CVE-2023-26750
📋 TL;DR
This SQL injection vulnerability in Yii Framework 2 allows remote attackers to execute arbitrary SQL commands through the runAction function, potentially leading to data theft, modification, or complete system compromise. It affects applications using Yii 2 Framework versions before 2.0.47. The software maintainer disputes that this is a framework vulnerability, attributing it to third-party code implementation.
💻 Affected Systems
- Yii Framework 2
📦 What is this software?
Yii by Yiiframework
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data exfiltration, modification, deletion, or remote code execution through database functions.
Likely Case
Unauthorized data access, privilege escalation, or data manipulation in affected applications.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.
🎯 Exploit Status
SQL injection vulnerabilities are commonly exploited. Public discussion and technical details available in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.47
Vendor Advisory: https://github.com/yiisoft/yii2/issues/19755
Restart Required: No
Instructions:
1. Update Yii Framework to version 2.0.47 or later using composer: 'composer require yiisoft/yii2:^2.0.47'
2. Review and update any third-party extensions or custom code using runAction with user input.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation and parameterized queries for all user-controlled inputs passed to runAction.
Database Permission Restriction
Limit database user permissions to the minimum required operations (SELECT only where possible).
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block SQL injection patterns
- Isolate database server and implement network segmentation to limit potential damage
🔍 How to Verify
Check if Vulnerable:
Check composer.json (or composer.lock) or the Yii version constant: Yii::getVersion() should be < 2.0.47 when compared with version_compare(), not as a plain string.
Check Version:
php -r "require 'vendor/autoload.php'; require 'vendor/yiisoft/yii2/Yii.php'; echo Yii::getVersion();"
Verify Fix Applied:
Confirm Yii version is 2.0.47 or higher: version_compare(Yii::getVersion(), '2.0.47', '>=') must return true (a plain string comparison such as Yii::getVersion() >= '2.0.47' misorders versions like 2.0.5 and 2.0.47).
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from web application
- SQL syntax errors in application logs
- Multiple failed login attempts or unusual parameter patterns
Network Indicators:
- Unusual database connection patterns from application servers
- Large data transfers from database to unexpected destinations
SIEM Query:
web_logs WHERE (url CONTAINS 'runAction' AND parameters MATCH '.*[;'"].*') OR (status_code = 500 AND message CONTAINS 'SQL')
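As an added illustration that is not part of the original advisory, the SIEM logic above expressed as a small scanner over constructed log lines; the line format (status, request path, message) and the sample entries are assumptions. It decodes query values before matching so that URL-encoded quotes are not missed:

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Metacharacters the SIEM query above looks for in request parameters.
SUSPECT_CHARS = re.compile(r"[;'\"]")

# Constructed sample log lines (assumed format: '<status> <request-path> <message>', '-' when empty).
SAMPLE_LOGS = [
    "200 /index.php?r=site/runAction&id=42 -",
    "200 /index.php?r=site/runAction&id=42%27 -",
    "500 /index.php?r=site/index - SQLSTATE[42000]: Syntax error",
    "200 /index.php?r=site/index&q=it%27s -",
    "500 /index.php?r=site/runAction&id=1 - PHP Fatal error",
]


def classify(line: str) -> Optional[str]:
    """Return a reason string when the line matches the page's SIEM logic, else None."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    status, url, message = parts
    if "runAction" in url:
        # parse_qsl percent-decodes values, so %27 is inspected as the quote it becomes.
        for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if SUSPECT_CHARS.search(value):
                return "runAction request with SQL metacharacter in parameter"
    if status == "500" and "SQL" in message:
        return "HTTP 500 with SQL error text"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Apply classify() to each line and return (line_number, reason) pairs for hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        reason = classify(line)
        if reason:
            hits.append((number, reason))
    return hits


if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOGS):
        print(f"line {number}: {reason}")
```

Note that a hit only means the request or error matches the advisory's indicator pattern; a quote in a parameter to a non-vulnerable action is a false positive candidate to triage, not an incident.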
🔗 References
- https://github.com/yiisoft/yii2/issues/19755
- https://github.com/yiisoft/yii2/issues/19755#issuecomment-1426155955
- https://github.com/yiisoft/yii2/issues/19755#issuecomment-1505390813
- https://github.com/yiisoft/yii2/issues/19755#issuecomment-1505560351