ThinkCMF Privilege Escalation Vulnerability in ThinkPHP 5.0 and Its Mitigation

The article explains a privilege‑escalation flaw in the ThinkCMF CMS built on ThinkPHP 5.0, demonstrates how to exploit it via crafted URLs to invoke arbitrary PHP functions such as phpinfo, and describes the official fix that adds strict controller name validation.


The author discovered that a newly built ThinkCMF blog, which runs on the ThinkPHP 5.0 framework, had been hit by what appeared to be automated get‑shell scans exploiting a privilege‑escalation vulnerability. The flaw resides in library/think/app.php, where the route is split into module, controller, and method on '/' without properly filtering the controller name.

Because the controller name is not validated, an attacker can craft a URL that makes the framework call any PHP function. For example, with the site served on the virtual host http://cmf.com, the following URL prints the output of phpinfo():

http://cmf.com/index.php?s=portal/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

By replacing phpinfo with other functions such as file_put_contents, an attacker can create webshells or other malicious files.
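
The request shape above leaves a distinctive trace in web-server access logs, which is the defender's first place to look. The following PHP script is an added example, not code from the article or from the ThinkPHP/ThinkCMF projects: it parses combined-format log lines (the sample lines are constructed) and flags requests whose ThinkPHP "s=" route names the framework's own \think\App class, its invokefunction method, or the call_user_func_array helper. Matching is done after URL-decoding because scanners often send the backslashes as %5C.

```php
<?php
// Added example (not from the original article or the ThinkPHP/ThinkCMF code):
// flag access-log lines that carry the route-abuse pattern described above.
// All log lines below are constructed for the example.

/** Indicators taken from the URL shown in the article; compared case-insensitively. */
const THINKPHP_ROUTE_ABUSE_MARKERS = [
    '\\think\\app',          // controller segment escaping into the framework namespace
    'invokefunction',        // App::invokeFunction reached through the route
    'call_user_func_array',  // function= parameter used to reach arbitrary callables
];

/**
 * Return true when the request target (after URL-decoding) contains any marker.
 * Decoding matters because probes often encode the backslashes as %5C.
 */
function isThinkphpRouteAbuse(string $requestTarget): bool
{
    $decoded = strtolower(urldecode($requestTarget));
    foreach (THINKPHP_ROUTE_ABUSE_MARKERS as $marker) {
        if (strpos($decoded, strtolower($marker)) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Parse Apache/Nginx combined-format lines and return the client IP, request
 * target and status code of every matching request. Unparseable lines are skipped.
 */
function findRouteAbuse(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // client-ip ident user [time] "METHOD target HTTP/x.y" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
            continue;
        }
        if (isThinkphpRouteAbuse($m[2])) {
            $hits[] = ['ip' => $m[1], 'target' => $m[2], 'status' => (int) $m[3]];
        }
    }
    return $hits;
}

// Constructed sample lines: one ordinary page view, one URL-encoded probe, one plain probe.
$sampleLog = [
    '203.0.113.7 - - [10/Jan/2019:08:01:02 +0000] "GET /index.php?s=portal/index/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2019:08:01:05 +0000] "GET /index.php?s=portal/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 88310 "-" "python-requests/2.20"',
    '198.51.100.9 - - [10/Jan/2019:08:01:06 +0000] "GET /index.php?s=portal/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 404 312 "-" "python-requests/2.20"',
];

foreach (findRouteAbuse($sampleLog) as $hit) {
    printf("%s -> HTTP %d : %s\n", $hit['ip'], $hit['status'], $hit['target']);
}
```

The status code is worth keeping in the output: on an unpatched install the probe returns 200 with a large body (the phpinfo page), whereas a patched ThinkPHP answers 404 ("controller not exists"), so the pair of status and response size tells you quickly whether a logged probe is likely to have succeeded.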

The official ThinkPHP fix for version 5.0 adds a regular‑expression check to the controller retrieval code in the think\App class:

// think\App, controller retrieval: reject any controller name that is not a
// letter followed by word characters or dots, so a value such as \think\app
// can no longer be turned into a framework class name.
if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
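
To see what the patched check accepts and rejects, here is the same rule pulled into a standalone function and run over constructed route strings. This is an added example, not ThinkPHP's source: the real think\App fills in default module and controller names when segments are missing and throws HttpException on failure, whereas this simplified parser requires all three segments and returns null so the result is easy to inspect.

```php
<?php
// Added example (not the ThinkPHP source): the controller-name rule from the
// 5.0.24 patch, applied to constructed "module/controller/action" routes.

/**
 * Split a ThinkPHP 5.0 style route on '/' and apply the patched controller-name
 * check: the name must start with a letter and may then contain only word
 * characters or dots (the dot allows multi-level controllers such as user.profile).
 * Simplification: all three segments are required here; ThinkPHP itself supplies defaults.
 */
function parseRoute(string $route): ?array
{
    $parts = explode('/', trim($route, '/'));
    if (count($parts) !== 3) {
        return null;
    }
    [$module, $controller, $action] = $parts;

    // The regex from the official fix. A leading backslash, a namespace
    // separator or a still-encoded %5C all fail this test.
    if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
        return null; // ThinkPHP: throw new HttpException(404, 'controller not exists:' . $controller);
    }
    return ['module' => $module, 'controller' => $controller, 'action' => $action];
}

// Constructed routes: ordinary ones that must keep working, and the shape used in the article's URL.
$samples = [
    'portal/index/index',
    'portal/article/read',
    'user/user.profile/edit',
    'portal/\think\app/invokefunction',     // controller escapes into the framework namespace
    'portal/%5Cthink%5Capp/invokefunction', // same, rejected even if it arrived undecoded
    'portal/1abc/index',                    // must start with a letter
];

foreach ($samples as $route) {
    $result = parseRoute($route);
    printf("%-40s %s\n", $route, $result ? 'accepted (' . $result['controller'] . ')' : 'rejected -> 404');
}
```

The first three routes are accepted and the last three rejected, which is the whole point of the fix: legitimate controller names, including dotted multi-level ones, pass unchanged, while anything that could be interpreted as a fully qualified class name is stopped before the framework tries to load it.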

The author used ThinkCMF version 5.0.180901. The latest release, 5.0.190111, updates ThinkPHP to 5.0.24, which includes the security patch and eliminates the privilege‑escalation vulnerability.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: PHP, Vulnerability, Web Security, privilege escalation, ThinkPHP, ThinkCMF
Written by

php Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
