The default configuration of phpThumb before 1.7.12 has a false value for the disable_debug option, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks via the src parameter.
https://github.com/JamesHeinrich/phpThumb/blob/master/docs/phpthumb.changelog.txt