ThinkPHP Remote Code Execution Vulnerability in Template File Read Function

Vulnerability

A remote code execution vulnerability has been reported in ThinkPHP version 5.0.24. The issue lies in the template file driver, specifically the read() function of File.php, which loads a template by passing its path to PHP's include. Whatever path reaches that include is executed as PHP, so when an application hands the view() helper a path that an attacker can influence, the attacker controls what gets included. By uploading a file that passes as an image (for example a .jpg whose body contains PHP code) and then steering the template path at that file, an attacker turns the local file inclusion into remote code execution.

Impact

Exploitation of this vulnerability gives local file inclusion through the template engine; combined with a file the attacker can place on the server, this leads to remote code execution with the privileges of the PHP process.

Reproduction

To reproduce this vulnerability, upload an image file that contains PHP code (e.g. xxx.jpg) into the uploads/20210510/ directory. Then create or modify the Index.php controller in app/index/controller/ so that one action checks whether the uploaded file exists and, if so, passes its path to view(). Requesting that action in a browser executes the PHP code embedded in the image file. Note that this reproduction edits the controller itself: the precondition in a real deployment is an application that passes a request-derived or otherwise attacker-influenced path to view() or fetch(), together with a location the attacker can write to (such as an upload directory). Applications that only ever pass fixed template names are not reachable this way.
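The pattern the reproduction describes, shown as an added example for a ThinkPHP 5.0 controller; this is not code from ThinkPHP or from the advisory. The vulnerable action builds the template path from a request parameter, which is exactly what lets an uploaded .jpg reach File::read(). The hardened action beside it only ever passes an allowlisted template name, and the helper below it shows the path validation the remediation calls for, assuming templates live under the application's view directory (the directory name, parameter names and template names are hypothetical).

```php
<?php
// Added example (not ThinkPHP's own code). Assumed layout: uploads under
// ROOT_PATH . 'uploads/', templates under APP_PATH . 'index/view/'.
namespace app\index\controller;

use think\Controller;

class Index extends Controller
{
    // VULNERABLE: the template argument is taken from the request. A value such
    // as "uploads/20210510/xxx.jpg" points at an attacker-uploaded file, and
    // because it carries an extension the view layer treats it as a file path,
    // compiles it and includes it, so any <?php ... ?> inside the image runs.
    public function unsafe()
    {
        $file = (string) $this->request->param('tpl');
        $path = ROOT_PATH . $file;
        if (is_file($path)) {
            return view($path);              // attacker-controlled include
        }
        return 'not found';
    }

    // HARDENED: user input selects a key, never a path. Only fixed template
    // names ever reach view(), so uploads cannot be addressed at all.
    private static $templates = [
        'home'  => 'index/home',
        'about' => 'index/about',
    ];

    public function safe()
    {
        $page = (string) $this->request->param('page', 'home');
        if (!array_key_exists($page, self::$templates)) {
            abort(404, 'unknown page');
        }
        return view(self::$templates[$page]);
    }

    // ALTERNATIVE when a directory of templates must be chosen by name:
    // reject separators and dot-segments, force the .html extension, and
    // confirm with realpath() that the result stays inside the template root.
    public function byName()
    {
        $name = (string) $this->request->param('name');
        $path = self::resolveTemplate(APP_PATH . 'index/view/pages/', $name);
        if ($path === null) {
            abort(404, 'unknown page');
        }
        return view($path);
    }

    // Returns the canonical template path, or null if $name is not a plain
    // file name inside $root. Note that is_file() alone is not a check:
    // the uploaded .jpg in the advisory is a real file too.
    private static function resolveTemplate($root, $name)
    {
        if ($name === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
            return null;                     // blocks "../", "/", "\\", NUL
        }
        $rootReal = realpath($root);
        $candidate = realpath($root . $name . '.html');
        if ($rootReal === false || $candidate === false) {
            return null;
        }
        // Containment check: a symlink inside $root pointing elsewhere
        // resolves outside $rootReal and is rejected here.
        if (strpos($candidate, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
            return null;
        }
        return $candidate;
    }
}
```

The allowlist form is preferable wherever the set of pages is known at deploy time; resolveTemplate() is for the rarer case of a template directory that grows at runtime, and even then it is the extension restriction plus the realpath containment check, not the existence test, that keeps an upload directory out of reach.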

Remediation

Users are advised to update to a version of ThinkPHP that has addressed this vulnerability. Because the include happens wherever view() or fetch() receives a path, application code must also be fixed: never pass a request-derived path to view() or fetch(); map user input to a fixed allowlist of template names; where a path must be built, reject directory traversal characters, restrict it to the legitimate template directories (checked with realpath() after resolution, not only with is_file()), and require the template file extension. Keeping upload directories outside any path the template engine can resolve, and validating uploaded files beyond their extension, removes the file the attacker needs on the other side of the inclusion.

Added: Nov 20, 2025, 6:19 PM
Updated: Nov 20, 2025, 10:34 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 10.0
exploitability: 9.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.