SiYuan Knowledge Management System Authorization Bypass Vulnerability in Full Text Search API Allowing Arbitrary SQL Execution

Vulnerability

A critical authorization bypass vulnerability has been identified in SiYuan versions through 3.6.0, specifically within the '/api/search/fullTextSearchBlock' endpoint. This vulnerability allows authenticated users, including those with the Reader role, to execute arbitrary SQL statements against the application's SQLite database. The issue arises because the endpoint passes user-supplied input to the database as raw SQL without an authorization check or a read-only check, contrary to the application's security model, which restricts SQL execution to administrators in read-write mode via the dedicated SQL endpoint. The vulnerability can be exploited to perform destructive database operations, such as deleting data or dropping tables, and has been patched in version 3.6.1.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, including destructive operations such as deleting database entries or dropping tables, which can disrupt application functionality. Additionally, it enables unauthorized access to confidential data stored in the application's database.

Reproduction

To reproduce this vulnerability, authenticate as a user with the Reader role and obtain a valid session token. Then, send a POST request to the '/api/search/fullTextSearchBlock' endpoint with the 'method' parameter set to '2' and a SQL query in the 'query' parameter. Because the endpoint performs no authorization check, the supplied SQL query is executed, with the potential to manipulate or delete database records.
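The guard below is an added illustration written for this advisory, not SiYuan's own code or its actual patch. It shows the two checks the advisory says were missing on the raw-SQL branch (method '2') of '/api/search/fullTextSearchBlock': the caller must hold the admin role and the workspace must not be in read-only mode, with a conservative SELECT-only classifier added as defense in depth. The role names, the SearchRequest shape, the AuthorizeSearch and IsReadOnlySQL functions and the 'blocks' table name used in the sample queries are assumptions; only the endpoint and the method value come from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical role names and request shape (assumption for this example);
// only the endpoint path and the method=2 raw-SQL mode come from the advisory.
const (
	RoleAdmin  = "admin"
	RoleReader = "reader"
)

// methodRawSQL is the 'method' value under which the endpoint treated 'query'
// as a raw SQL statement.
const methodRawSQL = 2

type SearchRequest struct {
	Method int
	Query  string
}

var (
	ErrNotAdmin       = errors.New("raw SQL search requires the admin role")
	ErrReadOnlyMode   = errors.New("raw SQL search is disabled in read-only mode")
	ErrNotReadOnlySQL = errors.New("query must be a single SELECT statement")
)

// firstKeyword returns the leading run of ASCII letters, upper-cased.
func firstKeyword(s string) string {
	end := 0
	for end < len(s) {
		c := s[end]
		if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') {
			end++
			continue
		}
		break
	}
	return strings.ToUpper(s[:end])
}

// IsReadOnlySQL accepts exactly one SELECT statement and rejects everything
// else: DML/DDL, PRAGMA/ATTACH, WITH-prefixed writes (SQLite allows
// WITH ... DELETE), stacked statements, and comments that could hide a keyword
// from a naive check. It is deliberately conservative: a legitimate query
// containing ';' or '--' inside a string literal is refused too.
func IsReadOnlySQL(q string) bool {
	s := strings.TrimSpace(q)
	if s == "" {
		return false
	}
	if strings.Contains(s, ";") || strings.Contains(s, "/*") || strings.Contains(s, "--") {
		return false
	}
	return firstKeyword(s) == "SELECT"
}

// AuthorizeSearch is the check the advisory describes as missing: the raw-SQL
// mode is gated on the admin role and on the workspace not being read-only,
// mirroring the rule already applied to the dedicated SQL endpoint, and the
// statement itself is confined to SELECT as defense in depth.
func AuthorizeSearch(role string, readOnlyMode bool, req SearchRequest) error {
	if req.Method != methodRawSQL {
		return nil // keyword-style searches never reach the raw SQL path
	}
	if role != RoleAdmin {
		return ErrNotAdmin
	}
	if readOnlyMode {
		return ErrReadOnlyMode
	}
	if !IsReadOnlySQL(req.Query) {
		return ErrNotReadOnlySQL
	}
	return nil
}

func main() {
	// Constructed sample requests; 'blocks' is an illustrative table name.
	cases := []struct {
		role     string
		readOnly bool
		req      SearchRequest
	}{
		{RoleReader, false, SearchRequest{2, "SELECT id FROM blocks LIMIT 1"}},
		{RoleAdmin, true, SearchRequest{2, "SELECT id FROM blocks LIMIT 1"}},
		{RoleAdmin, false, SearchRequest{2, "DELETE FROM blocks"}},
		{RoleAdmin, false, SearchRequest{2, "SELECT id FROM blocks LIMIT 1"}},
		{RoleReader, false, SearchRequest{0, "some keyword"}},
	}
	for _, c := range cases {
		fmt.Printf("role=%-6s readOnly=%-5v method=%d %-32q -> %v\n",
			c.role, c.readOnly, c.req.Method, c.req.Query,
			AuthorizeSearch(c.role, c.readOnly, c.req))
	}
}
```

The authorization check is the fix; the SELECT-only classifier is a second layer, since a lexical check cannot stop resource-heavy read queries. A third layer that needs no parsing is to execute search queries on a connection opened with SQLite's read-only URI mode (`mode=ro`), so that even a bypassed check cannot write to the database.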

Remediation

Users are advised to update to SiYuan version 3.6.1, where this vulnerability has been fixed.

Added: Mar 20, 2026, 1:19 AM
Updated: Mar 20, 2026, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 3.1
exploitability: 6.2
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.