YetAnotherForum.NET Unauthenticated Stored Cross-Site Scripting Vulnerability in Admin Event Log

Vulnerability

A stored cross-site scripting vulnerability has been identified in YetAnotherForum.NET (YAF.NET) versions prior to 4.0.5 and 3.2.12. The issue arises in the application's database logger, which captures the User-Agent header from incoming requests, serializes it as JSON, and stores it in the EventLog.Description column. This data is later deserialized and rendered as HTML in the admin event-log page, without proper sanitization. The vulnerability can be exploited by sending a single HTTP request with a malicious User-Agent header to a public, unauthenticated endpoint, which then persists the payload. When an administrator views the event log, the injected script executes in their browser, potentially leading to a full forum takeover.

Impact

Exploitation allows for unauthenticated execution of JavaScript in an administrator's browser, with the script running in the context of the admin's session. This could enable an attacker to create new admin accounts, modify site settings, or access user data through admin-only channels. Because no authentication is required, the attack can be automated at scale, effectively compromising the entire forum.

Reproduction

To reproduce this vulnerability, send an HTTP request to the '/api/Attachments/GetAttachment' endpoint with a malicious User-Agent header that includes a JavaScript payload, such as an image tag with an 'onerror' event. This request should be made without any authentication tokens or cookies. The server will respond with an error, but the injected payload will be logged in the event database. Then, as an administrator, open the '/Admin/EventLog' page to observe the script executing.
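To make the flaw and its fix concrete, and to give administrators a way to check existing EventLog rows for injected markup, here is an added Python example; it is not YAF.NET code. It assumes the JSON stored in EventLog.Description carries the header under a "UserAgent" key (the real key name is not given in this advisory), and the sample rows are constructed.

```python
import html
import json
import re

# Constructed sample rows standing in for EventLog.Description values as the
# advisory describes them: the request's User-Agent serialized into JSON.
# The "UserAgent" key is an assumption, not taken from the YAF.NET schema.
SAMPLE_ROWS = [
    json.dumps({"UserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"}),
    json.dumps({"UserAgent": "<img src=x onerror=alert(1)>"}),
    json.dumps({"UserAgent": "curl/8.5.0", "Url": "/api/Attachments/GetAttachment"}),
]

# Markup or event-handler patterns that have no business in a User-Agent string.
MARKUP = re.compile(r"<\s*/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def render_vulnerable(description: str) -> str:
    """Mirrors the flaw: deserialized fields are concatenated into HTML unescaped."""
    fields = json.loads(description)
    return "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in fields.items())


def render_fixed(description: str) -> str:
    """Hardened version: every key and value is HTML-encoded before output."""
    fields = json.loads(description)
    return "".join(
        f"<tr><td>{html.escape(str(k))}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in fields.items()
    )


def find_suspicious(rows):
    """Return indexes of stored descriptions whose User-Agent carries markup."""
    hits = []
    for i, row in enumerate(rows):
        try:
            ua = json.loads(row).get("UserAgent", "")
        except (ValueError, AttributeError):
            continue  # malformed or non-object JSON: nothing to inspect
        if MARKUP.search(str(ua)):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("suspicious rows:", find_suspicious(SAMPLE_ROWS))
    print("vulnerable:", render_vulnerable(SAMPLE_ROWS[1]))
    print("fixed:     ", render_fixed(SAMPLE_ROWS[1]))
```

Run find_suspicious over a dump of the Description column to triage rows written before the upgrade; any hit should be treated as an attempt, whether or not an admin has already viewed the page.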

Remediation

Users can upgrade to YetAnotherForum.NET versions 4.0.5 or 3.2.12 to address this vulnerability.

Added: May 12, 2026, 3:31 PM
Updated: May 12, 2026, 3:31 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 5.4
exploitability: 7.9
remediation: 7.7
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.