SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.5.9
A vulnerability in the SiYuan personal knowledge management system, in versions through 3.5.9, allows unauthenticated WebSocket connections to the server: a client that supplies specific URL parameters on the handshake request is accepted without any credential. The bypass lets any external client, including a malicious website, connect and receive the server's real-time push events. These events can leak sensitive document metadata, such as titles, notebook names, file paths, and details of all CRUD operations performed by authenticated users. Because the server also performs no Origin header validation, a cross-origin page can open the socket (cross-origin WebSocket hijacking) and monitor a user's note-taking activity without their knowledge.
Exploitation of this vulnerability gives an attacker unauthorized access to a user's SiYuan WebSocket, allowing interception of sensitive document metadata and real-time monitoring of document-related activity, such as creation, deletion, and modification.
The vulnerability can be reproduced by connecting to the WebSocket endpoint '/ws' with the required URL parameters '?app=siyuan&id=auth&type=auth'. This can be done with a WebSocket client or from a browser page, provided the target SiYuan instance is running locally and has 'accessAuthCode' configured. Once connected, all broadcast events, including sensitive document operations, are received in real time.
Users can update to SiYuan version 3.6.1, which addresses this vulnerability by removing the authentication bypass and adding Origin header validation.
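The fix described above combines two controls: the handshake must pass an unconditional session check (no query-parameter shortcut), and the Origin header must name the server's own host or an allow-listed one. The Go code below is an added example of that gate written for this page; it is not SiYuan's code. The local listener port 6806, the `sessionValid` stand-in for the server's real session check, and the sample hosts are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// newWSRequest builds a handshake request to /ws for the given host, carrying the
// query string from the advisory, with an optional Origin header (constructed sample).
func newWSRequest(host, origin string) *http.Request {
	r, _ := http.NewRequest("GET", "http://"+host+"/ws?app=siyuan&id=auth&type=auth", nil)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

// originAllowed accepts the handshake only when Origin names the server's own
// host:port (a same-origin page) or a host on the allow list. Browsers always send
// Origin on WebSocket handshakes, so a missing, "null" or malformed Origin is
// rejected; this is what stops a foreign page from opening the socket.
func originAllowed(r *http.Request, allowedHosts []string) bool {
	u, err := url.Parse(r.Header.Get("Origin"))
	if err != nil || u.Host == "" {
		return false
	}
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Host, h) {
			return true
		}
	}
	return false
}

// upgradeAllowed is the full gate. The session check runs for every request, so the
// id=auth&type=auth parameters cannot stand in for authentication, and the Origin
// check runs after it. sessionValid is an assumed stand-in for the real session check.
func upgradeAllowed(r *http.Request, allowedHosts []string, sessionValid func(*http.Request) bool) bool {
	return sessionValid(r) && originAllowed(r, allowedHosts)
}

func main() {
	hasSession := func(*http.Request) bool { return true }
	noSession := func(*http.Request) bool { return false }
	fmt.Println(upgradeAllowed(newWSRequest("localhost:6806", "http://localhost:6806"), nil, hasSession))    // true
	fmt.Println(upgradeAllowed(newWSRequest("localhost:6806", "https://attacker.example"), nil, hasSession)) // false
	fmt.Println(upgradeAllowed(newWSRequest("localhost:6806", "http://localhost:6806"), nil, noSession))     // false
}
```

Note that the Origin check only defends against browser-mediated cross-origin access; a non-browser client can set any Origin it likes, which is why the unconditional session check carries the real weight.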