VYPR
High severity · NVD Advisory · Published Feb 10, 2022 · Updated Aug 4, 2024

CVE-2021-44892

Description

A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkPHP 3.x.x allows unauthenticated remote code execution via the value[_filename] parameter in index.php.

Vulnerability

A Remote Code Execution (RCE) vulnerability exists in ThinkPHP versions 3.x.x. The flaw is located in index.php and is triggered through the value[_filename] parameter. No specific configuration is required for the vulnerable code path to be reachable, as the parameter is processed in a default installation [1].

Exploitation

An attacker can exploit this vulnerability remotely without prior authentication. By crafting a malicious HTTP request that includes the value[_filename] parameter with arbitrary file content or a payload, the attacker can execute arbitrary commands on the server. The attack requires no user interaction or special network position beyond network access to the target [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the server with full privileges, potentially gaining complete control over the affected system. This is a Critical severity vulnerability with a CVSS v3.1 score of 9.8, reflecting a full compromise of confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2022-02-10), no patch or fixed version has been released by the vendor for the affected ThinkPHP 3.x.x branch. The project has since moved to ThinkPHP 8.x, and version 3.x.x is considered end-of-life (EOL) [2]. Users are strongly advised to upgrade to a supported version of ThinkPHP (e.g., 6.x, 8.x) as no workaround is available [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         | Affected versions | Patched versions
topthink/framework (Packagist)  | <= 3.2.3          | (none listed)

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.