[Vulnerability Warning] ThinkPHP5 Remote Code Executes High Risk Vulnerability

2018-12-14 17:27:37
Dear user

On December 10, 2018, upon monitoring ThinkPHP, the Security Team of JD Cloud officially released a security update and disclosed a high risk security vulnerability through which the attacker may execute a remote command at low cost. The affected versions were 5.0 and 5.1.

[Vulnerability Details]

As the ThinkPHP frame does not applied strict detection to the controller name, the attacker can execute any malicious code at the server when the mandatory routing is not enabled.

[Risk Level]

Severe

[Influence Range]

ThinkPHP 5.0 Series < 5.0.23

ThinkPHP 5.1 Series < 5.1.31

[Repair suggestion]

Upgrade ThinkPHP to a security version

[Mitigation Suggestion]

If it is unable to update to the latest version now, please enable the mandatory routing and add corresponding undefined routing or add relevant codes by referring to commit.

[Reference Link]

https://blog.thinkphp.cn/869075

JD Cloud team

2018-12-14 17:27:37