Yesterday (2012.04.09) an arbitrary PHP code execution vulnerability in the ThinkPHP framework was disclosed: an attacker only needs to submit a specially crafted URL to execute malicious code on the site.
ThinkPHP is an old and widely used domestic PHP MVC framework, and many start-ups and projects are built on it. However, most developers and users have not yet noticed this vulnerability. Warning: this is a very serious problem. Any site running the ThinkPHP framework allows arbitrary PHP code to be executed directly, so webmasters using ThinkPHP should check their own sites immediately and apply the fix.
Repair method:
1, download the official patch release:
http://code.google.com/p/thinkphp/source/detail?spec=svn2904&r=2838
2, or modify the source code directly. In
/trunk/thinkphp/lib/core/dispatcher.class.php
the vulnerable line is:
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr, $paths));
Change it to:
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']=\'\\2\';', implode($depr, $paths));
That is, change the double quotation marks around \2 in the second preg_replace argument to single quotation marks. Because the /e modifier evaluates the replacement string as PHP code, a double-quoted value lets PHP variable syntax inside the matched value be parsed; single quotes keep it as a literal string.
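The following is an added example, not ThinkPHP's own code, showing the same key/value path parsing done without the /e modifier at all. The /e modifier is deprecated since PHP 5.5 and was removed in PHP 7.0, so the single-quote fix above only helps on PHP 5.x; with preg_replace_callback the matched value is stored as data and is never placed inside PHP source. The function name parsePathParams, the use of preg_quote on the separator, and the sample $paths value are constructed for this example; $var, $depr and $paths mirror the names in the ThinkPHP snippet.

```php
<?php
// Added example (not ThinkPHP's code): parse "key/value/key/value" path
// segments like Dispatcher.class.php does, but with preg_replace_callback
// instead of preg_replace's /e modifier. No replacement string is ever
// evaluated as PHP, so the matched value cannot be interpolated or executed.

function parsePathParams(array $paths, string $depr = '/'): array
{
    $var = [];
    // Same shape as the original pattern: a word-character key, the
    // separator, then a value containing neither the separator nor a slash.
    // preg_quote is an addition here so a separator such as "-" is literal.
    $q = preg_quote($depr, '@');
    $pattern = '@(\w+)' . $q . '([^' . $q . '/]+)@';

    preg_replace_callback(
        $pattern,
        function (array $m) use (&$var): void {
            // $m[1] is the key, $m[2] the value; both stay plain strings.
            $var[$m[1]] = $m[2];
        },
        implode($depr, $paths)
    );

    return $var;
}

// Constructed sample: a value written in PHP's "${...}" variable syntax.
// Under the vulnerable /e + double-quote form this text would be parsed as
// PHP; here it is kept verbatim as the parameter's value.
$paths = ['id', '42', 'name', '${untrusted}'];
var_dump(parsePathParams($paths, '/'));
```

Running this prints an array with "id" => "42" and "name" => the literal text "${untrusted}"; the value is never interpolated because it is only ever assigned, not compiled.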
[2012-4-10] ThinkPHP framework arbitrary code execution vulnerability disclosed