Remote code execution vulnerability

[deenrookie]

Hi, this is Tencent Xcheck team. Our code safety check tool Xcheck has found several unserialize vulnerabilities in this project（v4, v5, v6）. It leads to remote code execution. Here are the details.

v6

1. app/admin/controller/api/Update.php line: 46 $this->rules = unserialize($this->request->post('rules', 'a:0:{}', '')); line: 47 $this->ignore = unserialize($this->request->post('ignore', 'a:0:{}', ''));

v6 v5 v4

2. app/wechat/controller/api/Push.php line: 102 $this->receive = $this->toLower(unserialize($this->request->post('receive', '', null)));

Prevent from abusing of this vulnerability, we don't provide proof of concept. We hope to repair it as soon as possible.

From Xcheck Team

[zoujingli]

ThinkAdmin V6 接口的序列化数据全部改成了 JSON 更新方式： composer update 更新 vendor 中的 think-library php think xadmin:install admin 更新 admin 模块 php think xadmin:install wechat 更新 wechat 模块