CVE-2024-34467

CVE-2024-34467 describes a reflected Cross-Site Scripting (XSS) vulnerability in ThinkPHP 8.0.3. The issue originates in the think_exception.tpl template file, where function argument values are not properly filtered before being included in the error page output [1]. This allows an attacker to inject arbitrary JavaScript code via crafted input parameters.

Exploitation does not require authentication, as the vulnerable endpoint is accessible to any remote user. The attacker can craft a URL containing a malicious payload in the query string, which gets reflected in the debug error page when the application encounters an exception [1]. The provided PoC demonstrates a request like /?=1 which triggers the XSS. The vulnerability specifically affects the debug mode error handling; if debug mode is enabled, an attacker can execute scripts in the context of the victim's browser.

Successful exploitation can lead to theft of session cookies, even if the HttpOnly flag is set, as the debug page exposes cookie values in the error message [1]. An attacker could potentially perform actions on behalf of the victim, such as session hijacking or data theft. The impact is heightened when the application is in debug mode, which is common during development but may be inadvertently left enabled in production.

A fix has been implemented in commit 403358cd3e510e2fdab63f951930bdd093314eee, which addresses the encoding of the $key variable to prevent XSS [2]. Users are advised to update to a patched version or disable debug mode in production environments. The vulnerability is actively discussed and details are available in the GitHub issue [1]. It is important to note that the vulnerability affects the latest version (8.0.3) and potentially earlier versions as well [1].