CVE-2019-7580
Description
ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admin_category/addpost.html alias parameter because the mishandling of a single quote character allows data/conf/route.php injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ThinkCMF 5.0.190111 allows authenticated backend users to inject arbitrary PHP code via the 'alias' parameter due to improper single quote filtering.
Vulnerability
ThinkCMF version 5.0.190111 fails to properly filter single quote characters in user input, specifically through the alias parameter in the portal/admin_category/addpost.html endpoint. This allows an authenticated backend user to inject arbitrary PHP code into the data/conf/route.php file. The mishandling of a single quote enables injection of PHP array syntax and executable code, as described in the advisory [1].
Exploitation
An attacker must have a valid backend user session (authenticated with administrator privileges) and make a crafted HTTP POST request to /portal/admin_category/addpost.html. The exploit involves setting the alias parameter with a payload that includes a single quote to break out of the intended string context, followed by PHP code such as phpinfo(). The PoC request shown in the reference includes parameters like parent_id=0&name=111&alias=1'=>array("",""),phpinfo(),'2 [1].
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server. This can lead to complete compromise of the web application, including data exfiltration, file manipulation, privilege escalation, and further server-side attacks. The injected code is written into data/conf/route.php, which is included by the application, giving the attacker code execution in the context of the web server [1].
Mitigation
As of the publication date (2019-02-07), no official patch has been released for ThinkCMF 5.0.190111. The advisory [1] confirms the vulnerability but does not provide a fixed version. Users should upgrade to a patched version if available, or apply input validation and sanitization to the alias parameter (specifically filtering single quotes) as a workaround. There is no indication that this CVE is listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
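The mechanics above (a single quote in the alias breaking out of a string literal inside a generated PHP file) and the mitigation's suggested workaround can be shown side by side. The following is an added example written for this page, not ThinkCMF's code: a hypothetical route-config writer in the fragile string-building form the description implies, next to a hardened version that validates the alias against an assumed charset policy and serializes with var_export() so user input never reaches code context.

```php
<?php
// Added example (not ThinkCMF's code): a hypothetical route-config writer,
// first in the fragile form the CVE describes (building PHP source by string
// concatenation), then hardened with strict validation plus var_export().

// Fragile: the user-controlled alias is pasted straight into generated PHP.
// A single quote in $alias terminates the string literal, and whatever follows
// is parsed as code when the file is later include()d.
function buildRouteConfigFragile(array $routes): string
{
    $body = '';
    foreach ($routes as $alias => $target) {
        $body .= "    '{$alias}' => '{$target}',\n";
    }
    return "<?php\nreturn [\n{$body}];\n";
}

// Assumed alias policy (not ThinkCMF's): letters, digits, '_', '-', '/'.
function isValidAlias(string $alias): bool
{
    return preg_match('/^[A-Za-z0-9_\-\/]{1,64}$/', $alias) === 1;
}

// Hardened: reject anything outside the allowed charset, then let
// var_export() produce the quoting so no user byte is interpreted as code.
function buildRouteConfigSafe(array $routes): string
{
    foreach ($routes as $alias => $target) {
        if (!isValidAlias((string) $alias)) {
            throw new InvalidArgumentException(
                'rejected alias (hex): ' . bin2hex((string) $alias)
            );
        }
    }
    return "<?php\nreturn " . var_export($routes, true) . ";\n";
}

// Constructed sample input: one benign alias, one containing a single quote.
$benign  = ['news' => 'portal/article/index'];
$hostile = ["a'b" => 'portal/article/index'];

echo buildRouteConfigFragile($hostile);
// Generated line is:  'a'b' => 'portal/article/index',
// which is no longer one string literal; the quote has changed the syntax.

echo buildRouteConfigSafe($benign);
// return array (
//   'news' => 'portal/article/index',
// );

try {
    buildRouteConfigSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // rejected alias (hex): 612762
}
```

The validation belongs at the controller boundary, before the value reaches any writer, and the serializer is the second line of defence. Where possible, avoid generating executable PHP from user input at all: store routes as plain data (for example JSON) and load them with json_decode(), so a malformed alias can only corrupt a data file, never execute.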
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
- github.com/shadowsock5/ThinkCMF-5.0.190111/blob/master/README.md (MISC)
- xz.aliyun.com/t/3997 (MISC)
News mentions: 0
No linked articles in our index yet.