CVE-2022-47945 Overview
CVE-2022-47945 is a Local File Inclusion (LFI) vulnerability in ThinkPHP Framework versions before 6.0.14 that allows unauthenticated remote attackers to execute arbitrary operating system commands. The vulnerability exists in the language pack feature and can be exploited through the lang parameter when the language switching functionality is enabled (lang_switch_on=true). Attackers can leverage this flaw to include arbitrary local files, such as pearcmd.php, leading to full remote code execution on the target server.
Critical Impact
Unauthenticated remote attackers can achieve complete system compromise through arbitrary file inclusion and subsequent command execution, potentially leading to data theft, malware deployment, and lateral movement within the network.
Affected Products
- ThinkPHP Framework versions before 6.0.14
- ThinkPHP applications with language pack feature enabled (lang_switch_on=true)
- Web applications built on vulnerable ThinkPHP versions
Discovery Timeline
- 2022-12-23 - CVE-2022-47945 published to NVD
- 2025-04-15 - Last updated in NVD database
Technical Details for CVE-2022-47945
Vulnerability Analysis
This Local File Inclusion vulnerability stems from insufficient input validation in ThinkPHP's multi-language detection middleware. When the language pack feature is enabled, the framework accepts user-controlled input through the lang parameter without proper sanitization, allowing path traversal sequences to include arbitrary files from the local filesystem.
The vulnerability is particularly severe because it can be chained with the inclusion of PHP scripts already present on the server, such as pearcmd.php (a component of the PEAR package manager commonly installed on PHP systems). By including this file with specially crafted parameters, attackers can write arbitrary PHP code to the webroot and subsequently execute operating system commands.
Root Cause
The root cause lies in the LoadLangPack middleware's handling of the language detection variable. The original implementation accepted user input from multiple sources (URL parameters, HTTP headers, cookies) and used it directly to construct file paths for language pack inclusion. The lack of proper validation allowed attackers to inject directory traversal sequences (e.g., ../) to escape the intended language directory and include arbitrary PHP files.
The security patch addressed this by validating the language parameter against the regular expression /^([a-z\d\-]+)/i before it is used: only the leading run of letters, digits and hyphens is kept as the language name, anything after that run (including traversal sequences) is discarded, and a value that does not begin with such a run is not accepted.
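A constructed Python model of this change, added here and not ThinkPHP's own code, that puts the pre-6.0.14 path construction beside 6.0.14-style validation so the effect of the regex can be checked on concrete inputs. The language directory, the accept_language/allow_lang_list values and the fallback to a default locale when nothing matches are assumptions.

```python
import posixpath
import re

# Constructed model of the LoadLangPack change; not ThinkPHP's own code.
LANG_DIR = "/var/www/app/vendor/topthink/framework/src/lang"   # assumed install path
ACCEPT_LANGUAGE = {"zh-hans-cn": "zh-cn"}                        # sample accept_language map
ALLOW_LANG_LIST = {"zh-cn", "en-us"}                             # sample allow_lang_list
DEFAULT_LANG = "zh-cn"                                           # assumed fallback locale
LANG_RE = re.compile(r"^([a-z\d\-]+)", re.IGNORECASE)           # pattern from the patch


def lang_file_vulnerable(lang_param: str) -> str:
    """Pre-6.0.14 behaviour: the raw lang value is lowercased and placed in the path."""
    return posixpath.join(LANG_DIR, lang_param.lower() + ".php")


def resolve_lang_patched(lang_param: str) -> str:
    """6.0.14-style detection: keep the leading [a-z0-9-] run, map aliases, whitelist."""
    m = LANG_RE.match(lang_param)
    if not m:
        return DEFAULT_LANG               # no leading safe run: fall back (assumption)
    lang = m.group(1).lower()             # everything after the run is discarded
    lang = ACCEPT_LANGUAGE.get(lang, lang)
    if ALLOW_LANG_LIST and lang not in ALLOW_LANG_LIST:
        return DEFAULT_LANG
    return lang


def lang_file_patched(lang_param: str) -> str:
    return posixpath.join(LANG_DIR, resolve_lang_patched(lang_param) + ".php")


def escapes_lang_dir(path: str) -> bool:
    """True when the normalised path no longer lies inside LANG_DIR."""
    return not posixpath.normpath(path).startswith(LANG_DIR + "/")


if __name__ == "__main__":
    for value in ("en-US", "zh-CN/../../escape", "../../escape"):
        print(f"{value!r}: vulnerable -> {lang_file_vulnerable(value)} "
              f"(escapes={escapes_lang_dir(lang_file_vulnerable(value))}), "
              f"patched -> {lang_file_patched(value)}")
```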
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a crafted HTTP request with a malicious lang parameter containing path traversal sequences. The attack flow typically involves:
- Identifying a ThinkPHP application with language switching enabled
- Crafting a request with a manipulated lang parameter pointing to an exploitable PHP file
- Leveraging included files like pearcmd.php to write malicious PHP code
- Executing arbitrary commands through the newly created backdoor
// Security patch in src/think/middleware/LoadLangPack.php
// Before (vulnerable): User input used directly
- $langSet = strtolower($request->get($this->config['detect_var']));
+ $langSet = $request->get($this->config['detect_var']);
// After (patched): Input sanitized with regex validation
+ if (preg_match('/^([a-z\d\-]+)/i', $langSet, $matches)) {
+ $langSet = strtolower($matches[1]);
+ if (isset($this->config['accept_language'][$langSet])) {
+ $langSet = $this->config['accept_language'][$langSet];
+ }
+ }
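Review bot: in the `+` block following `preg_match`, `$langSet` is only rewritten inside the matching branch; when the pattern does not match (the value starts with a character outside `[a-z\d\-]`, such as `.` or `/`), `$langSet` keeps the raw value fetched on the `+ $langSet = $request->get($this->config['detect_var']);` line, which after the removal of the `strtolower()` call on the `-` line is no longer normalised either. Add an `else` branch that resets `$langSet` to an empty string or the configured default so an unmatched value cannot reach the language-file path, and document in a comment that the pattern is start-anchored only, so `$matches[1]` deliberately keeps just the leading `[a-z0-9-]` run and drops whatever follows (for example `zh-cn/../x` becomes `zh-cn`).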
Source: GitHub Commit Details
Detection Methods for CVE-2022-47945
Indicators of Compromise
- HTTP requests containing path traversal sequences (../) in the lang parameter
- Requests attempting to access /pearcmd.php, /pear.php, or similar PEAR-related files
- Unusual file creation in web-accessible directories with PHP extensions
- Web server logs showing requests with encoded traversal patterns (%2e%2e%2f)
- Unexpected outbound connections from web server processes
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in the lang parameter
- Implement signature-based detection for requests containing pearcmd.php combined with traversal sequences
- Monitor for anomalous file system activity, particularly PHP file creation in webroot directories
- Configure intrusion detection systems (IDS) to alert on LFI attack patterns targeting ThinkPHP endpoints
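Added example, not part of the original advisory: a small Python scanner that applies the indicators above to constructed access-log lines, undoing single and double percent-encoding before looking for traversal sequences or pearcmd in the lang parameter. The log lines, the parameter name lang (ThinkPHP's default detect_var) and the indicator names are assumptions.

```python
import re
from urllib.parse import unquote
# Constructed access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /index.php?lang=zh-cn HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2023:10:00:02 +0000] "GET /index.php?lang=../../../../escape HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2023:10:00:03 +0000] "GET /index.php?lang=%2e%2e%2f%2e%2e%2fescape HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2023:10:00:04 +0000] "GET /index.php?lang=%252e%252e%252fpearcmd HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2023:10:00:05 +0000] "GET /index.php?page=../../x HTTP/1.1" 404 0
"""
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')   # request line inside the log entry
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                     # ../ or ..\ after decoding

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) up to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lang_indicators(target: str) -> set:
    """Indicator names found in every lang= value of one request target."""
    hits = set()
    for pair in target.partition("?")[2].split("&"):
        name, _, raw = pair.partition("=")
        if name != "lang":            # detect_var defaults to lang; adjust if renamed
            continue
        decoded = fully_decode(raw)
        if TRAVERSAL_RE.search(decoded):
            hits.add("lang_traversal")
            if "%" in raw:            # traversal hidden behind (double) URL-encoding
                hits.add("lang_encoded_traversal")
        if "pearcmd" in decoded.lower():
            hits.add("lang_pearcmd")
    return hits

def scan_access_log(text: str) -> list:
    """Return (client_ip, target, indicators) for each suspicious request line."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (hits := lang_indicators(m.group("target"))):
            alerts.append((line.split(" ", 1)[0], m.group("target"), sorted(hits)))
    return alerts

if __name__ == "__main__":
    for ip, target, hits in scan_access_log(SAMPLE_LOG):
        print(ip, target, ",".join(hits))
```

Cookie and Accept-Language sources of the language variable do not appear in a standard access log, so pair this with the full-request logging recommended in the monitoring section.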
Monitoring Recommendations
- Enable verbose logging for web applications to capture full request parameters
- Implement file integrity monitoring (FIM) on web server directories to detect unauthorized file modifications
- Set up alerts for PHP process spawning shell commands or making network connections
- Monitor for authentication failures or privilege escalation attempts following web requests
How to Mitigate CVE-2022-47945
Immediate Actions Required
- Upgrade ThinkPHP Framework to version 6.0.14 or later immediately
- If immediate upgrade is not possible, disable the language pack feature by setting lang_switch_on=false
- Review web server logs for evidence of exploitation attempts
- Audit systems for any indicators of compromise, including unauthorized files or processes
- Implement network segmentation to limit lateral movement if compromise is suspected
Patch Information
ThinkPHP has released version 6.0.14 which addresses this vulnerability by implementing proper input validation for the language detection parameter. The fix introduces regex-based sanitization that restricts the lang parameter to alphanumeric characters and hyphens only, preventing path traversal attacks.
For detailed patch information, see the GitHub Version Comparison and the GitHub Commit Details.
Workarounds
- Disable the language switching feature in ThinkPHP configuration (lang_switch_on=false) until patching is complete
- Implement WAF rules to block requests containing path traversal sequences in the lang parameter
- Remove or restrict access to pearcmd.php and other PEAR-related files if not required
- Apply web server configuration to deny direct HTTP access to sensitive PHP files outside the application scope (this blocks direct requests for pearcmd.php but not inclusion of the file from disk by the framework, so it complements rather than replaces removal of the file or upgrading)
# Apache configuration to block pearcmd.php access
<FilesMatch "pearcmd\.php$">
    Require all denied
</FilesMatch>
# Nginx configuration to block pearcmd.php access
location ~ /pearcmd\.php$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.