ThinkPHP v5.0.22/5.1.29 Remote Code Execution Vulnerability - Vulnerability Database

ThinkPHP v5.0.22/5.1.29 Remote Code Execution Vulnerability

Description

ThinkPHP is a widely-used PHP development framework, particularly popular in China. Versions 5.0.22 and earlier, as well as versions 5.1.29 and earlier, contain a critical vulnerability in the controller name processing mechanism. The framework fails to properly validate and sanitize controller names, allowing attackers to invoke arbitrary framework methods through specially crafted HTTP requests. This flaw enables remote code execution without requiring authentication.

Remediation

Immediately upgrade ThinkPHP to version 5.0.23 or later for the 5.0.x branch, or version 5.1.30 or later for the 5.1.x branch. If immediate upgrading is not feasible, implement the following temporary mitigations:

1. Add input validation to filter controller names and reject requests containing suspicious patterns (e.g., method calls, special characters)
2. Configure web application firewall (WAF) rules to block requests with malicious payloads targeting this vulnerability
3. Review application logs for any suspicious controller invocation attempts
4. Restrict network access to the application to trusted IP addresses if possible
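One way to implement the allow-list check in step 1, given here as an added illustration rather than code from ThinkPHP or Invicti; it assumes ThinkPHP's default /module/controller/action path layout and runs over constructed sample paths.

```php
<?php
declare(strict_types=1);

// Added example (not ThinkPHP's own code): an allow-list check on the
// controller segment of a request path, as temporary mitigation step 1.
// Assumption: paths follow /module/controller/action, ThinkPHP's default
// pathinfo layout. The real fix remains upgrading to 5.0.23 / 5.1.30.

/** A controller name must be a plain identifier: a letter, then letters,
 *  digits, underscores or dots (dots allow nested controllers like "user.profile"). */
function isSafeControllerName(string $name): bool
{
    return preg_match('/^[A-Za-z][A-Za-z0-9_.]*$/', $name) === 1;
}

/** Pull the controller segment out of a pathinfo-style request path. */
function controllerFromPath(string $path): string
{
    $parts = array_values(array_filter(explode('/', $path), 'strlen'));
    // Default layout: [module, controller, action]; controller is index 1.
    return $parts[1] ?? '';
}

/** Returns true when the request may proceed, false when it should be
 *  answered with 404 and logged (mitigation step 3). */
function allowRequest(string $path, ?string &$reason = null): bool
{
    $controller = controllerFromPath($path);
    if ($controller === '') {
        return true;                 // framework default controller applies
    }
    if (!isSafeControllerName($controller)) {
        // Hex-encode the rejected value so the log line cannot be injected into.
        $reason = 'rejected controller segment: ' . bin2hex($controller);
        return false;
    }
    return true;
}

// Constructed sample requests: one normal, two carrying namespace/special characters.
$samples = [
    '/index/user.profile/show',
    '/index/bad\\Name/run',
    '/index/foo;bar/run',
];
foreach ($samples as $p) {
    $why = null;
    echo $p, ' => ', allowRequest($p, $why) ? 'allow' : "block ($why)", PHP_EOL;
}
```

Wire the check in before the framework dispatches (or express the same regex as a WAF rule for step 2), and treat every rejection as a signal worth reviewing.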

After upgrading, verify the installation and test application functionality to ensure compatibility. Review the official ThinkPHP security advisory for additional details and post-upgrade security hardening recommendations.
