The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.
The vulnerability is classified as CWE-98 (PHP Remote File Inclusion) and indicates improper neutralization of include/require directives in PHP. The read function responsible for loading template files does not properly validate supplied input data, allowing an attacker to inject or specify a malicious file to be included and executed by the PHP interpreter. The attack requires no privileges or prior authentication.
An attacker can remotely execute arbitrary PHP code on the server, which in practice means complete takeover of the application and potentially the entire server, including access to sensitive data, modification of resources, and violation of system availability.
Patches available from the manufacturer should be applied according to the references. Until the fix is implemented, it is recommended to restrict access to the application at the firewall level and monitor suspicious HTTP requests.
ThinkPHP version 5.0.24
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThinkphp
APPThinkphp5.0.24
Related vulnerabilities
ThinkPHP 5.0.23 — zdalne wykonanie kodu przez parametr routingu (RCE)
RCE w ThinkPHP 3 — wykonanie kodu przez komponent index.php
RCE w ThinkPHP 5.1 przez funkcję routecheck
ThinkPHP: RCE poprzez deserializację w Index.php (CVE-2024-48112)
Krytyczna podatność deserialization RCE w ThinkPHP v6.1.3–v8.0.4