Comments (2)
I can confirm that this issue is present on a number of sites, including those
using the older WordThumb.php script (before it was merged into TimThumb).
WebShots are disabled by default, but a number of WordPress themes (as
mentioned in the above FD mailing list link) have enabled the feature.
I strongly advise disabling the WebShot feature until a fix is deployed.
The command line built on lines 967 and 969 is the problem area.
https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#967
A good place to start is with replacing the double quotes around the parameters
in that string with single quotes, which should prevent the shell doing any
further expansions.
Original comment by [email protected]
on 25 Jun 2014 at 1:47
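As an added illustration of the point in the comment above (example code written for this page, not TimThumb's own code): the webshot URL should never be interpolated into a double-quoted shell string. PHP's `escapeshellarg()` wraps a value in single quotes and escapes any embedded single quote, so the shell performs no expansion on it. The function names, the fixed binary path and the CutyCapt flags used here are assumptions for the example, and the inputs are constructed.

```php
<?php
// Added example, not from TimThumb: build a CutyCapt command line without
// letting the shell expand the URL parameter. Function names and the exact
// CutyCapt flags are assumptions made for this illustration.

// Accept only plain http(s) URLs with a host before anything reaches a shell.
function webshot_url_is_allowed(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Every untrusted value is passed through escapeshellarg(), which single-quotes
// it; the integer timeout is cast so it can only ever be digits.
function build_webshot_command(string $url, string $outFile, int $timeoutMs = 20000): string {
    if (!webshot_url_is_allowed($url)) {
        throw new InvalidArgumentException('refusing to screenshot URL: ' . $url);
    }
    $cutycapt = '/usr/bin/CutyCapt';          // assumed fixed path, not user input
    return $cutycapt
        . ' --url=' . escapeshellarg($url)
        . ' --out=' . escapeshellarg($outFile)
        . ' --max-wait=' . (int)$timeoutMs;
}

// Constructed input containing a shell variable reference: with the argument
// single-quoted, "$HOME" stays a literal part of the URL instead of expanding.
$url = 'https://example.com/page?q=$HOME';
echo build_webshot_command($url, '/tmp/webshot.png'), PHP_EOL;
// /usr/bin/CutyCapt --url='https://example.com/page?q=$HOME' --out='/tmp/webshot.png' --max-wait=20000

// Constructed input with a disallowed scheme is refused before any command is built.
try {
    build_webshot_command('file:///etc/hostname', '/tmp/webshot.png');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The scheme check is the defence-in-depth layer: even with correct quoting, a screenshot tool that accepts arbitrary schemes can be pointed at local files, so restricting to http(s) is worth doing alongside the quoting fix that the comment recommends.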
Hi - looks like this is only an issue if:
1) webshots is enabled
2) you have CutyCapt and XVFB installed on your server
as such the threat is limited. However it's still best to make sure you disable
webshots until the flaw is fixed.
To do that make sure the following code is in TimThumb:
define('WEBSHOT_ENABLED', false);
Original comment by BinaryMoon
on 26 Jun 2014 at 9:28
- Changed state: Accepted