VYPR
Critical severity · NVD Advisory · Published Jul 26, 2021 · Updated Aug 4, 2024

CVE-2020-17952


Description

Remote code execution in Twothink v2.0 via crafted URL parameter allows arbitrary PHP code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A remote code execution vulnerability exists in /library/think/App.php of Twothink v2.0. The routeCheck() function reads the route from the query parameter named by Config::get('var_pathinfo'), which defaults to s, and splits it into module, controller and action segments. The controller segment is not validated: a value that contains a namespace separator, such as \think\app, is treated as a fully qualified class name instead of a controller under the application's own namespace, so the attacker can select any loadable class and any of its public methods. In particular, \think\App::invokeFunction becomes reachable with attacker-controlled arguments, and that method calls whatever PHP function it is given. Affected version: Twothink v2.0 (based on ThinkPHP 5.0.2) [1][2][3].

Exploitation

An attacker sends a single crafted HTTP GET request to the Twothink application. The proof-of-concept URL is: http://localhost/twothink-master/public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1. Here the s parameter routes to the \think\app class and its invokefunction method (PHP method names are case-insensitive, so the lowercase spelling resolves to invokeFunction), the function parameter names the callable to run, call_user_func_array, and the vars[] array supplies its arguments, so the server ends up executing call_user_func_array('phpinfo', [1]). Replacing phpinfo with another callable gives arbitrary function calls. No authentication is required; the attacker only needs network access to the application [3].
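The route resolution described above, and the input validation on the s parameter suggested under Mitigation, as an added example that is not code from Twothink or ThinkPHP. It is a Python model of how ThinkPHP 5.0.x turns the s parameter into a class and method, shows why \think\app escapes the application's controller namespace, and applies the controller-name allow-list pattern that ThinkPHP 5.0.23 introduced. The function names, BENIGN_URL and the dispatch defaults are this example's own assumptions and mirror App.php's behaviour rather than reproduce it.

```python
"""Added example (not code from Twothink or ThinkPHP): a Python model of how
ThinkPHP 5.0.x resolves the `s` query parameter into a class and method, why
'\\think\\app' escapes the app\\<module>\\controller namespace, and the
controller-name check (pattern from ThinkPHP 5.0.23) that rejects it.
Function names and defaults are this example's assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

VAR_PATHINFO = "s"                                   # ThinkPHP default for Config::get('var_pathinfo')
APP_MODULE_TPL = "app\\%s\\controller\\%s"           # normal controller class layout
CONTROLLER_NAME = re.compile(r"^[A-Za-z](\w|\.)*$")  # allow-list added in ThinkPHP 5.0.23

# PoC URL from the advisory, plus an assumed ordinary request for comparison.
POC_URL = ("http://localhost/twothink-master/public/?s=index/\\think\\app/invokefunction"
           "&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1")
BENIGN_URL = "http://localhost/twothink-master/public/?s=index/index/index&page=2"


def php_indexed_array(query, name):
    """Rebuild PHP's view of name[0]=a&name[1][]=b as ['a', ['b']] (two levels suffice)."""
    found = {}
    for key, values in query.items():
        m = re.fullmatch(r"%s\[(\d+)\](\[\])?" % re.escape(name), key)
        if m:
            found[int(m.group(1))] = values if m.group(2) else values[0]
    return [found[i] for i in sorted(found)]


def parse_pathinfo(pathinfo):
    """module/controller/action split as Route::parseUrl() does, with 5.0-style defaults."""
    parts = [p for p in pathinfo.strip("/").split("/") if p]
    parts += ["index", "Index", "index"][len(parts):]
    return parts[0], parts[1], parts[2]


def resolve_controller(module, controller, hardened):
    """Mirror Loader::controller(): a name containing a backslash is used verbatim as a
    fully qualified class, which is the escape hatch the PoC abuses."""
    if hardened and not CONTROLLER_NAME.match(controller):
        return None                                  # 5.0.23 throws HttpException(404) here
    if "\\" in controller:
        return controller.lstrip("\\")
    return APP_MODULE_TPL % (module, controller.capitalize())


def describe_dispatch(url, hardened=False):
    """Return what ThinkPHP would end up invoking for this URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    pathinfo = query.pop(VAR_PATHINFO, [""])[0]
    module, controller, action = parse_pathinfo(pathinfo)
    cls = resolve_controller(module, controller, hardened)
    if cls is None:
        return {"rejected": True, "controller": controller}
    result = {"rejected": False, "class": cls, "action": action}
    # PHP method names are case-insensitive, so 'invokefunction' reaches App::invokeFunction,
    # which calls the attacker-named function with the attacker-supplied argument list.
    if cls.lower() == "think\\app" and action.lower() == "invokefunction":
        result["effective_call"] = (query["function"][0], php_indexed_array(query, "vars"))
    return result


if __name__ == "__main__":
    for url in (POC_URL, BENIGN_URL):
        print(describe_dispatch(url))
        print(describe_dispatch(url, hardened=True))
```

Run stand-alone, the PoC resolves to class think\app, action invokefunction and the effective call call_user_func_array('phpinfo', ['1']) in the unpatched model, while the hardened path rejects it because the controller segment starts with a backslash; the ordinary request resolves to app\index\controller\Index under both.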

Impact

Successful exploitation yields remote code execution with the privileges of the web server process. The attacker can call arbitrary PHP functions: phpinfo() for information disclosure, or system() or exec() to run operating-system commands (unless the deployment disables them via disable_functions). This leads to full compromise of the application and the host it runs on [2][3].

Mitigation

As of the available references, no official Twothink patch has been released, and the project appears to be unmaintained (last commit in 2017). The flaw is inherited from ThinkPHP 5.0.x route handling, which the ThinkPHP project fixed in 5.0.23 by rejecting controller names that do not match a safe pattern. Users should migrate to a supported CMS or, failing that, replace the bundled framework with a fixed ThinkPHP release where feasible or apply equivalent validation to the controller segment of the s parameter (reject anything containing a namespace separator). Blocking such requests at a web application firewall is a stop-gap, not a fix. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
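Detection for the pattern above, as an added example that is not from the advisory, Twothink or ThinkPHP: logic run over constructed access-log lines in the common log format (the lines and IP addresses are made up, not real traffic). It goes beyond the single PoC form by flagging any request whose controller segment in s contains a backslash, the namespace escape the exploit relies on, and by percent-decoding first so %5Cthink%5Capp is not missed; the indicator names and function list are this example's assumptions.

```python
"""Added example (not from the advisory, Twothink or ThinkPHP): detection of
`s` parameter abuse over constructed access-log lines. Flags any controller
segment containing a backslash (namespace escape), the invokefunction action,
and dangerous values of the `function` parameter. Log lines are made up."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in the common log format (not real traffic).
SAMPLE_LOG = r"""
10.0.0.5 - - [26/Jul/2021:10:01:02 +0000] "GET /twothink-master/public/?s=index/index/index HTTP/1.1" 200 5120
10.0.0.9 - - [26/Jul/2021:10:01:07 +0000] "GET /twothink-master/public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 88230
10.0.0.9 - - [26/Jul/2021:10:01:09 +0000] "GET /twothink-master/public/?s=index/%5Cthink%5CApp/invokeFunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 130
10.0.0.7 - - [26/Jul/2021:10:02:11 +0000] "GET /twothink-master/public/?s=index/article/view&id=12 HTTP/1.1" 200 4410
10.0.0.9 - - [26/Jul/2021:10:02:15 +0000] "POST /twothink-master/public/?s=index/%5Cthink%5Capp/invokefunction HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

VAR_PATHINFO = "s"                              # ThinkPHP default route parameter
SUSPICIOUS_ACTIONS = {"invokefunction"}         # compared case-insensitively
DANGEROUS_FUNCTIONS = {"call_user_func_array", "call_user_func",
                       "system", "exec", "passthru", "shell_exec"}   # assumed watch-list


def analyse_target(target):
    """Return indicator strings for one request target; empty list means it looks clean."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # parse_qs already decoded once (as PHP does); the second unquote catches
    # double-encoded probes such as %255C that a WAF-evasion attempt might use.
    pathinfo = unquote(query.get(VAR_PATHINFO, [""])[0])
    segments = [s for s in pathinfo.strip("/").split("/") if s]
    indicators = []
    if len(segments) >= 2 and "\\" in segments[1]:
        indicators.append("namespace-escape controller: " + segments[1])
    if len(segments) >= 3 and segments[2].lower() in SUSPICIOUS_ACTIONS:
        indicators.append("action: " + segments[2])
    fn = unquote(query.get("function", [""])[0]).lower()
    if fn in DANGEROUS_FUNCTIONS:
        indicators.append("function=" + fn)
    return indicators


def scan_log(text):
    """Parse common-log-format lines and return the requests that carry indicators."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                            # unparseable line: skip, do not crash
        indicators = analyse_target(m["target"])
        if indicators:
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "status": m["status"], "target": m["target"],
                         "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], "|", "; ".join(hit["indicators"]))
```

Three of the five sample lines are flagged, all from the same source address, including the percent-encoded and mixed-case variant and the POST that carries only the route without a function parameter; the two ordinary requests produce no indicators. A 200 response on a flagged line is worth treating as a probable compromise rather than a blocked attempt.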

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory. Note that this range is recorded against the topthink/think framework package, whereas the Twothink build described above bundles ThinkPHP 5.0.2.

Package                     Affected versions   Patched versions
topthink/think (Packagist)  <= 6.0.9            none listed
