CVE-2025-31131 Scanner
CVE-2025-31131 Scanner - Path Traversal vulnerability in YesWiki
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 10 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
YesWiki is an open-source collaborative wiki platform developed in PHP, designed to facilitate knowledge sharing and documentation. It is widely used by communities, non-profits, and small organizations to manage collaborative content. The platform supports customizable themes, user management, and WYSIWYG editing for ease of use. Because it is PHP-based, it is commonly hosted on shared web servers and integrated with other CMS platforms. It is favored for grassroots documentation, team coordination, and educational purposes. However, its accessibility and flexibility can introduce risks when an instance is misconfigured or an outdated version is in use.
This scanner targets a high-severity Path Traversal vulnerability found in YesWiki versions prior to 4.5.2. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by exploiting the `squelette` parameter. By manipulating the path structure with directory traversal sequences (`../`), attackers can access sensitive system files. The attack does not require user interaction or elevated permissions. This exposure of server-side files can enable reconnaissance, leak credentials, or reveal configuration details that aid further exploitation. The issue has been assigned a CVSS score of 8.6 due to its ease of exploitation and potential impact.
The vulnerability is exploited through a specially crafted GET request that appends directory traversal strings to the `squelette` parameter. For instance, targeting `/etc/passwd` can reveal user information on Unix-like systems. The scanner sends this request and validates exploitation by checking the response for both a known YesWiki marker (`YesWiki-main`) and content indicating success (e.g., the presence of "root:x:0:0"). This confirms both the system context and successful file access. The flaw arises from insufficient sanitization of the `squelette` input, which is used in file handling logic without proper validation.
Exploitation can lead to serious consequences such as leakage of sensitive data, credentials, and configuration files. Attackers may use the disclosed information to launch targeted attacks, escalate privileges, or pivot to other parts of the system. In shared hosting environments, this may even affect other hosted applications. Since the vulnerability is exploitable without authentication, it poses a high risk to publicly accessible YesWiki instances. Timely patching and access control are critical to mitigating this issue.
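For defenders who cannot patch immediately, the request pattern described above is easy to hunt for in web server access logs. The following is an added example, not code from the scanner or from YesWiki: it scans constructed common-log-format lines for a `squelette` parameter carrying a traversal sequence, and decodes percent-encoding repeatedly so that encoded and double-encoded variants, which a plain `../` substring search would miss, are flagged as well.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic); the request
# target sits inside the quoted request field of each line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET /?squelette=../../../../etc/passwd HTTP/1.1" 200 1832
203.0.113.6 - - [10/Apr/2025:12:00:02 +0000] "GET /?squelette=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1832
203.0.113.7 - - [10/Apr/2025:12:00:03 +0000] "GET /?squelette=%252e%252e%252fetc/passwd HTTP/1.1" 200 1832
203.0.113.8 - - [10/Apr/2025:12:00:04 +0000] "GET /?squelette=default HTTP/1.1" 200 9120
203.0.113.9 - - [10/Apr/2025:12:00:05 +0000] "GET /?wiki=PagePrincipale HTTP/1.1" 200 9120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded traversal such as %252e%252e%252f is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True when any path segment of the decoded value is exactly '..'.
    Backslashes count as separators in case the application runs on Windows."""
    decoded = fully_decode(value).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))

def flag_squelette_traversal(log_text):
    """Return (client_ip, decoded squelette value) for every request whose
    squelette parameter contains a directory traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs already decodes one layer; fully_decode handles the rest.
        for value in parse_qs(query).get("squelette", []):
            if has_traversal(value):
                hits.append((line.split(" ", 1)[0], fully_decode(value)))
    return hits

if __name__ == "__main__":
    for ip, value in flag_squelette_traversal(SAMPLE_LOG):
        print(f"{ip} squelette={value}")
```

On the sample above, the three traversal requests are reported and the two benign ones are not; the same function can be pointed at a real log file once its lines are read in.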