VYPR
Critical severity · NVD Advisory · Published Mar 21, 2018 · Updated Aug 5, 2024

CVE-2018-7269

Description

The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yii 2.x before 2.0.15 allows SQL injection via findOne() and findAll() when array input is passed to them unsanitized; the need to sanitize it was undocumented, so developers had to recognize it themselves.

Vulnerability

The vulnerability resides in the findByCondition function in framework/db/ActiveRecord.php of Yii 2.x versions prior to 2.0.15. The findOne() and findAll() methods accept array input for filtering conditions, but the documentation did not explicitly warn that passing unfiltered user input could be dangerous. This lack of clarity led to potential SQL injection, as the framework did not automatically sanitize array parameters. Affected versions include all Yii 2 releases before 2.0.15 [1][2][4].

Exploitation

An attacker can exploit this vulnerability by providing malicious array input to the findOne() or findAll() methods. The attacker does not need authentication if the methods are exposed to user input via web requests. Because the need for input sanitization was undocumented, developers might inadvertently pass unsanitized input, allowing the attacker to inject arbitrary SQL clauses. The exploitation is straightforward: the attacker crafts array keys or values that modify the query condition [2][4].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the database. This can lead to information disclosure, bypassing access control checks, data manipulation, or complete database compromise. The impact is severe because it directly affects the ActiveRecord query layer, which is commonly used in Yii applications [1][2].

Mitigation

Yii 2.0.15, released on March 21, 2018, fixes the issue by limiting findOne() and findAll() to filter only on columns that are ActiveRecord properties. Developers should upgrade to version 2.0.15 or later. As a workaround, ensure that any array input passed to these methods is properly sanitized before use [2][4]. This CVE is not known to be included in CISA's Known Exploited Vulnerabilities (KEV) catalog.
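One way to apply the workaround described above on releases that cannot be upgraded yet, as an added example that is not code from the advisory or from the Yii project. The function name safeCondition(), the $columns list and the sample inputs are assumptions made for illustration; PHP 8.1 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not Yii code. Requires PHP 8.1+ (mixed, array_is_list).
// safeCondition() and $columns are hypothetical names for this sketch.
function safeCondition(mixed $input, array $columns, string $pk = 'id'): array
{
    $scalars = static function (array $values): array {
        foreach ($values as $v) {
            if (!is_scalar($v)) {
                throw new InvalidArgumentException('nested value rejected');
            }
        }
        return $values;
    };
    // A scalar is pinned to the primary key so it is never read as a map.
    if (is_scalar($input)) {
        return [$pk => $input];
    }
    if (!is_array($input) || $input === []) {
        throw new InvalidArgumentException('condition must be scalar or non-empty array');
    }
    // A plain list is treated as a set of primary-key values.
    if (array_is_list($input)) {
        return [$pk => $scalars($input)];
    }
    $clean = [];
    foreach ($input as $key => $value) {
        // Keys end up as column names in the query, so accept exact matches only.
        if (!is_string($key) || !in_array($key, $columns, true)) {
            throw new InvalidArgumentException('key is not a column name');
        }
        $clean[$key] = is_array($value) ? $scalars(array_values($value)) : $scalars([$value])[0];
    }
    return $clean;
}

// Constructed request values: a scalar id, a column map, and a map whose key is not a column.
$columns = ['id', 'title', 'status'];
$samples = ['42', ['status' => 'published'], ['constructed non-column key' => '1']];
foreach ($samples as $sample) {
    try {
        echo json_encode(safeCondition($sample, $columns)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The returned array is what would be handed to findOne() or findAll() in place of the raw request value; input that fails the check is rejected before any query is built.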

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
yiisoft/yii2-dev (Packagist) | < 2.0.12.1 | 2.0.12.1
yiisoft/yii2-dev (Packagist) | >= 2.0.13, < 2.0.13.2 | 2.0.13.2
yiisoft/yii2-dev (Packagist) | >= 2.0.14, < 2.0.15 | 2.0.15
