Vulnerability
ThinkPHP is an open-source framework for web application development. It is licenced under the Apache2 licence. Controller names are wrongly processed by the framework in ThinkPHP 5.0.22, causing the attacker to initiate any framework method, Because the root controllers are not subject to any specific filtering resulting in an RCE (Remote Code Execution) vulnerability.Threat actors are aggressively using ThinkPHP to infect a wide range of malware, primarily aimed at Internet of Things (IoT) devices.
Impact
In the ThinkPHP framework, a specifically designed value in the filter HTTP parameter can lead to arbitrary code execution.
Mitigation / Precaution
- We suggest that you update to version 5.0.23 / 5.1.31 or higher of ThinkPHP in order to fix this vulnerability.
- Directly apply the patch: In thinkphp 5.0, add the following code to line 554 of thinkphp/library/think/App.php, In thinkphp 5.1, line 63 of thinkphp/library/think/route/dispatch/Url.php.
if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller))
{
throw new HttpException(404, 'controller not exists:' . $controller);
}
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
