CVE-2014-4663
published 2014-07-15


Priority: P275, medium
CVSS 2.0 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 9.75% (94.9th percentile)
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.

Affected (2 ranges)

Vendor        Product      Version range    Fixed in
binarymoon    timthumb
binarymoon    wordthumb

Detection & IOCs (extracted from sources)

url: http://<target>/wp-content/themes/<theme>/path/to/timthumb.php?webshot=1&src=http://<host>/$()<command>
url: http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)
path: /wp-content/themes/parallax/themify/img.php
path: /themify/img.php
filename: timthumb.php
command: $(touch$IFS/tmp/longcat)
path: /usr/local/bin/CutyCapt
path: /usr/bin/xvfb-run
  • Detect HTTP GET requests to timthumb.php or img.php whose query string contains both 'webshot=1' and the shell metacharacters '$(' or ')' in the 'src' parameter; this combination indicates a command injection attempt.
  • Flag use of $IFS in the 'src' parameter of webshot requests: it is a space-bypass technique, since the literal space character is among the characters the script filters out.
  • Monitor the web server account (www-data) for unexpected child processes such as CutyCapt or xvfb-run; the WebShot feature needs both to run, so the injected command executes through them.
  • Alert on HTTP requests to paths matching /themify/img.php or any timthumb.php where the query string combines 'webshot=1' with a 'src' value containing '$(' sequences.
  • The WebShot feature is DISABLED by default; exploitation requires WEBSHOT_ENABLED to be explicitly set to true in the configuration, which significantly limits the attack surface.
  • Exploitation additionally requires CutyCapt and XVFB to be installed on the server at their expected paths; if either binary is absent, the exploit fails before command execution.
  • The vulnerable code path is shared between TimThumb 2.8.13 and WordThumb 1.07 and is also shipped inside numerous WordPress themes and plugins (e.g., Themify themes, WordPress Gallery Plugin, IGIT Posts Slider Widget), so detection scope must cover every path where timthumb.php or img.php may reside.
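The request-level detections above (webshot=1 combined with '$(' in the src parameter, plus the $IFS bypass) as a log scanner, written here as an added example and not part of this record's sources. The log lines, hostnames and paths are constructed for the example; the parser expects combined/common log format and percent-decodes the src value before matching, so encoded payloads are caught too.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format). Clients, hosts and
# theme paths are made up; the second and third lines mimic the IOC pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2014:10:01:02 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://example.org/a.jpg&w=100 HTTP/1.1" 200 512
10.0.0.9 - - [15/Jul/2014:10:01:07 +0000] "GET /wp-content/themes/demo/themify/img.php?webshot=1&src=http://example.org/$(id) HTTP/1.1" 200 43
10.0.0.9 - - [15/Jul/2014:10:01:09 +0000] "GET /wp-content/themes/demo/timthumb.php?webshot=1&src=http%3A%2F%2Fexample.org%2F%24(touch%24IFS%2Ftmp%2Fx) HTTP/1.1" 200 43
10.0.0.7 - - [15/Jul/2014:10:02:00 +0000] "GET /wp-content/themes/demo/timthumb.php?webshot=1&src=http://example.org/b.jpg HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Script names under which the vulnerable code ships (timthumb.php, or img.php in Themify themes).
SCRIPTS = ("timthumb.php", "img.php")


def inspect_request(target: str) -> Optional[Dict[str, object]]:
    """Return finding details when the request matches the CVE-2014-4663 pattern, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(SCRIPTS):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("webshot", [""])[0] != "1":
        return None
    # parse_qs already decodes one layer; a second unquote catches double-encoded payloads.
    src = unquote(qs.get("src", [""])[0])
    if "$(" not in src:
        return None  # webshot=1 with a plain image URL is legitimate use, not an attack
    return {"path": parts.path, "src": src, "ifs_bypass": "$IFS" in src}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan access-log text and return one finding per matching GET request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and m.group("method") == "GET":
            finding = inspect_request(m.group("target"))
            if finding:
                finding["client"] = line.split(" ", 1)[0]
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```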

CVSS provenance

NVD: v2.0, 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
VulnCheck: 6.8 MEDIUM