SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.6.5
A vulnerability exists in SiYuan versions through 3.6.5 that allows the publish-mode Reader to modify configuration and SQL index data without authorization via eight unprotected APIs. These APIs, which include endpoints for graph management, synchronization settings, and document view times, are guarded only by the authentication check model.CheckAuth. As a result, any user with a valid JWT, including anonymous publish visitors, can alter server-side state. The root cause is the absence of the administrative and read-only checks these endpoints require, leaving critical application data exposed to unauthorized modification.
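The flaw described above is a classic authentication-versus-authorization gap: the endpoints confirm that a session exists but never ask what that session is allowed to do. The Go example below is added here to illustrate that distinction and is not SiYuan's code; the Role type, the Session struct, checkAuth (standing in for model.CheckAuth), and the two guard functions are all assumptions made for the example. It places the vulnerable pattern (authentication only) beside the hardened one (authentication plus role and read-only-workspace checks on a state-changing endpoint).

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Role models the three access levels named in the advisory. These
// identifiers are assumptions for this example, not SiYuan's own types.
type Role int

const (
	RoleAdmin  Role = iota
	RoleEditor      // may edit, unless the workspace is read-only
	RoleReader      // publish-mode visitor
)

// Session is the identity a request carries after its token was validated.
type Session struct {
	Role              Role
	WorkspaceReadOnly bool
}

var (
	ErrUnauthenticated = errors.New("no valid session")
	ErrForbidden       = errors.New("role may not modify server state")
)

// checkAuth stands in for the model.CheckAuth step the advisory mentions:
// it only establishes that a session exists and says nothing about what
// that session may do.
func checkAuth(s *Session) error {
	if s == nil {
		return ErrUnauthenticated
	}
	return nil
}

// vulnerableGuard reproduces the pattern the advisory describes: a
// state-changing endpoint gated by authentication alone, so any valid
// session, including an anonymous publish visitor, is admitted.
func vulnerableGuard(s *Session) error {
	return checkAuth(s)
}

// hardenedGuard adds the administrative and read-only checks the advisory
// says were missing: a mutating endpoint rejects Reader sessions and any
// session whose workspace is read-only. The caller decides which endpoints
// are mutating; every call to this guard is treated as one.
func hardenedGuard(s *Session) error {
	if err := checkAuth(s); err != nil {
		return err
	}
	if s.Role == RoleReader || s.WorkspaceReadOnly {
		return ErrForbidden
	}
	return nil
}

// statusFor maps a guard result to the HTTP status a handler would return:
// 401 for no session, 403 for an insufficient role, 200 when allowed.
func statusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrUnauthenticated):
		return http.StatusUnauthorized
	default:
		return http.StatusForbidden
	}
}

func main() {
	// Constructed sample sessions covering the cases the advisory names.
	sessions := []*Session{
		{Role: RoleReader},                           // publish-mode Reader
		{Role: RoleEditor, WorkspaceReadOnly: true},  // RoleEditor, read-only workspace
		{Role: RoleAdmin},                            // administrator
	}
	for _, s := range sessions {
		fmt.Printf("role=%d readonly=%v vulnerable=%d hardened=%d\n",
			s.Role, s.WorkspaceReadOnly,
			statusFor(vulnerableGuard(s)), statusFor(hardenedGuard(s)))
	}
}
```

With the vulnerable guard every one of the three sessions receives 200 on a mutating endpoint; with the hardened guard only the administrator does, and the Reader and read-only Editor receive 403. Keeping the authentication and authorization decisions in separate, named functions also makes the missing check visible in review rather than implicit in a handler body.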
Exploitation allows a publish-mode Reader to disrupt application settings and data integrity by overwriting configuration files, manipulating synchronization intervals, poisoning search results, and altering document history records.
The vulnerability can be reproduced by authenticating as a user who passes model.CheckAuth, such as a publish-mode Reader or a RoleEditor in a read-only workspace. Once logged in, the current synchronization interval and graph configuration can be retrieved, and the vulnerable APIs can then be used to overwrite the graph settings, the synchronization interval, or the recent document history. For instance, the 'getGraph' API can be used to inject a custom graph configuration, which is saved and persists both in memory and on disk. Similarly, the 'updateEmbedBlock' API can be used to alter the content of SQL embed blocks, changing what other users see.
Users should update to SiYuan version 3.7.0, where this vulnerability has been addressed.