VYPR
Critical severity · NVD Advisory · Published Sep 15, 2022 · Updated Aug 3, 2024

CVE-2022-38352

Description

ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkPHP v6.0.13 contains a deserialization vulnerability in Psr6Cache allowing arbitrary code execution via crafted payload.

Vulnerability

Description

ThinkPHP v6.0.13 is vulnerable to insecure deserialization in the component League\Flysystem\Cached\Storage\Psr6Cache. The flaw arises when user-controlled serialized data is unserialized, allowing an attacker to control object properties and trigger a gadget chain [1][2].

Exploitation

An attacker can exploit this by crafting a serialized payload that performs PHP object injection. The gadget chain runs through the classes think\log\driver\Socket, think\log\Channel, and think\App and eventually calls the Php::display method, which can execute arbitrary PHP code [2]. No authentication is required if the application deserializes untrusted input.

Impact

Successful exploitation allows remote code execution in the context of the web server, potentially leading to complete compromise of the application and server. Attackers can execute system commands, read/write files, and perform other malicious actions [1][2].

Mitigation

Users should upgrade to a patched version of ThinkPHP. The vulnerability was reported publicly, and the vendor has likely addressed it in subsequent releases; refer to the official GitHub repository for updates [3]. As of publication, no official patch version is specified in the references.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
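A triage check for the deserialization path described above, as an added example that is not part of the advisory or of ThinkPHP: it scans request or log values for serialized PHP object headers naming the classes this page mentions, including URL-encoded and base64-encoded forms. The function names are hypothetical, the sample input is constructed, and a match is a lead for review rather than proof of exploitation.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Class names from the advisory text, lowercased: PHP class names are case-insensitive.
WATCHED = {
    r"league\flysystem\cached\storage\psr6cache",
    r"think\log\driver\socket",
    r"think\log\channel",
    r"think\app",
}
# Header of a serialized PHP object: O:<name byte length>:"<class>":<property count>:{
OBJ_HEADER = re.compile(r'O:(\d+):"([A-Za-z0-9_\\]+)":\d+:\{')


def candidate_views(value):
    """Yield the value, its URL-decoded form, and base64 decodings of both."""
    seen = set()
    for view in (value, unquote_plus(value)):
        views = [view]
        try:
            views.append(base64.b64decode(view, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass
        for v in views:
            if v not in seen:
                seen.add(v)
                yield v


def find_watched_objects(value):
    """Return the sorted watched class names serialized as objects in value."""
    hits = set()
    for view in candidate_views(value):
        for length, name in OBJ_HEADER.findall(view):
            # serialize() always writes the exact byte length of the name, so a
            # mismatch means the text only looks like an object header.
            if int(length) == len(name.encode()) and name.lower() in WATCHED:
                hits.add(name.lower())
    return sorted(hits)


def php_object_header(name):
    """Constructed sample input: an empty serialized object, not a payload."""
    return 'O:%d:"%s":0:{}' % (len(name), name)
```

Nested objects are reported as well, because every object header in the value is checked, not only the outermost one.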

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/framework (Packagist) | <= 6.0.13 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
