CVE-2021-43091
📋 TL;DR
This SQL injection vulnerability in Yeswiki Doryphore allows attackers to execute arbitrary SQL commands through the email parameter in the registration form. This affects all users running vulnerable versions of Yeswiki Doryphore, potentially leading to data theft, authentication bypass, or complete system compromise.
💻 Affected Systems
- Yeswiki Doryphore
📦 What is this software?
Yeswiki by Yeswiki
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, authentication bypass, privilege escalation, and potential remote code execution via database functions.
Likely Case
Data extraction from the database, including user credentials, personal information, and potentially administrative access to the wiki.
If Mitigated
Attack fails due to proper input validation and parameterized queries, resulting in no impact.
🎯 Exploit Status
SQL injection via registration form requires no authentication and has public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit c9785f9a92744c3475f9676a0d8f95de24750094
Vendor Advisory: https://github.com/yeswiki/yeswiki/commit/c9785f9a92744c3475f9676a0d8f95de24750094
Restart Required: No
Instructions:
1. Update Yeswiki Doryphore to the latest version.
2. Apply the specific patch from commit c9785f9a92744c3475f9676a0d8f95de24750094.
3. Verify the fix by testing the registration form with SQL injection payloads.
🔧 Temporary Workarounds
Disable Registration
Temporarily disable user registration functionality to prevent exploitation.
Modify configuration to disable registration form
WAF Rule
Implement web application firewall rules to block SQL injection patterns in email parameters.
Add WAF rule: Block requests with SQL keywords in email parameter
🧯 If You Can't Patch
- Implement input validation to reject email addresses containing SQL special characters
- Deploy a web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Test the registration form with SQL injection payloads like ' OR '1'='1 in the email field and observe database errors or unexpected behavior.
Check Version:
Check the Yeswiki version in the administration panel or review the commit hash in the installation directory.
Verify Fix Applied:
After patching, attempt the same SQL injection tests and verify they are rejected or properly sanitized without database errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed registration attempts with special characters
- Registration attempts from unusual IP addresses
Network Indicators:
- HTTP POST requests to registration endpoint containing SQL keywords in parameters
- Abnormal database query patterns
SIEM Query:
source="web_logs" AND uri="/register" AND (email="*OR*" OR email="*UNION*" OR email="*SELECT*" OR email="*INSERT*")
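A substring match such as email="*OR*" also fires on ordinary addresses like george.orwell@example.com, so the added example below (not part of this advisory or of Yeswiki) applies the same detection idea with word-boundary and quote-character checks over constructed log lines. It assumes a log source that records the POST body of registration requests as a body= field; the line format and sample addresses are invented for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (no real Yeswiki traffic): ip method uri status [body=<form>]
SAMPLE_LOGS = [
    "203.0.113.5 POST /register 200 body=email=george.orwell%40example.com&name=george",
    "203.0.113.9 POST /register 500 body=email=%27+OR+%271%27%3D%271&name=x",
    "198.51.100.7 POST /register 200 body=email=author%40example.org&name=a",
    "198.51.100.8 POST /register 500 body=email=a%40b.com%27+UNION+SELECT+1--&name=u",
    "192.0.2.4 GET /wiki/HomePage 200",
]

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})(?: body=(?P<body>\S+))?$"
)

# Shapes that have no business in an e-mail address, checked on word boundaries
# rather than as bare substrings so that "orwell" or ".org" do not trigger.
SQL_PATTERN = re.compile(
    r"""
    ['";]                            # quote or statement terminator (legal but rare in a local part)
    | -- | /\*                       # SQL comment openers
    | \b(?:OR|AND)\s+['"\d]          # tautology shape such as: OR '1'='1
    | \bUNION\s+(?:ALL\s+)?SELECT\b  # union-based extraction
    """,
    re.I | re.X,
)


def email_from_body(body: str) -> str:
    """Decode the percent-encoded form body and return the email parameter."""
    return parse_qs(body, keep_blank_values=True).get("email", [""])[0]


def is_suspicious_email(value: str) -> bool:
    """True when the decoded email value carries an injection-shaped token."""
    return bool(SQL_PATTERN.search(value))


def scan(lines):
    """Return the registration POSTs whose email parameter looks like SQL injection."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["uri"].startswith("/register"):
            continue
        email = email_from_body(m["body"] or "")
        if is_suspicious_email(email):
            hits.append({"ip": m["ip"], "status": m["status"], "email": email})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Pairing a hit with a 500 status (as in the second and fourth sample lines) is the log-side counterpart of the "unusual SQL errors" indicator listed above.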