Intrusion PreventionThinkPHP.Controller.Parameter.Remote.Code.Execution
Description
This indicates an attack attempt to exploit a Remote Code Execution Vulnerability in ThinkPHP.
The vulnerability is a result of the application's failure to properly sanitize user request. As a result, a remote attacker can send a crafted HTTP request to execute arbitrary code on a vulnerable server.
Outbreak Alert
A remote code execution vulnerability exists within multiple subsystems of ThinkPHP 5.0.x and 5.1.x. The FortiGuard Labs continue seeing high exploitation attempts of these old vulnerabilities of more than 50,000 IPS device detections per day. There are multiple actors abusing this flaw to install malware such as Mirai like botnet, Lucifer, Cryptocurrency miners.
Affected Products
v5.x below v5.0.23,v5.1.31
Impact
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor:
https://blog.thinkphp.cn/869075
Telemetry
Coverage
| IPS (Regular DB) | |
| IPS (Extended DB) |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2021-08-17 | 18.141 | Sig Added |
| 2020-08-12 | 15.904 | Sig Added |
| 2020-08-04 | 15.899 | Sig Added |
| 2019-03-29 | 14.583 | Sig Added |
| 2019-02-28 | 14.562 | Sig Added |
| 2019-01-29 | 14.536 | Severity:medium:critical |
| 2019-01-11 | 14.522 | Default_action:pass:drop |
| 2018-12-28 | 13.515 |
References
https://www.exploit-db.com/exploits/45978| ID | 47291 |
| Created | Dec 28, 2018 |
| Updated | Aug 16, 2021 |
| Outbreak Alert | ThinkPHP RCE |
| Threat Signal | View Report |
| Risk |
|
| CVE ID | CVE-2019-9082 CVE-2018-20062 |
| Known Exploited | Yes |
| Exploit Prediction Score | 97.47% |
| Default Action | drop |
| Active | |
| Affected OS | All |
| Affected App | PHP_app |