GHSA-9369-69wj-7m2f: YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize
Details
Sink
tools/bazar/services/CSVManager.php line 372-399:
public function importEntry(array $importedEntries, string $formId): ?array
{
if (!$this->importdone) {
// ...
foreach ($importedEntries as $entry) {
$entry = unserialize(base64_decode($entry)); // <-- SINK
$entry = array_map('strval', $entry);
// ...
There is no ['allowed_classes' => false] argument; arbitrary classes are instantiated. The subsequent array_map('strval', $entry) additionally exercises __toString on each top-level array element, doubling the magic-method surface available to a gadget chain.
Source
tools/bazar/actions/BazarImportAction.php:
// formatArguments()
'mode' => (isset($_POST['submit_file']) && !empty($_FILES['fileimport']['name'])) ? 'submitfile' :
(isset($_POST['importfiche']) ? 'importentries' : 'default'),
'importentries' => $_POST['importfiche'] ?? null,
// run()
case 'importentries':
// ...
$importedEntries = $this->CSVManager->importEntry($this->arguments['importentries'], $vID['id']);
break;
$_POST['importfiche'] flows directly to the sink. The mode switches to 'importentries' whenever the request body contains the key, so an attacker need only POST importfiche[0]=<payload>.
Reachability
1. The action is registered as bazarimport. The default BazaR page (setup/sql/default-content.sql -> BazaR page entry, ships with {{bazar showexportbuttons="1"}}) routes ?BazaR&vue=importer&id_typeannonce=<N> to BazarAction::run() -> case VOIR_IMPORTER -> callAction('bazarimport', ...) (tools/bazar/actions/BazarAction.php:257-258). So the sink is reachable on a default install with no extra page authoring.
2. BazarImportAction::run() calls $this->checkSecuredACL() with the default $adminOnly=true. Only wiki admins (or accounts the admin has added to the bazarimport action ACL) can execute it.
3. The importentries branch does NOT invoke CsrfTokenController::checkToken(...). Grepping tools/bazar/actions/BazarImportAction.php confirms the action class has no csrf or checkToken re
Details
Original advisory: https://github.com/advisories/GHSA-9369-69wj-7m2f
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52777 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10