Yii Framework Component Class Unsafe Reflection Vulnerability Allowing Arbitrary Class Instantiation
Vulnerability
A vulnerability exists in the Yii Framework version 2.0.48 within the base Component class. The issue arises because the `__set()` magic method fails to validate whether the value provided is a legitimate Behavior class name or configuration. This oversight enables an attacker to instantiate arbitrary classes, manipulate constructor parameters, and invoke setter methods. Exploitation possibilities vary based on the application's dependencies, potentially leading to arbitrary code execution, unauthorized access, or exposure of sensitive information.
Impact
Exploitation of this vulnerability could result in unauthorized access, particularly in a widely used product built on Yii2, where an anonymous user could gain admin rights. Additionally, the vulnerability could be exploited to execute arbitrary code or cause a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by sending a POST request with a JSON payload that includes a property formatted as 'as <behavior-name>'. The value of this property should be an object that specifies the class to be instantiated, along with any constructor parameters. This payload can be sent to a controller action that processes the incoming request without proper validation, allowing the arbitrary class instantiation to occur.
Remediation
Users can upgrade to Yii Framework version 2.0.50, where this vulnerability has been fixed.
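As an added, defender-side example (not Yii's own code, and not the 2.0.50 patch), the PHP helpers below show the check that the vulnerable "as <name>" branch of `__set()` lacks, and how to keep untrusted request data away from that branch altogether. The model class and the `$request` variable in the trailing comments are placeholders.

```php
<?php
// Added example: guard decoded request data before it reaches
// Component::__set() through Yii::configure() or mass assignment.
// Assumes the Yii2 autoloader is loaded; nothing here instantiates a class.

use yii\base\Behavior;

/**
 * True only if $value describes a Behavior: a Behavior instance, a Behavior
 * subclass name, or a config array whose 'class' entry is such a subclass.
 * This is the validation the vulnerable __set() path performs nowhere.
 */
function isBehaviorConfig($value): bool
{
    if ($value instanceof Behavior) {
        return true;
    }
    $class = is_array($value) ? ($value['class'] ?? null) : $value;
    // is_subclass_of() only resolves the class; it never runs a constructor
    // or a setter, so it can be applied to attacker-controlled strings.
    return is_string($class) && is_subclass_of($class, Behavior::class, true);
}

/**
 * Drop the keys Component::__set() interprets as behavior ('as x') or
 * event-handler ('on x') attachments. A remote client has no legitimate
 * reason to attach either, so they are removed before configuration,
 * regardless of which class the value names.
 */
function stripComponentMagicKeys(array $data): array
{
    return array_filter(
        $data,
        static function ($key): bool {
            $key = (string) $key;   // JSON arrays decode to integer keys
            return strncmp($key, 'as ', 3) !== 0 && strncmp($key, 'on ', 3) !== 0;
        },
        ARRAY_FILTER_USE_KEY
    );
}

// Weak pattern: the decoded JSON body is applied to a component unchanged,
// so an "as <name>" key reaches the unvalidated attachBehavior() path.
//   \Yii::configure($model, $request->getBodyParams());
//
// Hardened pattern: magic keys are stripped first, and any behavior the
// application itself attaches is checked with isBehaviorConfig().
//   \Yii::configure($model, stripComponentMagicKeys($request->getBodyParams()));
```

Upgrading to 2.0.50 remains the actual fix; these helpers only reduce the exposure of code paths that still hand raw request data to component configuration.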
