GHSA-vw42-752g-5mrp: YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId`
Summary
The POST /api/forms/{formId}/actor/inbox route - exposed publicly with acl:"public" - accepts an HTTP Signature header whose keyId parameter is a URL. HttpSignatureService::verifySignature() parses the header and immediately makes a server-side HTTP GET to that URL, before any cryptographic verification or URL validation. An unauthenticated remote attacker can therefore make YesWiki issue arbitrary outbound HTTP requests to any host the server can reach - internal services, cloud-metadata endpoints (169.254.169.254), intranet-only admin panels, etc. - and read enough back via timing and error-message oracles to scan ports, enumerate services, and (on a real cloud instance) reach IAM metadata.
The only deployment-side precondition is that ActivityPub be enabled on at least one Bazar form (bn_activitypub_enable = '1').
Details
Affected component
- File: tools/bazar/services/HttpSignatureService.php
- Method: HttpSignatureService::verifySignature(Request $request)
- Sink: line 96
- Route: tools/bazar/controllers/ApiController.php line 125 — @Route("/api/forms/{formId}/actor/inbox", methods={"POST"}, options={"acl":{"public"}})
// tools/bazar/services/HttpSignatureService.php (v4.6.5 = origin/doryphore-dev HEAD,
// lines 83–100)
public function verifySignature(Request $request) {
if (!$request->headers->has('Signature')) {
throw new Exception('No signature');
}
$sigConf = parse_ini_string(
strtr($request->headers->get('Signature'), ["," => "\n"]) // (a) attacker controls every field
);
if (!isset($sigConf['keyId'],$sigConf['algorithm'],$sigConf['headers'],$sigConf['signature'])) {
throw new Exception('Malformed signature');
}
$response = $this->httpClient->request('GET', $sigConf['keyId'], [ // (b) SINK — no validation,
'headers' => [ 'Accept' => 'application/ld+json'] // no allowlist, no scheme
]); // pinning, no IP filtering
...
}
The inbox controller calls verifySignature() before running any cryptography:
// tools/bazar/controllers/ApiController.php
Details
Original advisory: https://github.com/advisories/GHSA-vw42-752g-5mrp
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52769 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10