SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.5.3
A vulnerability in SiYuan, a personal knowledge management system, allows authenticated users to write files to arbitrary locations on the filesystem through the '/api/file/copyFile' endpoint. This issue arises because the 'dest' parameter is not properly validated, enabling potential remote code execution by overwriting sensitive files such as cron jobs, SSH authorized_keys, or shell configuration files. The vulnerability affects SiYuan versions prior to 3.5.5 and has been patched in that release.
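The missing control described above is a containment check on the destination path. The following is an added example (not SiYuan's own code; the function name, the workspace root and the sample inputs are constructed) showing the kind of lexical normalisation and prefix check a file-copy handler needs before it touches the filesystem; the same check applies equally to a caller-supplied source path.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when a destination resolves outside the root.
var ErrOutsideWorkspace = errors.New("destination resolves outside the workspace")

// SafeDest confines a caller-supplied destination (the role of the advisory's
// 'dest' parameter; this helper is hypothetical) to workspaceRoot. Relative and
// absolute inputs are both normalised lexically, so "../" chains and absolute
// escapes are rejected before any filesystem access. It does not resolve
// symlinks: a complete fix also runs filepath.EvalSymlinks on the existing
// parent directory of the result and repeats the containment check.
func SafeDest(workspaceRoot, dest string) (string, error) {
	root, err := filepath.Abs(workspaceRoot)
	if err != nil {
		return "", err
	}
	root = filepath.Clean(root)

	var target string
	if filepath.IsAbs(dest) {
		target = filepath.Clean(dest)
	} else {
		target = filepath.Join(root, dest) // Join cleans ".." components
	}

	// Accept only the root itself or a path strictly below it. The trailing
	// separator stops a sibling such as "/srv/ws2" from matching root "/srv/ws".
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return target, nil
}

func main() {
	// Constructed inputs: one in-workspace path and two escape attempts.
	for _, dest := range []string{
		"data/notes/a.md",
		"../../../etc/cron.d/job",
		"/root/.ssh/authorized_keys",
	} {
		p, err := SafeDest("/srv/siyuan/workspace", dest)
		fmt.Printf("%-30q -> %q err=%v\n", dest, p, err)
	}
}
```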
Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the server with the same privileges as the SiYuan application, potentially leading to a full system compromise. Additionally, it could allow for the establishment of a backdoor via SSH or through manipulation of shell configuration files.
To reproduce this vulnerability, first upload a malicious script to the SiYuan workspace using the '/api/file/putFile' endpoint. Once the file is uploaded, use the '/api/file/copyFile' endpoint to copy the file to a sensitive location, such as a cron job file or a shell configuration file. After the file is copied, execute it to demonstrate the remote code execution.
Users can update to SiYuan version 3.5.5 or later, where this vulnerability has been fixed.