khashnan / timthumb

Automatically exported from code.google.com/p/timthumb
0 stars 0 forks source link

Security error out of doc root with local directory #236

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

1.- Our main wordpress site is published from a path which internally is a 
linux symlink... (.../html_svn) which points to a local dir (.../html_321a).

2.- Our WP site is defined to use a special uploads dir:
"wp-content/uploads_myblog"

3.- We have a patched version of WP that shares files with separate confs. Has 
never affected any plugins or libs, including timthumb so far.

This themes and numerous other including themes using older version of timthumb 
work fine.

What is the expected output? What do you see instead?
No image output.

By debugging:
doc root logs ok: (.../html_svn)
Image path logs ok. (.../html_svn/wp-content/uploads_myblog/myimage.jpg)

But we then get a log with a security error stating image is out or root dir.

What version of the product are you using? On what operating system?
2.0 on Debian Linux

After some investigation we traced the error to be at:
   "if(strpos($real, $realDocRoot) === 0)" not being true even if they should

We've done some debugging with this result:

$test1 = $this->docRoot;
$test2 = realpath($this->docRoot);
$test3 = realpath($this->docRoot . '/' . $src);

//returns:
$test1:  //thisDocRoot:       "/home/webs/wordpress/html_svn"
$test2:  //with-realpath:     "/home/webs/wordpress/html_321_a"
$test3:  //with-realpath+src: 
"/home/webs/wordpress/uploads/uploads_myblog/2011/05/image.jpg"

Please note different docroot on 1 and 2
Please note missing "html_XXXX" and uncorrect "/uploads/" dir chained before 
correct "uploads_myblog" on test3.

Hope it helps.

Original issue reported on code.google.com by lui...@gmail.com on 17 Aug 2011 at 9:34

GoogleCodeExporter commented 8 years ago
what is your php version ?

Original comment by neopheus on 18 Aug 2011 at 10:26

GoogleCodeExporter commented 8 years ago
PHP 5.3.3-7+squeeze3

Original comment by lui...@gmail.com on 18 Aug 2011 at 12:19

GoogleCodeExporter commented 8 years ago
Attacked by this plugin in wordpress. 

1.1  El siguiente software ha dado entrada al ataque:

- TimThumb

Really pissed off

Original comment by mjsv...@gmail.com on 29 Nov 2011 at 10:30

GoogleCodeExporter commented 8 years ago

Original comment by BinaryMoon on 4 Dec 2012 at 9:32