VYPR
Critical severity · NVD Advisory · Published Dec 6, 2021 · Updated Aug 4, 2024

CVE-2021-36564

Description

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkPHP v6.0.8 contains a deserialization vulnerability in flysystem-cached-adapter's Adapter.php that allows arbitrary file write via PHP object injection.

Vulnerability

ThinkPHP v6.0.8 suffers from a deserialization vulnerability in the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php. The vulnerability is triggered when user-supplied data is passed to unserialize() without proper sanitization. Specifically, if an attacker can control the input to unserialize() (e.g., via a $_POST['data'] parameter), they can inject a crafted PHP object. The affected version is ThinkPHP 6.0.8 [1][2].

Exploitation

An attacker needs network access to the application and must be able to send a POST request containing a serialized payload. No authentication is required if the vulnerable entry point is publicly exposed. The exploit leverages the __destruct magic method in the League\Flysystem\Cached\Storage\Adapter class, which calls save(), eventually reaching file_put_contents() in vendor\league\flysystem\src\Adapter\Local.php. The attacker controls the file name and content via the $file and $complete properties respectively, allowing arbitrary file write [2].

Impact

Successful exploitation enables an attacker to write arbitrary files to the server's filesystem. This can lead to remote code execution if a PHP file is written (e.g., a web shell), resulting in full compromise of the application and underlying server. The impact includes information disclosure, data tampering, and potential lateral movement within the network [1][2].

Mitigation

As of the publication date (2021-12-06), no official patch had been released by ThinkPHP. The vendor was informed via the GitHub issue [2]. Mitigation involves avoiding the use of unserialize() on untrusted input, implementing input validation, and considering alternative caching libraries. Upgrading to a later version of ThinkPHP (if available) is recommended [1].
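The weak pattern described above beside a hardened replacement, as an added example that is not ThinkPHP or league/flysystem code; it assumes PHP 8.0+ and the function names are hypothetical.

```php
<?php
// Added example, not code from ThinkPHP or league/flysystem: the unsafe
// pattern the advisory describes next to a hardened replacement.
// Assumes PHP 8.0+ (mixed return type); function names are hypothetical.
declare(strict_types=1);

// Weak pattern: attacker-controlled bytes reach unserialize() unrestricted,
// so any class with a __destruct (such as the cached-adapter Storage class
// named in the advisory) is instantiated and its destructor runs at request end.
function loadStateUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: forbid every class. A serialized object then comes back as
// __PHP_Incomplete_Class, which has no methods and no destructor, so the
// chain __destruct -> save() -> file_put_contents() never starts. The regex
// pre-check rejects object tokens outright instead of silently degrading them
// (it may also reject strings that merely contain such a token; failing closed
// is the intended direction).
function loadStateSafe(string $raw): mixed
{
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw) === 1) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $value;
}

// Preferred for anything crossing a trust boundary: a data-only format that
// cannot name classes at all.
function loadStateJson(string $raw): mixed
{
    return json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
}

// Constructed inputs: a harmless stdClass stands in for a gadget object.
$objectPayload = 'O:8:"stdClass":1:{s:4:"name";s:5:"hello";}';
$arrayPayload  = 'a:1:{s:4:"name";s:5:"hello";}';

var_dump(loadStateUnsafe($objectPayload) instanceof stdClass); // the object is built
try {
    loadStateSafe($objectPayload);                             // rejected before unserialize()
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(loadStateSafe($arrayPayload));                        // plain array passes through
```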

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
topthink/framework (Packagist) | < 6.0.9 | 6.0.9

Patches

No patches discovered yet.
