TimThumb Cache Directory 'src' Parameter Arbitrary PHP File Upload

high Nessus Plugin ID 56735

Synopsis

The remote web server hosts a web application that allows an attacker to upload arbitrary PHP files.

Description

The version of TimThumb hosted on the remote web server allows an unauthenticated, remote attacker to upload arbitrary PHP files to its cache directory: the files are specified by input to the 'src' parameter and retrieved from third-party sites. It's likely that these files can then be executed by requesting them with a specially crafted URL, which would result in arbitrary code execution subject to the privileges of the web server process.

Note that this could be by design or because of a vulnerability in the way TimThumb validates the third-party host. Regardless, it represents a security vulnerability as it could allow for arbitrary PHP code execution.

Solution

Upgrade to TimThumb version 2.0 or higher, or refer to the advisories for software packages using TimThumb for upgrade instructions.
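To find copies that still need this upgrade, the following added example (not part of the Nessus plugin or of TimThumb) walks a web root, flags TimThumb scripts older than 2.0, and lists PHP files sitting in the adjacent cache directory for review. The script names `timthumb.php` and `thumb.php`, the `define('VERSION', ...)` line format, and the `cache` directory name are assumptions about typical installs, not details from this page.

```python
import os
import re
import tempfile

# Assumptions (not from the page): usual script names, the
# define('VERSION', '...') line format, and a sibling "cache" directory.
SCRIPT_NAMES = {"timthumb.php", "thumb.php"}
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"](\d+(?:\.\d+)*)['\"]")
FIXED = (2, 0)  # the Solution above: TimThumb 2.0 or higher


def parse_version(text):
    """Return the VERSION define as an int tuple, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (2 - len(parts)))  # "2" -> (2, 0)


def audit(webroot):
    """Return [(script_path, status, php_files_in_cache), ...]."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() not in SCRIPT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                version = parse_version(fh.read())
            # "unknown" means no VERSION line was found: review by hand.
            status = ("unknown" if version is None
                      else "vulnerable" if version < FIXED else "ok")
            cache = os.path.join(dirpath, "cache")
            php = sorted(f for f in os.listdir(cache)
                         if ".php" in f.lower()) if os.path.isdir(cache) else []
            findings.append((path, status, php))
    return sorted(findings)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        os.makedirs(os.path.join(root, "theme", "cache"))
        with open(os.path.join(root, "theme", "timthumb.php"), "w") as fh:
            fh.write("<?php\ndefine ('VERSION', '1.33');\n")
        open(os.path.join(root, "theme", "cache", "a1b2.php"), "w").close()
        for finding in audit(root):
            print(finding)
```

A PHP file in the cache directory of a copy reported as "ok" still deserves inspection, since it may predate the upgrade.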

See Also

https://www.binarymoon.co.uk/2011/08/timthumb-2/

http://www.nessus.org/u?1c76d435

Plugin Details

Severity: High

ID: 56735

File Name: timthumb_cache_dir_arbitrary_upload.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 11/8/2011

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress, cpe:/a:binarymoon:timthumb, cpe:/a:timthumb:timthumb

Required KB Items: www/PHP, installed_sw/WordPress, installed_sw/TimThumb

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 7/29/2011

Vulnerability Publication Date: 8/2/2011

Exploitable With

Elliot (Wordpress Verve Meta Boxes 1.2.8 File Upload)

Reference Information

CVE: CVE-2011-4106

BID: 48963