ThinkPHP
cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*
- 5.0.24
An arbitrary file read vulnerability has been identified in ThinkPHP version 5.0.24. The issue is in the fetch function of the Template.php file: an attacker who can influence the template value can supply a crafted file path, which the file inclusion mechanism passes to file_get_contents, allowing arbitrary files on the server to be read.
Exploitation of this vulnerability allows for arbitrary file reading, which could lead to the exposure of sensitive information such as configuration files or application data.
To reproduce this vulnerability, upload a password list file to the Windows desktop or another directory. Then, create or modify the Index.php file in the app\index\controller\ directory to include a crafted file path that traverses directories and points to the desired file, such as ../../../../../../../../../password.txt. Access the index method of the Index controller through the application's public URL, which will trigger the file read and display the contents in the browser.
Users are advised to update to a version of ThinkPHP that is not vulnerable. If an immediate update is not possible, implement strict path validation in the view() function or the template rendering entry to block directory traversal characters and restrict template paths to legitimate template directories.
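One way to implement the path validation described above, as an added example that is not ThinkPHP's own code. The helper name resolveTemplatePath() and the temporary demo directory are hypothetical, and the caller is assumed to pass the returned path to the template engine in place of the raw value.

```php
<?php
// Added example: hypothetical helper, not part of ThinkPHP's API.
// Resolves a template name to a file that must live under $templateRoot.
function resolveTemplatePath(string $template, string $templateRoot): string
{
    // Reject NUL bytes, ".." segments, absolute paths, drive letters and stream wrappers.
    if ($template === '' || strpos($template, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $template)
        || preg_match('#^([a-zA-Z]:|[\\\\/]|[a-zA-Z][a-zA-Z0-9+.\-]*://)#', $template)) {
        throw new InvalidArgumentException('Illegal template path');
    }

    $root = realpath($templateRoot);
    if ($root === false) {
        throw new RuntimeException('Template root does not exist');
    }

    // realpath() resolves symlinks and dot segments; false means no such file.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $template);
    if ($resolved === false || !is_file($resolved)) {
        throw new InvalidArgumentException('Template not found');
    }

    // Containment check against root plus separator, so a sibling
    // directory such as "views_evil" does not pass as "views".
    if (strncmp($resolved, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new InvalidArgumentException('Template outside template root');
    }
    return $resolved;
}

// Constructed demo: a temporary template root holding one legitimate template.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'index', 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'index' . DIRECTORY_SEPARATOR . 'index.html', '<h1>ok</h1>');

$candidates = ['index/index.html', '../../../../../../../../../password.txt',
               '/etc/passwd', 'php://filter/resource=x'];
foreach ($candidates as $candidate) {
    try {
        echo $candidate, ' => ', resolveTemplatePath($candidate, $root), PHP_EOL;
    } catch (Exception $e) {
        echo $candidate, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first candidate resolves; the other three are rejected before any file is opened. The realpath() containment check is what catches symlinks inside the template directory that point elsewhere.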