Remote Code Execution

[GoogleCodeExporter]

On the Full Disclosure mailing list a remote code execution in TimThumb has 
been reported:
http://seclists.org/fulldisclosure/2014/Jun/117

It affects the latest version 2.8.13. This sounds like a very severe issue.

Original issue reported on code.google.com by [email protected] on 25 Jun 2014 at 9:56

[GoogleCodeExporter]

I can confirm that this issue is present on a number of sites, including those 
using the older WordThumb.php script (before it was merged into TimThumb).
WebShots are disabled by default, but a number of WordPress themes (as 
mentioned in the above FD mailing list link) have enabled the feature.

I strongly advise disabling the WebShot feature until a fix is deployed.

The command line built on lines 967 and 969 is the problem area.
https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#967

A good place to start is with replacing the double quotes around the parameters 
in that string with single quotes, which should prevent the shell doing any 
further expansions.

Original comment by [email protected] on 25 Jun 2014 at 1:47

[GoogleCodeExporter]

Hi - looks like this is only an issue if:

1) webshots is enabled
2) you have CutyCapt and XVFB installed on your server

as such the threat is limited. However it's still best to make sure you disable 
webshots until the flaw is fixed.

To do that make sure the following code is in TimThumb:

define (‘WEBSHOT_ENABLED’, false);

Original comment by BinaryMoon on 26 Jun 2014 at 9:28

• Changed state: Accepted