Yii 2 Local File Inclusion Vulnerability in View Rendering Method

Vulnerability

A local file inclusion vulnerability has been identified in Yii 2 versions prior to 2.0.54. The issue arises in the core view rendering method `View::renderPhpFile()`, where flawed logic allows a caller-controlled `_file_` parameter to overwrite the internal variable that specifies which file to include. This vulnerability could lead to arbitrary file read, and potentially remote code execution if an attacker can write PHP files through a separate method.

Impact

Exploitation of this vulnerability allows for local file inclusion, with the possibility of remote code execution if the attacker can write PHP files via another vulnerability.

Reproduction

To reproduce this vulnerability, create a view file containing PHP code, such as a simple echo statement. Then, use the `renderFile` method of the `View` class, passing an array as the second parameter. Include a `_file_` key in this array, pointing to a file that should not be included, such as a text file. The vulnerable method will include the specified file, demonstrating the local file inclusion flaw.
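The pattern behind the reproduction, as an added illustrative example (not Yii's own code): a minimal stand-in for a view renderer that `extract()`s view parameters into the local scope before requiring the view file, beside a hardened form. Function names, the demo files and the `InvalidArgumentException` check are assumptions made for this example, not the project's actual fix.

```php
<?php
// Illustrative stand-in for the renderPhpFile() pattern; names are hypothetical.

// Vulnerable shape: extract() with EXTR_OVERWRITE can replace $_file_ itself
// when the caller's parameter array carries a '_file_' key, so a different
// file is included than the one the calling code intended.
function render_vulnerable(string $_file_, array $_params_ = []): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE); // a '_file_' key clobbers $_file_
    require $_file_;
    return ob_get_clean();
}

// Hardened shape: reject parameter names that collide with the renderer's
// own locals, and use EXTR_SKIP so existing variables are never overwritten.
function render_hardened(string $file, array $params = []): string
{
    foreach (['file', 'params'] as $reserved) {
        if (array_key_exists($reserved, $params)) {
            throw new InvalidArgumentException("Reserved view parameter name: $reserved");
        }
    }
    ob_start();
    extract($params, EXTR_SKIP); // locals win over caller-supplied keys
    require $file;
    return ob_get_clean();
}

// Constructed demo files in a temp dir so the script runs stand-alone.
$dir = sys_get_temp_dir() . '/view_lfi_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/view.php", '<?php echo "view: " . $name;');
file_put_contents("$dir/notes.txt", 'plain text that is not a view');

echo render_vulnerable("$dir/view.php", ['name' => 'ok']), PHP_EOL;
// Same view, but the '_file_' key redirects the include to notes.txt:
echo render_vulnerable("$dir/view.php", ['_file_' => "$dir/notes.txt"]), PHP_EOL;

echo render_hardened("$dir/view.php", ['name' => 'ok']), PHP_EOL;
try {
    render_hardened("$dir/view.php", ['file' => "$dir/notes.txt"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

unlink("$dir/view.php");
unlink("$dir/notes.txt");
rmdir($dir);
```

Run with `php example.php`; the second `render_vulnerable` call outputs the text file's contents instead of the view, while the hardened renderer refuses the colliding parameter name.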

Remediation

Users can upgrade to Yii 2 version 2.0.55 or later, where this vulnerability has been fixed.

Added: May 20, 2026, 8:43 PM
Updated: May 20, 2026, 8:43 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.0
exploitability: 9.3
remediation: 7.7
relevance: 8.9
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.