uiTeam324

Reputation: 1245

_frontendCSRF cookie appears to be vulnerable to SQL injection attacks

I got this testing issue from my testing company, which says that the _frontendCSRF cookie can cause SQL injection. They reported it for the login page. My application is built on Yii2. Here is the detailed information.

The _frontendCSRF cookie appears to be vulnerable to SQL injection attacks. The payload ')and%20benchmark(20000000%2csha1(1))--%20 was submitted in the _frontendCSRF cookie. The application took 11004 milliseconds to respond to the request, compared with 1681 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

Cookie: PHPFRONTSESSID=62ca0ebed7ad7d7c5e15a8c267f77551; current_shop=2; site_url=http%3A%2F%2F52.6.251.159%2F%7Edemoecom%2Fbuyold%2Ffrontend%2Fweb; blog_url=http%3A%2F%2F52.6.251.159%2F%7Edemoecom%2Fbuyold%2Fblog; is_buyold_login=0; _language=ba7c0570c541af8890cb020f80553258ee37070af083c555286d73a4165020c5a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_language%22%3Bi%3A1%3Bs%3A2%3A%22au%22%3B%7D; _frontendCSRF=ae5e122353d27ce1288157fc2b42e65dacf96d5fc4c5d0d7f883c19215138691a%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_frontendCSRF%22%3Bi%3A1%3Bs%3A32%3A%22S8P_oYh_fNd-eODMV4NMrUqkebCWEKsL%22%3B%7D')and%20benchmark(20000000%2csha1(1))--%20; __atuvc=6%7C31; __atuvs=57a03a16ead33d80005
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 153

Right now my project is in beta mode, so it is on HTTP. What would be the solution for it? Can I keep _frontendCSRF in the session, or will HTTPS solve it? Any help would be appreciated.

Upvotes: 0

Views: 382

Answers (1)

jlapoutre

Reputation: 1787

This sounds pretty alarming, but looking at the actual code from the current Yii 2.0.9 framework, I don't see any SQL being used in the validation process: yii2/web/Request.php

Now I'm not a security expert... you might want to

  1. get a more technically detailed report from your testing company so the test can be reproduced on a clean install of yii2
  2. file a security issue: https://github.com/yiisoft/yii2/issues

Upvotes: 1
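To make the answer's point concrete, here is an added example (my own simplified model, not Yii's code) of how a Yii2-style validated cookie is checked: a hex HMAC-SHA256 prefix followed by a serialized [name, value] array, exactly the layout visible in the _frontendCSRF value in the question. Appending anything after the signed value, as the scanner did, makes the MAC comparison fail before the token is unserialized, and no database query is involved at any step. The key is an assumed demo value standing in for the app's cookieValidationKey.

```php
<?php
// Added example, not Yii's own code. Real Yii2 does the equivalent in
// yii\base\Security::validateData() and yii\web\Request::loadCookies().

// Assumption: demo key standing in for the application's cookieValidationKey.
const COOKIE_VALIDATION_KEY = 'demo-key-not-for-production';

/** Build a validated cookie value: hex HMAC-SHA256 prefix + serialized [name, value]. */
function buildValidatedCookie(string $name, string $value, string $key): string
{
    $data = serialize([$name, $value]);
    return hash_hmac('sha256', $data, $key) . $data;
}

/**
 * Read a validated cookie. Returns the inner value, or null when the MAC
 * does not match, the payload does not unserialize, or the name differs.
 */
function readValidatedCookie(string $name, string $raw, string $key): ?string
{
    $hashLen = strlen(hash_hmac('sha256', '', $key)); // 64 hex characters
    if (strlen($raw) < $hashLen) {
        return null;
    }
    $mac  = substr($raw, 0, $hashLen);
    $data = substr($raw, $hashLen);
    // Constant-time comparison; any byte added after the signed data breaks the MAC.
    if (!hash_equals(hash_hmac('sha256', $data, $key), $mac)) {
        return null;
    }
    $decoded = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($decoded) || !isset($decoded[0], $decoded[1]) || $decoded[0] !== $name) {
        return null;
    }
    return is_string($decoded[1]) ? $decoded[1] : null;
}

// Constructed sample: a token in the same 32-character format as in the question.
$good = buildValidatedCookie('_frontendCSRF', 'S8P_oYh_fNd-eODMV4NMrUqkebCWEKsL', COOKIE_VALIDATION_KEY);
// The same kind of tamper the report describes: text appended after the signed cookie.
$tampered = $good . "')and benchmark(20000000,sha1(1))-- ";

var_dump(readValidatedCookie('_frontendCSRF', $good, COOKIE_VALIDATION_KEY));
var_dump(readValidatedCookie('_frontendCSRF', $tampered, COOKIE_VALIDATION_KEY));
```

Run it with `php example.php`; the untouched cookie yields the token string and the tampered one yields NULL, which is why a timing difference here is more plausibly load noise than SQL execution and worth re-measuring several times before filing it.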
