CVE-2014-4663
Published 2014-07-15
Priority: P2 · 75 · medium · CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.75% (94.9th percentile)
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| binarymoon | timthumb | — | — |
| binarymoon | wordthumb | — | — |
Detection & IOCs (extracted from sources)
- URL: http://<target>/wp-content/themes/<theme>/path/to/timthumb.php?webshot=1&src=http://<host>/$()<command>
- URL: http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)
- Detect HTTP GET requests to timthumb.php or img.php containing both 'webshot=1' and shell metacharacters '$(' or ')' in the 'src' parameter, indicating command injection attempts.
- Flag use of $IFS as a space-bypass technique in the src parameter of webshot requests, as attackers use it to circumvent the space character restriction in the filtered character set.
- Monitor web server processes (www-data) spawning unexpected child processes such as CutyCapt or xvfb-run, which are required for the WebShot feature to execute the injected command.
- Alert on HTTP requests to paths matching /themify/img.php or any timthumb.php with query string parameters 'webshot=1' combined with a 'src' value containing '$(' sequences.
- The WebShot feature is DISABLED by default; exploitation requires WEBSHOT_ENABLED to be explicitly set to true in the configuration, significantly limiting the attack surface.
- Exploitation additionally requires CutyCapt and XVFB to be installed on the server at their expected paths; absence of either binary causes the exploit to fail before command execution.
- The vulnerable code path is shared between TimThumb 2.8.13 and WordThumb 1.07, and is also shipped inside numerous WordPress themes and plugins (e.g., Themify themes, WordPress Gallery Plugin, IGIT Posts Slider Widget), so detection scope must cover all paths where timthumb.php or img.php may reside.
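The detection bullets above translate directly into a log-side check. The following is an added example, not code from the page or from the TimThumb project: it scans constructed common-log-format access log lines, keeps only GET requests whose script name is timthumb.php or img.php, and raises an alert when 'webshot=1' is combined with a 'src' value containing '$(', ')' or '$IFS'. It goes slightly beyond the bullets by URL-decoding the query string first (via parse_qs), so a percent-encoded payload is not missed. The hostnames, IPs and log lines are constructed samples; the only injection payload reused is the one already quoted on this page, plus a literal "$(command)" placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts named on the page as carrying the vulnerable WebShot code path.
SUSPICIOUS_SCRIPTS = ("timthumb.php", "img.php")

# Metacharacters called out in the detection guidance above.
METACHARS = ("$(", ")", "$IFS")

# Extract method and request-target from a common-log-format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access log (not real traffic). Line 1 mirrors the IOC
# quoted on the page; line 3 carries a percent-encoded "$(command)" placeholder;
# lines 2 and 4 are negatives (no webshot parameter / not a TimThumb script).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2014:10:01:02 +0000] "GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1" 200 512
10.0.0.6 - - [15/Jul/2014:10:01:03 +0000] "GET /wp-content/themes/parallax/themify/img.php?src=http://loncatlab.local/a.jpg&w=100 HTTP/1.1" 200 4096
10.0.0.7 - - [15/Jul/2014:10:01:04 +0000] "GET /wp-content/themes/sample/timthumb.php?webshot=1&src=http%3A%2F%2Fexample.test%2F%24%28command%29 HTTP/1.1" 200 512
10.0.0.8 - - [15/Jul/2014:10:01:05 +0000] "GET /index.php?webshot=1&src=$(x) HTTP/1.1" 404 0
"""


def analyse_request(target):
    """Return a finding dict for a suspicious request-target, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in SUSPICIOUS_SCRIPTS:
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("webshot", [""])[0] != "1":
        return None
    src = params.get("src", [""])[0]
    reasons = [m for m in METACHARS if m in src]
    if not reasons:
        return None
    return {"path": parts.path, "script": script, "src": src, "reasons": reasons}


def scan_log(text):
    """Scan access-log text; return one alert per matching GET request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        finding = analyse_request(m.group("target"))
        if finding:
            client = line.split(" ", 1)[0]
            alerts.append({"client": client, **finding})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['client']} {alert['path']} reasons={alert['reasons']}")
```

The script-name check keeps the rule scoped to the files the page names; the $IFS match is reported as its own reason so a SIEM rule can weight the space-bypass technique separately from a bare '$(' hit.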
CVSS provenance
NVD (CVSS v2.0): 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
VulnCheck: 6.8 MEDIUM
GHSA
GHSA-qmf7-fj73-rx79: TimThumb 2 (ghsa_unreviewed · 2022-05-17) · CVE-2014-4663 [MEDIUM] · CWE-94
VulnCheck
binarymoon timthumb: Improper Control of Generation of Code ('Code Injection') · vulncheck · 2014 · CVSS 6.8 · CVE-2014-4663 [MEDIUM]
Affected: binarymoon timthumb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ajax-search-lite/ajax-search-lite-311-remote-code-execution
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/127192/TimThumb-2.8.13-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2014/Jul/4
- http://seclists.org/fulldisclosure/2014/Jun/117
- http://seclists.org/oss-sec/2014/q2/689
- http://secunia.com/advisories/59558
- http://www.exploit-db.com/exploits/33851
- https://code.google.com/p/timthumb/issues/detail?id=485
- https://code.google.com/p/timthumb/source/detail?r=219