1 Vulnerability Overview
Recently, ThinkPHP posted a blog, announcing the release of an update that addresses a high-risk remote code execution (RCE) vulnerability. This vulnerability stems from the framework’s insufficient checks on controller names, which, in case forced routing is not enabled, would allow arbitrary code execution or even access to the server.
ThinkPHP is a free framework distributed under the Apache2 open-source license. Since inception, it has, based on the design principle of simplicity and usability, excelled in performance achieved through simple code while maintaining an ease of use (EOU). Despite a number of original functions and features, the ThinkPHP community has worked hard to keep optimizing and improving the framework in aspects of EOU, scalability, and performance. Not surprisingly, this product has been well received and widely adopted in enterprise-class development projects. Considering the potentially extensive impact of this vulnerability, users are advised to stay wary and take necessary action to protect themselves.
2 Scope of Impact
- ThinkPHP < 5.1.31
- ThinkPHP < 5.0.23
- ThinkPHP 5.1.31
- ThinkPHP 5.0.23
3 Vulnerability Check
3.1 Version Check
Use a text editor to open thinkphp\base.php and then you can find the version number of the current framework from the section of code on constant definitions.
3.2 PoC Check
Include the following payload in the URL to check whether the RCE risk exists. If a phpinfo page is displayed in response to the request for the crafted URL, the framework is exposed to the RCE risk.
Following is a screenshot of the PoC check result.
4 Vulnerability Protection
4.1 Version Upgrade
Users who used Composer to install ThinkPHP can run the following command to upgrade the current version:
4.2 Patch Code
Those who cannot upgrade the version can manually fix the vulnerability by modifying the source code as follows:
Locate the module method in the think\App class and append the following code snippet to the controller code:
Locate the parseUrl method in the think\route\dispatch\Url class and append the following code snippet to the parsed controller code:
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.