Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

ThinkPHP Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in ThinkPHP versions prior to 3.2.4, including version 5.0.23, and is also present in Open Source BMS version 1.1.1. The root cause is a PHP injection flaw: a crafted HTTP request can make the framework invoke an attacker-chosen PHP function, and when that function executes system commands, the result is arbitrary command execution on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the vulnerable ThinkPHP application is running.

Reproduction

To reproduce this vulnerability, send a GET request to 'public//?s=index/\think\app/invokefunction' with the 'function' parameter set to 'call_user_func_array'. The 'vars[0]' parameter should be set to 'system', and 'vars[1][]' should contain the command to be executed. This can be done using tools like cURL or Burp Suite.
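For detection, the request shape described above can be matched in web server access logs. The following Python scanner is an added example (not part of this advisory or of ThinkPHP); the log lines are constructed samples, and the scanner flags any request whose ThinkPHP route parameter targets invokefunction, raising the severity when the function and vars[0] parameters match the pattern in this advisory.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache/Nginx combined format); not real traffic.
# Line 1 is a plain request, line 2 is benign, line 3 is the same pattern percent-encoded.
SAMPLE_LOG = r"""
203.0.113.5 - - [07/Apr/2026:09:36:01 +0000] "GET /public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 512
198.51.100.7 - - [07/Apr/2026:09:36:02 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 1024
203.0.113.5 - - [07/Apr/2026:09:36:03 +0000] "GET /public/?s=index%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=whoami HTTP/1.1" 500 0
"""

# Extract method and request target from the quoted request field of each log line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# PHP function named in this advisory as the command-execution sink; extend as needed.
COMMAND_EXEC_FUNCS = {"system"}


def classify_request(target: str) -> Optional[dict]:
    """Return a finding dict if the request target matches the invokefunction pattern, else None."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    route = params.get("s", [""])[0]
    # ThinkPHP routes may use backslashes (\think\app) or forward slashes, and may be
    # double-encoded; normalise before matching so either spelling is caught.
    normalised = unquote(route).replace("\\", "/").lower()
    if "invokefunction" not in normalised:
        return None
    func = params.get("function", [""])[0].lower()
    vars0 = params.get("vars[0]", [""])[0].lower()
    # The full chain from the advisory (call_user_func_array -> system) is rated high;
    # any other invokefunction request is still suspicious and rated medium.
    severity = "high" if func == "call_user_func_array" and vars0 in COMMAND_EXEC_FUNCS else "medium"
    return {"route": route, "function": func, "vars0": vars0, "severity": severity}


def scan_log(text: str) -> list:
    """Scan combined-format log text and return one finding per matching request."""
    findings = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        match = REQ_RE.search(line)
        if not match:
            continue
        finding = classify_request(match.group("target"))
        if finding:
            finding["line"] = lineno
            finding["client"] = line.split(" ", 1)[0]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} severity={hit['severity']} function={hit['function']} vars[0]={hit['vars0']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; hits for the same client across many lines are a strong sign of automated exploitation attempts.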

Remediation

Users are advised to upgrade ThinkPHP to version 3.2.4 or later. For Open Source BMS users, upgrading to a version that does not use the vulnerable ThinkPHP framework is recommended.

Added: Apr 7, 2026, 9:36 AM
Updated: Apr 7, 2026, 9:36 AM

Vulnerability Rating (Custom Algorithm)

spread           6.4
impact           7.5
exploitability  10.0
remediation      7.7
relevance        0.0
threat           9.9
urgency          2.9
incentive        8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.