Yii2 weak secret key - Vulnerability Database

Yii2 weak secret key

Description

The Yii2 framework uses a secret key (cookieValidationKey) to cryptographically sign cookies, preventing attackers from tampering with cookie data. This application is configured with a weak, default, or publicly known secret key. As a result, an attacker can predict or obtain this key, allowing them to forge valid cookie signatures and manipulate cookie contents without detection.

Remediation

Generate a strong, unique secret key for the cookieValidationKey configuration parameter. The key should be a cryptographically random string of at least 32 characters.

1. Generate a secure random key using a cryptographic function or online generator
2. Update your application configuration file (typically config/web.php) with the new key:

return [
    // ...
    'components' => [
        'request' => [
            'cookieValidationKey' => 'your-new-random-secret-key-here',
        ],
    ],
];

3. Ensure the configuration file is not committed to version control or publicly accessible
4. Use different keys for development, staging, and production environments
5. Store the key securely using environment variables or a secrets management system for production deployments

References

The Secret Life of Sessions

Related Vulnerabilities

Severity

Medium

Classification

CWE-693

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N