ThinkPHP framework arbitrary code execution vulnerability alert - vulnerability alert - 黑吧安全网 (myhack58)

2012-04-10T00:00:00
ID MYHACK58:62201233619
Type myhack58
Reporter 佚名 (anonymous)
Modified 2012-04-10T00:00:00

Description

ThinkPHP is a widely used PHP MVC framework developed in China; a large number of Chinese start-ups and projects appear to be built on it.

The project recently released a security patch. The official statement says only that a security vulnerability in URL handling allows a client to execute illegal code through a forged URL.

Most developers and users, however, seem not to have noticed how dangerous this vulnerability is, let alone upgraded. I analysed the patch and found that the problem is indeed very serious: any application built on the ThinkPHP framework can be made to execute arbitrary PHP code directly. Hence this warning.

Let's analyze the official patch:

/trunk/ThinkPHP/Lib/Core/Dispatcher.class.php

1 2 5 - $res = preg_replace('@(w+)'.$ depr.' ([^'.$ depr.'\/]+)@ e', '$var[\'\\1\']="\\2";', implode($depr,$paths));

1 2 5 + $res = preg_replace('@(w+)'.$ depr.' ([^'.$ depr.'\/]+)@ e', '$var[\'\\1\']=\'\\2\';', implode($depr,$paths));
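Review bot: the change at line 125 only swaps the replacement string's outer quotes from double to single, so the captured value \\2 is no longer subject to double-quote interpolation, but the /e modifier is kept and preg_replace still evaluates a generated assignment statement for every pathinfo pair. Prefer removing the eval altogether, e.g. `preg_match_all($pattern, implode($depr,$paths), $m, PREG_SET_ORDER)` followed by `$var[$pair[1]] = $pair[2];`, so the captured name and value are assigned as data; and consider preg_quote()ing $depr, since it is concatenated into the pattern unescaped.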

This code parses PATHINFO as a RESTful-style URL; its main job is to extract the key/value pairs carried in PATHINFO and merge them into the $_GET array.

The problem lies in how the regular expression parses PATHINFO, mainly in this statement:

$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));

The obvious issue is the use of preg_replace's /e modifier, which is extremely dangerous: with /e, the second parameter of preg_replace is treated as PHP code and executed. The authors rely on this to assign the parsed values into an array dynamically from within the replacement string:

'$var[\'\\1\']="\\2";'

The captured value \\2 is placed inside double quotes, and in PHP a double-quoted string parses variable syntax, including the ${expr} form, and evaluates it. So against any application written with the ThinkPHP framework, an attacker can execute arbitrary PHP code simply by requesting a URL of the following form:

index.php/module/action/param1/${@print(THINK_VERSION)}
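The mechanism described above, as an added example that is not part of the original advisory or of ThinkPHP's own code: a function with the shape of the vulnerable line 125, beside a parser that extracts the same key/value pairs with preg_match_all and never evaluates the captured text. The separator $depr, the segment array $paths and the placeholder value given to THINK_VERSION are assumptions made so the example runs stand-alone. The official patch only switched the replacement string to single quotes; the hardened version here drops the /e modifier entirely (PHP 5.5 deprecated it and PHP 7 removed it, so the vulnerable function only runs on PHP 5.x).

```php
<?php
// Added example, not ThinkPHP's code. Shows why a URL segment becomes executed
// PHP under preg_replace's /e modifier, and a parser with the same result that
// stores captured text as data. Assumptions: $depr is the pathinfo separator
// ('/' by default) and $paths holds the pathinfo segments after module/action.
// THINK_VERSION is normally defined by the framework; a placeholder is defined
// here so the example stands alone.

if (!defined('THINK_VERSION')) {
    define('THINK_VERSION', 'placeholder-version');
}

/**
 * Vulnerable shape of the pre-patch line.
 *
 * With /e, preg_replace eval()s the replacement string for every match. That
 * replacement is a double-quoted PHP string literal containing \2, so a
 * segment such as ${@print(THINK_VERSION)} is interpolated and the expression
 * inside ${...} is executed. /e no longer exists in PHP 7, so this function is
 * only callable on PHP 5.x and is kept here as the "before".
 */
function parsePathInfoVulnerable(array $paths, $depr = '/')
{
    $var = array();
    preg_replace('@(\w+)' . $depr . '([^' . $depr . '\/]+)@e',
                 '$var[\'\\1\']="\\2";',
                 implode($depr, $paths));
    return $var;
}

/**
 * Hardened parser: same key/value extraction, but the captured name and value
 * are assigned as data and nothing is evaluated. The separator is preg_quote()d
 * so a non-'/' separator cannot change the meaning of the pattern either.
 */
function parsePathInfoSafe(array $paths, $depr = '/')
{
    $var = array();
    $d = preg_quote($depr, '@');
    $pattern = '@(\w+)' . $d . '([^' . $d . '/]+)@';
    if (preg_match_all($pattern, implode($depr, $paths), $m, PREG_SET_ORDER)) {
        foreach ($m as $pair) {
            $var[$pair[1]] = $pair[2];   // $pair[2] stays an ordinary string
        }
    }
    return $var;
}

// Constructed request: index.php/Index/test/name/gary/id/${@print(THINK_VERSION)}
// (single quotes below: PHP does not interpolate ${...} in single-quoted literals)
$segments = array('name', 'gary', 'id', '${@print(THINK_VERSION)}');

echo "safe parser:\n";
var_dump(parsePathInfoSafe($segments));

if (PHP_MAJOR_VERSION < 7) {
    echo "vulnerable parser (PHP 5 only):\n";
    // Side effect: the payload's print() runs while \2 is interpolated.
    var_dump(parsePathInfoVulnerable($segments));
}
```

In the safe parser the payload segment is returned verbatim under the key `id`, which is exactly what a later `array_merge($var, $_GET)` should receive; the only way to reach code execution again would be to reintroduce an eval of attacker text, which this version has no path for.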

Because execution here goes through double-quote interpolation, I am deliberately not posting more harmful payloads; going beyond the demonstration above takes a few tricks.

In short, this is a very serious problem. A quick search shows that many sites are still running the unpatched version, and ThinkPHP applications are easy to fingerprint, so it would not be difficult for an interested party to write a scanner for it.

To avoid further losses, I am posting this specifically to draw the attention of those developing with ThinkPHP: apply the official security patch as soon as possible.

Author: GaRY