Vulnerability Name: CVE-2011-4106 (CCN-68981)
Assigned: 2011-08-03
Published: 2011-08-03
Updated: 2013-10-28

Summary: TimThumb (timthumb.php) before 2.0 does not validate the entire source against the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it via a direct request to the file in the cache directory, as exploited in the wild in August 2011.

CVSS v3 Severity: 4.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L)

CVSS v2 Severity:
  6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
  5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
  4.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Access
References:
  - Source: CONFIRM; Type: Exploit, Patch; http://code.google.com/p/timthumb/issues/detail?id=212
  - Source: MITRE; Type: CNA; CVE-2011-4106
  - Source: CCN; Type: DukaPress Web site; DukaPress 2.3.3 TimThumb Security Update
  - Source: MISC; Type: UNKNOWN; http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
  - Source: MISC; Type: Patch; http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
  - Source: CCN; Type: RAXO Web site; RAXO All-mode PRO J1.5 v1.5.0 - Changelog
  - Source: CCN; Type: SA45416; TimThumb Domain Name Security Bypass and Insecure Cache Handling Vulnerabilities
  - Source: CCN; Type: SA45603; Joomla! RAXO All-mode PRO Module TimThumb Arbitrary File Upload Vulnerability
  - Source: CCN; Type: SA45867; WordPress DukaPress Shopping Cart Plugin TimThumb Arbitrary File Upload Vulnerability
  - Source: CCN; Type: SA46015; WordPress IGIT Posts Slider Widget Plugin TimThumb Arbitrary File Upload Vulnerability
  - Source: CCN; Type: SA46018; WordPress IGIT Related Post With Thumb Plugin TimThumb Arbitrary File Upload
  - Source: CCN; Type: SA46079; WordPress A. Gallery Plugin "src" Arbitrary File Upload
  - Source: CCN; Type: TimThumb SVN Repository; TimThumb
  - Source: CCN; Type: WordPress Web site; IGIT Related Post With Thumb plugin for WordPress
  - Source: CONFIRM; Type: UNKNOWN; http://www.binarymoon.co.uk/2011/08/timthumb-2/
  - Source: EXPLOIT-DB; Type: Exploit; 17602
  - Source: EXPLOIT-DB; Type: Exploit; 17872
  - Source: MLIST; Type: UNKNOWN; [oss-security] 20111103 Re: CVE request: wordpress plugin timthumb before 2.0 remote code execution
  - Source: CCN; Type: OSVDB ID: 74326; TimThumb src Parameter Domain Name Verification Bypass
  - Source: CCN; Type: BID-48963; WordPress Timthumb Plugin 'timthumb' Cache Directory Arbitrary File Upload Vulnerability
  - Source: XF; Type: UNKNOWN; timthumb-cache-file-upload(68981)
  - Source: EXPLOIT-DB; Type: EXPLOIT; EDB-ID: 17602
Vulnerable Configuration: Configuration 1