
CVE-2022-47945: ThinkPHP Framework vulnerable to remote code execution

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.99472%
Published: 12/23/2022
Updated: 8/17/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: topthink/framework
Ecosystem: composer
Vulnerable Versions: < 6.0.14
First Patched Version: 6.0.14

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper path sanitization in the language detection mechanism. The pre-patch version of detect() in LoadLangPack.php took user input from GET/headers/cookies via $request->get() and used it to set $langSet without validating against path traversal sequences. The attacker-controlled $langSet was then used to build a file path for inclusion via Lang::load(), enabling arbitrary file inclusion. The commit patched this by 1) removing forced lowercase conversion (which could bypass some checks) and 2) adding proper regex validation of the language string before path construction.
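A hardened version of the language-detection step described above, written for this page as an illustration and not taken from ThinkPHP's code; it assumes a GET parameter `lang`, a cookie `think_lang`, and the helper names isValidLangTag, detectLang and langFilePath. It applies the regex check and an allow-list before any path is built, keeps the original case so validation sees exactly what the include will see, and adds a containment check on the resolved file.

```php
<?php
// Added illustration, not ThinkPHP's own code. Function and config names
// (detectLang, langFilePath, 'lang', 'think_lang') are assumptions.

// Allow only short ASCII tags such as "en-us" or "zh_CN": slashes, dots and
// NUL bytes never pass, and no lowercasing happens between check and use.
function isValidLangTag(string $lang): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,16}$/', $lang) === 1;
}

// Same source order as the pre-patch detect() (GET, cookie, Accept-Language),
// but the value is validated and allow-listed before it is used for anything.
function detectLang(array $get, array $cookie, string $accept, array $allowList): ?string
{
    $langSet = '';
    if (isset($get['lang']) && is_string($get['lang'])) {
        $langSet = $get['lang'];
    } elseif (isset($cookie['think_lang']) && is_string($cookie['think_lang'])) {
        $langSet = $cookie['think_lang'];
    } elseif (preg_match('/^([A-Za-z\d\-]+)/', $accept, $m) === 1) {
        $langSet = $m[1];
    }
    if (!isValidLangTag($langSet) || !in_array($langSet, $allowList, true)) {
        return null;
    }
    return $langSet;
}

// Build the pack path only from a validated tag and confirm the resolved file
// still sits under the language directory before it is handed to include().
function langFilePath(string $langDir, string $lang): ?string
{
    $base = realpath($langDir);
    $file = realpath($langDir . DIRECTORY_SEPARATOR . $lang . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed sample inputs; the script throws if the hardened logic misbehaves.
function expect($got, $want): void { if ($got !== $want) { throw new RuntimeException(var_export($got, true)); } }
$allow = ['en-us', 'zh-cn'];
expect(detectLang(['lang' => 'en-us'], [], '', $allow), 'en-us');
expect(detectLang(['lang' => '../../x'], [], '', $allow), null);
expect(detectLang([], ['think_lang' => 'zh-cn'], '', $allow), 'zh-cn');
expect(detectLang([], [], 'fr-FR,fr;q=0.8', $allow), null);
echo "all checks passed\n";
```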


WAF Protection Rules

WAF Rule

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (`lang_switch_on=true`). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system comma
