YesWiki Unsafe eval() Vulnerability in Bazar Form Field Calculator Allowing Remote Code Execution and Denial-of-Service

Vulnerability

A vulnerability allowing remote code execution and denial-of-service has been identified in YesWiki versions prior to 4.6.6. The issue resides in the Bazar form field calculator, specifically within the 'CalcField.php' file. The vulnerability arises because the application attempts to sanitize user-defined mathematical formulas with a complex recursive regular expression and then passes the sanitized string to the PHP eval() function, so whatever survives the regex is executed as PHP. The recursive regular expression can be driven into a stack overflow that crashes the server, and if the regex validation is bypassed, arbitrary PHP code is executed via eval().
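The pattern at fault is "sanitize with a regex, then eval()". As an added illustration (not YesWiki's code and not the fix shipped in 4.6.6), the standalone PHP class below shows the defensive alternative: a recursive-descent parser with an explicit nesting limit that evaluates plain arithmetic without ever calling eval(). The class name, method names and the default depth limit of 32 are assumptions.

```php
<?php
// Added example, not YesWiki's code: evaluate a Calc-field formula without eval().
// Accepts only numbers, + - * /, one unary minus and parentheses, and refuses anything
// nested deeper than $maxDepth, so a parenthesis flood is rejected before deep recursion.
final class SafeCalc {
    private string $s;
    private int $i = 0, $depth = 0;   // cursor into $s and current parenthesis nesting level

    public function __construct(string $formula, private int $maxDepth = 32) {
        $this->s = preg_replace('/\s+/', '', $formula);   // whitespace is insignificant
    }

    public function evaluate(): float {
        $v = $this->expr();
        if ($this->i !== strlen($this->s)) { throw new InvalidArgumentException("unexpected input at offset {$this->i}"); }
        return $v;
    }

    private function peek(): string { return $this->s[$this->i] ?? ''; }

    private function expr(): float {   // expr := term (('+'|'-') term)*
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') { $this->i++; $r = $this->term(); $v = $op === '+' ? $v + $r : $v - $r; }
        return $v;
    }

    private function term(): float {   // term := factor (('*'|'/') factor)*
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->i++; $r = $this->factor();
            if ($op === '/' && $r == 0.0) { throw new DomainException('division by zero'); }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float { // factor := '-'? ( '(' expr ')' | number )
        $sign = 1.0;
        if ($this->peek() === '-') { $sign = -1.0; $this->i++; }
        if ($this->peek() === '(') {
            // The only place nesting grows: bound it so a deep formula is refused, not parsed.
            if (++$this->depth > $this->maxDepth) { throw new LengthException('formula nested too deeply'); }
            $this->i++; $v = $this->expr();
            if ($this->peek() !== ')') { throw new InvalidArgumentException('missing )'); }
            $this->i++; $this->depth--;
            return $sign * $v;
        }
        // Anything that is not a plain number (letters, '$', ';', quotes, ...) stops here.
        if (!preg_match('/\G\d+(?:\.\d+)?/', $this->s, $m, 0, $this->i)) { throw new InvalidArgumentException("number expected at offset {$this->i}"); }
        $this->i += strlen($m[0]);
        return $sign * (float) $m[0];
    }
}

var_dump((new SafeCalc('(2 + 3) * 4 / (1 + 1)'))->evaluate());   // float(10)
try { (new SafeCalc(str_repeat('(', 5000) . '1' . str_repeat(')', 5000)))->evaluate(); }
catch (LengthException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

Because every nesting level consumes one '(' and is counted, the parser's recursion depth is bounded by $maxDepth regardless of input length, and no string from the form ever reaches eval().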

Impact

Exploitation of this vulnerability can lead to unauthorized execution of PHP code on the server, with the executed code running under the privileges of the web server user. This could result in a full compromise of the host. Additionally, the vulnerability allows for a denial-of-service condition by causing a segmentation fault that crashes the PHP process handling the request.

Reproduction

To reproduce this vulnerability, create or edit a Bazar form and add a Calc field. Inject a deeply nested mathematical formula that exploits the regular expression validation. For example, a payload with thousands of nested parentheses can be used to cause a stack overflow, leading to a server crash. Alternatively, if the regex validation is bypassed, a PHP payload can be injected and executed via the eval() function.

Remediation

Users are advised to upgrade to YesWiki version 4.6.6 or later, where this vulnerability has been patched.

Added: Jun 8, 2026, 7:21 PM
Updated: Jun 8, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 7.5
exploitability: 7.4
remediation: 7.7
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.