's existence using the provided id_fiche value.

If the entry is not found, the controller invokes the create() method, which subsequently calls formatDataBeforeSave(). During this formatting phase, the unsanitized id_fiche value is directly concatenated into a raw SQL string.

The resulting query is passed directly to the DbService::loadSingle() method. The backend database executes the concatenated string verbatim, enabling the attacker to alter the query logic.

The specific failure occurs in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] variable is extracted from the incoming request payload and inserted into a SELECT statement.

$result = $this->dbService->loadSingle(
    'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
    "WHERE tag='" . $data['id_fiche'] . "'"
);

The DbService class provides an escape() method designed to neutralize SQL metacharacters. However, the developer omitted this call when constructing the WHERE clause for the tag column.

The patched version introduces the required escape() call prior to query construction. This modification ensures that malicious input such as single quotes are properly escaped, neutralizing the injection vector.

// Patched implementation
$tag = $this->dbService->escape($data['id_fiche']);
$result = $this->dbService->loadSingle(
    'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
    "WHERE tag='" . $tag . "'"
);

This fix completely addresses the vulnerability within this function path by ensuring that any injected SQL syntax is treated strictly as a string literal rather than executable code.

Exploitation requires the attacker to possess a valid session token corresponding to an account with basic write permissions. The attacker must construct a crafted POST request targeting the affected API endpoint.

A time-based blind SQL injection attack confirms the vulnerability by forcing the database to sleep. The attacker injects a SLEEP() command into the id_fiche parameter, observing the delayed response from the server.

curl -s -X POST 'http://<TARGET_HOST>/?api/entries/1' \
  -H 'Cookie: wikini_session=<VALID_SESSION_ID>' \
  -d "antispam=1&bf_titre=TestTitle&id_fiche=' OR SLEEP(3) OR '"

Alternatively, an error-based vector extracts data directly via verbose database error messages. By using the extractvalue function, the attacker forces the application to return the database version string within an XPath syntax error.

curl -s -X POST 'http://<TARGET_HOST>/?api/entries/1' \
  -H 'Cookie: wikini_session=<VALID_SESSION_ID>' \
  -d "antispam=1&bf_titre=TestTitle&id_fiche=' AND extractvalue(1,concat(0x7e,@@version))-- -"

Automated exploitation tools like sqlmap can readily process this injection point. By specifying the id_fiche parameter and supplying a valid session cookie, an attacker can extract the entire database schema and contents.

The vulnerability carries a CVSS 3.1 base score of 8.8, reflecting its high severity. The attack vector is strictly network-based, and exploitation requires low complexity.

The primary impact is the complete loss of database confidentiality. An attacker can systematically extract all records, including user credentials, administrative session tokens, and private wiki content.

Database integrity is equally compromised. The attacker can execute UPDATE or INSERT statements, modifying application data or elevating the privileges of their own account.

Availability is impacted if the attacker utilizes denial-of-service queries. Excessive SLEEP commands or computationally expensive joins can exhaust database connection pools, rendering the wiki inaccessible.

The vulnerability is definitively resolved in YesWiki version 4.6.1. System administrators must update their installations to this version or newer to eliminate the attack vector.

If immediate patching is not feasible, administrators can implement Web Application Firewall (WAF) rules. These rules should inspect the POST body of requests to /api/entries/ and block payloads containing SQL meta-characters like --, ', or common SQL functions.

Security teams should audit web server logs for exploitation attempts. The presence of functions like SLEEP(), extractvalue(), or concat() within the id_fiche parameter serves as a strong indicator of compromise.