Vigil@nce - WordPress TimThumb: code execution via WebShot
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the WebShot feature of WordPress
plugins/themes using TimThumb, in order to execute code.
Impacted products: WordPress Plugins
Severity: 2/4
Creation date: 25/06/2014
DESCRIPTION OF THE VULNERABILITY
The TimThumb script can be installed by WordPress plugins/themes,
such as:
– Mimbo Pro theme
– WordThumb
– WordPress Gallery Plugin
– IGIT Posts Slider Widget
– Themify theme
– etc.
However, the timthumb.php script (or its derivatives) directly
inserts the parameter of the WebShot feature (enabled with
WEBSHOT_ENABLED) into a shell command.
An attacker can therefore use the WebShot feature of WordPress
plugins/themes using TimThumb, in order to execute code.
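A defender's check for the condition described above, as an added example that is not part of the Vigil@nce bulletin or of TimThumb itself: it walks a WordPress content directory and reports every PHP file that defines WEBSHOT_ENABLED, flagging the copies where the feature is switched on. The function names and the sample tree are constructed for illustration, and the code assumes the constant is set with a PHP define() call.

```python
import re
import tempfile
from pathlib import Path

# define('WEBSHOT_ENABLED', <value>), either quote style; group 1 is the value.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*([^)]*?)\s*\)""", re.I)
# PHP block comments, and // or # comments that occupy a whole line.
COMMENT_RE = re.compile(r"/\*.*?\*/|^\s*(?://|#).*?$", re.S | re.M)

def webshot_status(php_source):
    """Return 'enabled', 'disabled', 'review', or None if never defined."""
    code = COMMENT_RE.sub("", php_source)
    values = [m.group(1).strip("'\" ").lower() for m in DEFINE_RE.finditer(code)]
    if not values:
        return None
    if any(v in ("true", "1") for v in values):
        return "enabled"
    if all(v in ("false", "0", "") for v in values):
        return "disabled"
    return "review"  # expression or variable: inspect by hand

def scan(root):
    """Map each PHP file under root that defines WEBSHOT_ENABLED to its status."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        status = webshot_status(path.read_text(errors="replace"))
        if status is not None:
            findings[path.relative_to(root).as_posix()] = status
    return findings

def demo():
    """Scan a constructed wp-content tree (sample files, not real plugin code)."""
    samples = {
        "themes/sample-theme/timthumb.php":
            "<?php\nif (!defined('WEBSHOT_ENABLED')) define('WEBSHOT_ENABLED', true);\n",
        "plugins/sample-slider/thumb.php":
            "<?php\n// define('WEBSHOT_ENABLED', true);\ndefine(\"WEBSHOT_ENABLED\", false);\n",
        "plugins/sample-gallery/index.php": "<?php echo 'no thumbnailer here';\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True)
            target.write_text(body)
        return scan(tmp)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

Matching is on file content rather than file name, so derivatives of timthumb.php stored under other names are still reported. Files reported as enabled or review are the ones to inspect first.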
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WordPress-TimThumb-code-execution-via-WebShot-14933