Open GoogleCodeExporter opened 8 years ago
I can confirm that this issue is present on a number of sites, including those
using the older WordThumb.php script (before it was merged into TimThumb).
WebShots are disabled by default, but a number of WordPress themes (as
mentioned in the above FD mailing list link) have enabled the feature.
I strongly advise disabling the WebShot feature until a fix is deployed.
The command line built on lines 967 and 969 is the problem area.
https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#967
A good place to start is with replacing the double quotes around the parameters
in that string with single quotes, which should prevent the shell doing any
further expansions.
Original comment by auchwer...@gmail.com
on 25 Jun 2014 at 1:47
Hi - looks like this is only an issue if:
1) webshots is enabled
2) you have CutyCapt and XVFB installed on your server
as such the threat is limited. However it's still best to make sure you disable
webshots until the flaw is fixed.
To do that make sure the following code is in TimThumb:
define (‘WEBSHOT_ENABLED’, false);
Original comment by BinaryMoon
on 26 Jun 2014 at 9:28
Original issue reported on code.google.com by
hanno@hboeck.de
on 25 Jun 2014 at 9:56