CVE-2022-44289
Description
ThinkPHP 5.1.41 and 5.0.24 have a code logic error that causes file upload getshell.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A code logic error in ThinkPHP 5.1.41 and 5.0.24 allows file upload with arbitrary extensions, leading to remote code execution.
A code logic error in the checkImg() method of ThinkPHP's File.php causes improper validation of uploaded files. In versions 5.1.41 and 5.0.24, the method is intended to restrict uploads to image file extensions but contains a flawed conditional that inadvertently permits files with extensions such as .php to pass validation [2]. The bug arises from reversed boolean logic in the image type check, where files that are not valid images are incorrectly accepted.
An attacker can exploit this vulnerability by uploading a malicious PHP file through any controller that uses the file move() method, as demonstrated in the official documentation examples. No authentication is required if the upload endpoint is publicly accessible. The validation bypass occurs because the checkImg() function returns true for non-image files when it should return false, allowing the upload to proceed [2].
Successful exploitation grants the attacker the ability to execute arbitrary PHP code on the server by accessing the uploaded file directly. This can lead to full system compromise, including data theft, privilege escalation, and lateral movement within the network.
ThinkPHP has addressed this issue in subsequent releases. Users are strongly advised to upgrade to a patched version or implement a custom file validation filter as a workaround. The vulnerability is publicly documented and proof-of-concept code is available [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
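As an added illustration of the custom validation filter the narrative above recommends as a workaround, the following is not ThinkPHP's own code and not taken from the cited references: a strict image-upload check that fails closed, so a non-image file yields false rather than the true the flawed checkImg() returned. The function names, allowlists and sample files are constructed for this example.

```php
<?php
// Added illustration (not ThinkPHP's code): every check must pass, and any
// failure returns false. This is the opposite of the reversed condition the
// advisory describes, which let non-image files through.
function validateImageUpload(string $tmpPath, string $originalName): bool
{
    // 1. Extension allowlist, case-insensitive, so "shell.PHP" is rejected
    //    just like "shell.php".
    $allowedExt = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }
    // 2. Content sniffing: libmagic must also classify the bytes as an image,
    //    so a PHP script renamed to .gif does not pass on its name alone.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    $allowedMime = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
    if (!in_array($mime, $allowedMime, true)) {
        return false;
    }
    // 3. getimagesize() returns false for anything that is not a decodable
    //    image; only a real image reaches this point and yields true.
    return getimagesize($tmpPath) !== false;
}

// Store under a server-generated name so the stored extension is never chosen
// by the client, even if one of the checks above were to regress later.
function storeImage(string $tmpPath, string $originalName, string $destDir): ?string
{
    if (!validateImageUpload($tmpPath, $originalName)) {
        return null;
    }
    $ext  = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}

// Constructed smoke test: plain text under an image name must be rejected on
// content, under a script name on extension; a real 1x1 GIF must be accepted.
$bad = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($bad, 'plain text, not an image');
var_dump(validateImageUpload($bad, 'avatar.php'));
var_dump(validateImageUpload($bad, 'avatar.gif'));
$good = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($good, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
var_dump(validateImageUpload($good, 'avatar.gif'));
unlink($bad);
unlink($good);
```

The smoke test exercises only validateImageUpload(); storeImage() needs a genuine HTTP upload because move_uploaded_file() refuses files that did not arrive through the request.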
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/framework (Packagist) | <= 5.0.24 | — |
| topthink/framework (Packagist) | >= 5.1, <= 5.1.41 | — |
Affected products
- Thinkphp/Thinkphp (from the CVE description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-59fh-rjq3-xq7j (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-44289 (GHSA, advisory)
- github.com/top-think/framework/issues/2772 (GHSA, web)
News mentions
No linked articles in our index yet.