CVE-2022-27442
📋 TL;DR
CVE-2022-27442 allows attackers to access ThinkPHP log directories in TPCMS v3.2, potentially exposing administrator credentials and other sensitive information. This affects all TPCMS v3.2 installations with default configurations.
💻 Affected Systems
- TPCMS
📦 What is this software?
Tpcms by Tpcms Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through credential theft leading to administrative access, data exfiltration, and potential ransomware deployment.
Likely Case
Unauthorized access to sensitive logs containing administrator credentials, session tokens, and system information.
If Mitigated
Limited information disclosure with no direct system access if proper authentication and access controls are implemented.
🎯 Exploit Status
Simple directory traversal or direct URL access to log files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://gitee.com/happy_source/tpcms/issues/I3YNWY
Restart Required: No
Instructions:
1. Check vendor advisory for updates.
2. If no patch available, implement workarounds.
3. Consider upgrading to a supported version if available.
🔧 Temporary Workarounds
Restrict log directory access
Configure the web server to deny access to ThinkPHP log directories
# Apache: add to httpd.conf or the virtual host config (a <Directory> block is not valid inside .htaccess)
<Directory "/path/to/tpcms/runtime/logs/">
    # Apache 2.2 syntax (also works on 2.4 with mod_access_compat)
    Order deny,allow
    Deny from all
    # Apache 2.4 native equivalent: Require all denied
</Directory>
# Nginx: add to the server block, before other regex location blocks
location ~ ^/runtime/logs/ {
    deny all;
    return 403;
}
Move logs outside web root
Configure TPCMS to store logs outside the web-accessible directory
# Edit the TPCMS configuration to change the log path
# Locate the log path setting in the config files and point it at a directory outside the document root
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to TPCMS instances
- Enable detailed logging and monitoring for unauthorized access attempts to log directories
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[tpcms-url]/runtime/logs/ or similar log directory paths. If log files are accessible, the system is vulnerable.
Check Version:
Check TPCMS version in admin panel or configuration files. Look for version 3.2 in source code or documentation.
Verify Fix Applied:
After implementing workarounds, verify that accessing log directories returns 403 Forbidden or similar access denied error.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200/304 responses to log directory paths
- Unusual access patterns to /runtime/logs/ directories
- Failed authentication attempts followed by log directory access
Network Indicators:
- HTTP GET requests to paths containing 'runtime/logs'
- Unusual traffic patterns to TPCMS log directories
SIEM Query:
source="web_access_logs" AND (uri_path="/runtime/logs/" OR uri_path LIKE "%/runtime/logs/%") AND status_code=200
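As an added example that is not part of this advisory, the following Python script applies the log indicators above to web-server access-log lines in combined log format: it flags every request to a runtime/logs path that the server actually served (2xx or 304, as opposed to a 403 after the workaround) and counts hits per source IP. The sample log lines and the parsing regex are constructed for this example.

```python
import re
from collections import Counter

# Combined Log Format (Apache/Nginx default); the regex is constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Matches the ThinkPHP runtime log directory with or without a leading prefix
# (e.g. /tpcms/runtime/logs/), but not unrelated names such as runtime/logs.txt.
LOG_DIR_RE = re.compile(r'(^|/)runtime/logs(/|$)', re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status/size, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_log_dir_request(path):
    # Drop the query string before matching so ?x=1 suffixes cannot hide the path.
    return bool(LOG_DIR_RE.search(path.split("?", 1)[0]))


def find_exposures(lines):
    """Return ([(ip, path, status), ...], Counter of hits per ip) for served log-directory requests.
    A 2xx or 304 means the directory was reachable; a 403 means the workaround is in place."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_log_dir_request(rec["path"]):
            continue
        if 200 <= rec["status"] < 300 or rec["status"] == 304:
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits, Counter(ip for ip, _, _ in hits)


# Constructed sample access log: two clients probe the log directory, one is refused.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:13:55:36 +0000] "GET /index.php/admin/login HTTP/1.1" 200 2341
203.0.113.5 - - [10/Mar/2022:13:55:40 +0000] "GET /runtime/logs/ HTTP/1.1" 200 913
203.0.113.5 - - [10/Mar/2022:13:55:41 +0000] "GET /runtime/logs/202203/10.log HTTP/1.1" 200 48213
198.51.100.7 - - [10/Mar/2022:14:02:11 +0000] "GET /tpcms/runtime/logs/202203/10.log?x=1 HTTP/1.1" 304 0
198.51.100.7 - - [10/Mar/2022:14:02:15 +0000] "GET /runtime/logs/ HTTP/1.1" 403 199
192.0.2.9 - - [10/Mar/2022:14:10:00 +0000] "GET /static/css/style.css HTTP/1.1" 200 1200
""".splitlines()

if __name__ == "__main__":
    hits, per_ip = find_exposures(SAMPLE_LOG)
    for ip, path, status in hits:
        print(f"{ip} {status} {path}")
    print(dict(per_ip))
```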