Exposure of Resource to Wrong Sphere
All versions of ThinkPHP Framework are configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php.
CWE-668 - Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.