Vulnerability report | ThinkPHP Remote Code Execution Vulnerability
2017-08-16


Vulnerability description:

ThinkPHP is a fast, compatible and simple lightweight domestic PHP development framework that addresses most of the needs of application development.

The vulnerability can be exploited only when all of the following conditions hold: the cache function is enabled and the cache name is known or easy to guess; files under the /runtime/ directory can be accessed through the Web; and the cache content is attacker-controlled and can carry PHP code. An attacker who writes malicious code into a cache file can trigger remote code execution, gain control of the site, and cause data leakage.

Vulnerability discovery time:
2017-08-18

CVE reference(s):
None

Highest severity level:
High risk

Affected systems:
ThinkPHP 3, ThinkPHP 5

Solution:

1. ThinkPHP does not enable the cache by default. Check whether it has been enabled; if the cache function is not needed, turn it off temporarily to remove the risk.
2. Add a prefix to the cache file name so that cache file names can no longer be guessed.
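As an added illustration (not code from the advisory or from the ThinkPHP project), the following PHP snippet places the weak default file-cache settings beside a hardened form and audits a configuration against two of the preconditions listed above: predictable cache file names and a cache directory reachable through the Web. The key names DATA_CACHE_TYPE, DATA_CACHE_PREFIX and DATA_CACHE_PATH follow the ThinkPHP 3.2 configuration convention (ThinkPHP 5 nests the equivalent settings under a 'cache' array); the directory paths are assumed for the example.

```php
<?php
// Added example, not ThinkPHP's own code. Key names follow ThinkPHP 3.2
// conventions; paths below are assumed values for illustration.

// Weak: default-style settings. The cache directory sits under the
// document root, so cache files can be requested by URL, and with an
// empty prefix a file name derives only from the cache key.
$weakConfig = [
    'DATA_CACHE_TYPE'   => 'File',
    'DATA_CACHE_PREFIX' => '',
    'DATA_CACHE_PATH'   => '/var/www/html/Application/Runtime/Temp/',
];

// Hardened: a prefix that cannot be derived from the application (generate
// it once and keep it in the deployed config), plus a cache directory
// outside the document root so no cache file is reachable through the Web.
$hardenedConfig = [
    'DATA_CACHE_TYPE'   => 'File',
    'DATA_CACHE_PREFIX' => 'c_' . bin2hex(random_bytes(8)),
    'DATA_CACHE_PATH'   => '/var/lib/thinkphp-cache/',
];

/**
 * Audit the file-cache settings against the advisory's preconditions.
 * Returns a list of findings; an empty list means neither condition applies.
 */
function auditCacheConfig(array $config, string $webRoot): array
{
    $findings = [];

    // The vector described in the advisory needs the file cache driver.
    if (strcasecmp($config['DATA_CACHE_TYPE'] ?? 'File', 'File') !== 0) {
        return $findings;
    }

    // Precondition: cache name known or easy to guess.
    if (($config['DATA_CACHE_PREFIX'] ?? '') === '') {
        $findings[] = 'DATA_CACHE_PREFIX is empty: cache file names are predictable';
    }

    // Precondition: cache directory accessible through the Web.
    // Normalise separators and trailing slashes before the prefix comparison.
    $cachePath = rtrim(str_replace('\\', '/', $config['DATA_CACHE_PATH'] ?? ''), '/') . '/';
    $root      = rtrim(str_replace('\\', '/', $webRoot), '/') . '/';
    if (strncmp($cachePath, $root, strlen($root)) === 0) {
        $findings[] = "cache directory $cachePath lies under the web root $root";
    }

    return $findings;
}

$webRoot = '/var/www/html';   // assumed document root for the example
print_r(auditCacheConfig($weakConfig, $webRoot));
print_r(auditCacheConfig($hardenedConfig, $webRoot));
```

The audit deliberately covers only the two preconditions that are visible in configuration; whether cache content is attacker-controlled depends on the application's own use of the cache and has to be reviewed in code.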