laravel-shopify
Possible vulnerability "HelloThinkPHP21"?
This morning I received a notification from our error reporting service, Flare. It appears that someone tried to access our app in a way that triggered an Exception within the AuthShopify middleware. Details below, including a screenshot.
I'm not sure if this is anything, but the fact that it threw the exception seems like a red flag. Any insight you could provide would be greatly appreciated!
ErrorException Array to string conversion
Request [GET] https://myapp.com/index.php/?function=call_user_func_array&s=%2FIndex%2F%5Cthink%5Capp%2Finvokefunction&vars%5B0%5D=md5&vars%5B1%5D%5B0%5D=HelloThinkPHP21
vendor/osiset/laravel-shopify/src/ShopifyApp/Http/Middleware/AuthShopify
[Screenshot: Screen Shot 2021-02-10 at 9 07 30 AM]
Nothing to worry about here, I don't believe. The query data is used to calculate an HMAC; it's not "ran", just checked.
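An added example, not code from the laravel-shopify package or from any participant in this thread: a query-string HMAC check that refuses non-string parameters before they reach string concatenation, which is where an "Array to string conversion" error arises for a request like the one reported. It assumes a Shopify-style scheme (sorted `key=value` pairs, HMAC-SHA256, hex digest); `buildMessage`, `verifyQueryHmac`, the secret and the signed request are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: message to sign = sorted key=value pairs joined by "&",
// with the "hmac" parameter itself excluded (assumed scheme, see lead-in).
function buildMessage(array $params): string
{
    unset($params['hmac']);
    ksort($params);
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs);
}

// Hypothetical verifier: every parameter must be a plain string, so nested
// input such as vars[1][0]=... is refused instead of raising an error.
function verifyQueryHmac(array $params, string $secret): bool
{
    foreach ($params as $value) {
        if (!is_string($value)) {
            return false;
        }
    }
    if (!isset($params['hmac'])) {
        return false;
    }
    $expected = hash_hmac('sha256', buildMessage($params), $secret);
    return hash_equals($expected, $params['hmac']); // constant-time compare
}

$secret = 'example-secret'; // constructed value

// Query string from the report, parsed the way PHP parses request input.
parse_str('function=call_user_func_array&s=%2FIndex%2F%5Cthink%5Capp%2Finvokefunction'
    . '&vars%5B0%5D=md5&vars%5B1%5D%5B0%5D=HelloThinkPHP21', $probe);
echo 'probe vars type: ', gettype($probe['vars']), PHP_EOL;
echo 'probe: ', var_export(verifyQueryHmac($probe, $secret), true), PHP_EOL;

// Constructed request, signed with the same secret.
$signed = ['shop' => 'example.myshopify.com', 'timestamp' => '1612965000'];
$signed['hmac'] = hash_hmac('sha256', buildMessage($signed), $secret);
echo 'signed: ', var_export(verifyQueryHmac($signed, $secret), true), PHP_EOL;

// Same request with one parameter changed after signing.
$signed['shop'] = 'other.myshopify.com';
echo 'tampered: ', var_export(verifyQueryHmac($signed, $secret), true), PHP_EOL;
```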
@osiset Thanks for confirming.
@osiset Thanks again for your previous response. I'd like to resurface this issue. The app in question has had new activity that I believe is related to this exception being logged. However, I would like to avoid posting the details publicly until it's been discussed. Is it possible to connect with you via Slack or another channel? Your help would be greatly appreciated as we attempt to determine the severity of this particular scenario.
Hi @justenh - is this still an issue? Just cleaning up some stale issues.
@Kyon147 The original issue is still occurring. I'm unsure if it was part of a larger security issue that we worked through, but believe it could be. Thanks for updating.
AuthShopify is the older package's authentication, I'd advise upgrading to the latest version.