Description
The Yii2 Gii extension, a web-based code generation tool, has been detected as accessible on this application. Gii is intended exclusively for development environments and should never be enabled in production systems. When properly configured, access should be restricted to a whitelist of specific IP addresses to prevent unauthorized use.
Remediation
Immediately disable the Gii extension in production environments by removing it from the application configuration. In the main configuration file (typically config/web.php), remove or comment out the Gii module entry:
// Remove or comment out this section in production:
/*
'modules' => [
'gii' => [
'class' => 'yii\gii\Module',
],
],
*/If Gii must remain enabled for staging or development purposes, restrict access to specific IP addresses only:
'modules' => [
'gii' => [
'class' => 'yii\gii\Module',
'allowedIPs' => ['127.0.0.1', '::1', '192.168.1.*'],
],
],Verify that the extension is inaccessible by attempting to access /gii or /index.php?r=gii from an unauthorized IP address. The request should return a 403 Forbidden or 404 Not Found response.
References
Related Vulnerabilities
MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-2935)
phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-6606)
Opencart Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3763)
Adobe Experience Manager SSRF via MS token verify servlet
GraphQL Array-based Query Batching Allowed: Potential Batching Attack Vulnerability