VYPR
Critical severity · NVD Advisory · Published Sep 21, 2023 · Updated Sep 25, 2024

CVE-2015-5467

Description

web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yii2 before 2.0.5 allows local file inclusion via a relative path in the view parameter of web\ViewAction, enabling arbitrary PHP code execution.

Vulnerability

Overview

CVE-2015-5467 is a local file inclusion (LFI) vulnerability in the Yii2 framework (versions 2.x before 2.0.5). The flaw resides in the web\ViewAction class, which fails to properly sanitize the view parameter. An attacker can supply a relative path (e.g., ../../path/to/file) to include and execute any local .php file on the server [2].
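To make the flaw class concrete, here is an added example (not Yii's own code and not the upstream fix) contrasting a resolver that builds the view path straight from the request value with one that constrains the view parameter before it can reach an include. The function names, the allowlist regex and the temporary view directory are assumptions made for this illustration.

```php
<?php
// Added example (not Yii2 code): unconstrained vs. constrained view resolution.
declare(strict_types=1);

// Unsafe: the request value is concatenated into a filesystem path, so a
// relative path such as "../../config/db" escapes the view directory.
function resolveViewUnsafe(string $viewDir, string $view): string
{
    return $viewDir . '/' . $view . '.php';
}

// Constrained: allowlist characters, reject traversal segments, and confirm
// that the canonical path really lies under the view directory.
function resolveViewSafe(string $viewDir, string $view): ?string
{
    // Must start with a word character; only \w, '-', '.', and '/' thereafter.
    if (!preg_match('~^\w[\w\-/\.]*$~', $view)) {
        return null;
    }
    // The regex still permits dots, so reject '', '.' and '..' segments explicitly.
    foreach (explode('/', $view) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    $base = realpath($viewDir);
    $candidate = realpath($viewDir . '/' . $view . '.php');
    if ($base === false || $candidate === false) {
        return null; // view directory missing or view file does not exist
    }
    // Containment check on the canonical path (also defeats symlink escapes).
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary view directory holding one legitimate page.
$viewDir = sys_get_temp_dir() . '/demo-views-' . getmypid();
mkdir($viewDir . '/site', 0700, true);
file_put_contents($viewDir . '/site/about.php', "<?php echo 'about';");

foreach (['site/about', '../../config/db', 'site/../../x', 'site//about'] as $v) {
    printf("%-18s unsafe=%s\n%-18s safe=%s\n", $v,
        resolveViewUnsafe($viewDir, $v), '',
        resolveViewSafe($viewDir, $v) ?? 'REJECTED');
}
```

Only `site/about` survives the constrained resolver; the unsafe one happily returns a path for every input, which is exactly what lets the view parameter select an arbitrary .php file.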

Exploitation

To exploit this vulnerability, an attacker must have access to a Yii2 application that uses the ViewAction action (commonly mapped to routes like site/page). No authentication is required if the action is publicly accessible. By manipulating the view parameter with path traversal sequences, the attacker can force the application to include arbitrary PHP files from the filesystem, such as configuration files, logs, or uploaded payloads [3].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code with the privileges of the web server. This can lead to full compromise of the application, including data theft, privilege escalation, and lateral movement within the hosting environment. The vulnerability is particularly dangerous because it does not require file upload functionality—any existing .php file on the system can be executed [2][3].

Mitigation

The issue was fixed in Yii2 version 2.0.5. Users are strongly advised to upgrade to this version or later. No workarounds are documented; the only reliable mitigation is to apply the patch. The vulnerability is listed in the FriendsOfPHP security advisories, confirming its severity and the need for immediate action [3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: yiisoft/yii2 (Packagist)
Affected versions: >= 2.0.0, < 2.0.5
Patched versions: 2.0.5
