Issue
I Have a spring boot app running on AWS. From time to time I see a log that pops out saying and mentioning ThinkPHP?
java.lang.IllegalArgumentException: Invalid character found in the request target [/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21].
The valid characters are defined in RFC 7230 and RFC 3986.
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:491) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
And below:
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:369) ~[spring-security-web-5.3.3.RELEASE.jar!/:5.3.3.RELEASE]
Is this a reason for concern or what's happening? There's generally no traffic happening at all - no requests incoming to the server, yet this pops out.
Solution
ThinkPHP is a web application development framework which has had various vulnerabilities over the years.
Your application is the target of spray and pray vulnerability scanners. You may find web server or application log entries with requests such as the following:
GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
As to whether you should be worried or not: it's really a question of what you are running and how well you are keeping up to date with your specific security requirements. Automated scanners are unlikely to find vulnerabilities for software you don't run.
Answered By - ShellingWeb
Answer Checked By - Gilberto Lyons (JavaFixing Admin)