PT-2026-57036 · Packagist · Yeswiki/Yeswiki
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-52777
CVSS v4.0
9.4
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Details
Sink
tools/bazar/services/CSVManager.php line 372-399:public function importEntry(array $importedEntries, string $formId): ?array
{
if (!$this->importdone) {
// ...
foreach ($importedEntries as $entry) {
$entry = unserialize(base64 decode($entry)); // <-- SINK
$entry = array map('strval', $entry);
// ...There is no
['allowed classes' => false] argument; arbitrary classes are instantiated. The subsequent array map('strval', $entry) additionally exercises toString on each top-level array element, doubling the magic-method surface available to a gadget chain.Source
tools/bazar/actions/BazarImportAction.php:// formatArguments()
'mode' => (isset($ POST['submit file']) && !empty($ FILES['fileimport']['name'])) ? 'submitfile' :
(isset($ POST['importfiche']) ? 'importentries' : 'default'),
'importentries' => $ POST['importfiche'] ?? null,
// run()
case 'importentries':
// ...
$importedEntries = $this->CSVManager->importEntry($this->arguments['importentries'], $vID['id']);
break;$ POST['importfiche'] flows directly to the sink. The mode switches to 'importentries' whenever the request body contains the key, so an attacker need only POST importfiche[0]=<payload>.Reachability
-
The action is registered as
bazarimport. The defaultBazaRpage (setup/sql/default-content.sql->BazaRpage entry, ships with{{bazar showexportbuttons="1"}}) routes?BazaR&vue=importer&id typeannonce=<N>toBazarAction::run()->case VOIR IMPORTER -> callAction('bazarimport', ...)(tools/bazar/actions/BazarAction.php:257-258). So the sink is reachable on a default install with no extra page authoring. -
BazarImportAction::run()calls$this->checkSecuredACL()with the default$adminOnly=true. Only wiki admins (or accounts the admin has added to thebazarimportaction ACL) can execute it. -
The
importentriesbranch does NOT invokeCsrfTokenController::checkToken(...). Greppingtools/bazar/actions/BazarImportAction.phpconfirms the action class has nocsrforcheckTokenreference at all. This is asymmetric with sibling actions:tools/bazar/controllers/FormController.phpdoes callcheckToken('main', 'POST', 'confirmDeleteToken')for destructive operations. The import path skips the same protection. -
Therefore the full kill chain for a remote attacker is:
a. Identify any admin user on the target wiki.
b. Deliver an HTML page (email, chat, link) that auto-POSTs
importfiche[0]=<base64-encoded PHPGGC payload> to https://<wiki>/?BazaR&vue=importer&id typeannonce=1.
c. The admin's session cookie is sent automatically; the action passes checkSecuredACL; the unserialize fires.Gadget chain availability
composer.json requires doctrine/annotations ^1.11 and doctrine/cache ^1.10. Both have published PHPGGC chains (Doctrine/RCE1, Doctrine/FW1, Doctrine/FW2, etc., from https://github.com/ambionics/phpggc). These chains terminate in either system($cmd) (RCE1) or file put contents($php file, $contents) (FW1) entry-points -- both sufficient to give the attacker shell on the YesWiki host.This advisory does not include a working PHPGGC chain end-to-end (writing a chain that survives YesWiki's exact dependency-resolved class graph is separate work). The PoC demonstrates the primitive (attacker-controlled class instantiation + magic-method execution); the chain is a downstream exercise using public tooling.
Past advisories cross-check
YesWiki's published GitHub advisories cover XSS, SQLi, arbitrary-PHP-file-write RCE, path traversal, and unauthenticated backup download. None covers an
unserialize / PHP-object-injection sink, so this is a novel vulnerability class for the project.PoC
A self-contained PoC reproducing the inner loop is available; it copies the exact two-line sink and proves that attacker-controlled
destruct runs without booting the full application.Run:
php poc.phpOutput (verbatim):
Crafted importfiche[0] payload (form-ready, urlencoded):
YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ%3D%3D
== before importEntry ==
[Gadget] destruct fired with marker='PWNED-FROM-UNSERIALIZE'
PHP Fatal error: Uncaught Error: Object of class Gadget could not be converted to string ...
[Gadget] destruct fired with marker='PWNED-FROM-UNSERIALIZE'The two
[Gadget] destruct fired lines (one from inside the loop, one from the engine shutdown after the TypeError) confirm that the attacker-defined Gadget:: destruct executed -- with the attacker-supplied marker -- inside the unmodified importEntry code path.End-to-end against a live YesWiki install:
curl -i -b "yeswiki session=<admin cookie>"
-X POST "https://wiki.example.com/?BazaR&vue=importer&id typeannonce=1"
--data-urlencode
"importfiche[0]=YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ=="(replace the payload with a real PHPGGC
Doctrine/FW1 or Doctrine/RCE1 output to obtain RCE on the target host).Impact
- Authenticated wiki admin who lands on attacker-controlled HTML obtains remote code execution on the YesWiki server (via the cross-site forgery path; no admin interaction with the import UI is required).
- An attacker who has already compromised an admin password upgrades from "wiki content management" to "OS shell on the hosting box".
- The compromise survives the wiki layer entirely: the attacker can write web shells, exfiltrate other sites on shared hosting, modify
wakka.config.php, dump the MySQL database, and pivot from there.
Suggested fix
tools/bazar/services/CSVManager.php::importEntry-- pass['allowed classes' => false]tounserialize, or, better, replace the base64+serialize transport with the JSON transport the current UI already uses (?api/entries/{formId}POST intools/bazar/presentation/javascripts/bazar-import.js). The serialized-PHP transport appears to be an unused legacy path.tools/bazar/actions/BazarImportAction.php-- add aCsrfTokenController::checkToken('main', 'POST', 'csrf-token', false)guard for the'importentries'mode (and any other state-changing modes). The existingtools/bazar/controllers/FormController.phppattern can be lifted directly.
Fix
CSRF
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Yeswiki/Yeswiki