CVE-2015-5467 in Yii Yii2
Summary
by MITRE • 09/21/2023
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.
Analysis
by VulDB Data Team • 08/26/2025
CVE-2015-5467 affects the Yii 2.x web framework in versions 2.0.4 and earlier. It is a critical path traversal flaw in the web\ViewAction component that leads to remote code execution: the framework does not adequately validate the view parameter, so user-supplied input is incorporated directly into file system operations without sanitization or access control, letting an attacker manipulate the resolved file path and execute arbitrary PHP code on the server.
Technically, the flaw lies in how the framework resolves the view parameter. When web\ViewAction processes a request whose view parameter contains relative-path sequences such as ../ or ..\, the framework resolves them relative to the application's document root, so the request can reach files outside the intended view directory and cause arbitrary PHP scripts to be executed. This is a classic path traversal weakness, classified under CWE-22 (improper limitation of a pathname to a restricted directory).
The operational impact of CVE-2015-5467 extends well beyond file disclosure, since the vulnerability allows arbitrary PHP code to run on the affected server and can lead to complete system compromise. An attacker could read configuration files, database credentials or application source code, and then establish persistent access through backdoors or privilege escalation. Any application built on Yii 2.0.4 or earlier that uses the default web\ViewAction without additional input validation or custom security measures is affected.
Security professionals should treat this vulnerability as a prime example of how insufficient input validation can lead to severe remote code execution, aligning with ATT&CK technique T1059.007 for command and script injection. The attack surface is particularly concerning because applications relying on Yii's default view handling can be exploited through simple HTTP requests without authentication. Organizations should upgrade immediately to Yii 2.0.5 or later, where input sanitization that prevents path traversal has been implemented. Additional mitigations include validating input at the application level, restricting file system access through directory permissions, and deploying a web application firewall to detect and block suspicious path traversal attempts. The case also underlines the value of secure coding practices such as input validation, output encoding and the principle of least privilege in preventing similar flaws.
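As an added illustration of the resolution step and the mitigation described above (this is not Yii's own code, and the allowlist regex is an assumption that mirrors the intent of the 2.0.5 fix rather than the framework's exact pattern), the PHP below places a naive view-name resolver beside a hardened one and runs both over constructed inputs in a temporary directory:

```php
<?php
// Added example, not Yii's own code: a minimal stand-in for the step where a
// request's view parameter is turned into a file path, unsafe and hardened.

// Unsafe: the request value is concatenated as-is, so a relative path such as
// "../config/db" escapes the view directory before the file is included.
function resolveViewUnsafe(string $viewDir, string $view): string
{
    return $viewDir . '/' . $view . '.php';
}

// Hardened: (1) allowlist the name syntax, (2) resolve the real path and
// require it to stay inside the view directory. Returns null when rejected.
function resolveViewSafe(string $viewDir, string $view): ?string
{
    // Starts with a word character; then word characters, '/', '-' or '.',
    // with no "/../" or "/./" segment. Assumption: mirrors the intent of the
    // 2.0.5 fix, not the framework's exact pattern.
    if (!preg_match('~^\w(?:(?!/\.{0,2}/)[\w/\-.])*$~', $view)) {
        return null;
    }
    $base = realpath($viewDir);
    $candidate = realpath($viewDir . '/' . $view . '.php');
    if ($base === false || $candidate === false) {
        return null; // view directory or view file does not exist
    }
    // Containment: the resolved file must lie below the view directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: one legitimate view plus a sibling config file that
// a view name must never be able to reach.
$root = sys_get_temp_dir() . '/viewaction-demo-' . bin2hex(random_bytes(4));
mkdir("$root/views/site", 0700, true);
mkdir("$root/config", 0700, true);
file_put_contents("$root/views/site/about.php", "<?php echo 'about';\n");
file_put_contents("$root/config/db.php", "<?php return ['dsn' => 'constructed'];\n");

foreach (['site/about', '../config/db', 'site/../../config/db'] as $view) {
    $unsafe = resolveViewUnsafe("$root/views", $view);
    $safe = resolveViewSafe("$root/views", $view);
    printf("%-22s unsafe: %s | safe: %s\n", $view,
        file_exists($unsafe) ? 'file reachable, would be included' : 'no such file',
        $safe === null ? 'rejected' : 'allowed');
}
```

The unsafe resolver reaches the sibling config file for both traversal inputs, while the hardened one rejects them at the allowlist stage and accepts only the legitimate view; the realpath containment check remains as a second layer in case the pattern is ever loosened.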