
phpThumb Command-Injection Vulnerability

Description

It has recently come to our attention that phpThumb (all versions) contains an unpatched vulnerability.

    The application is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input to the 'fltr[]' parameter in the 'phpThumb.php' script.

    Attackers can exploit this issue to execute arbitrary commands in the context of the webserver.

    Note that successful exploitation requires 'ImageMagick' to be installed.

    phpThumb() 1.7.9 is affected; other versions may also be vulnerable.

If you are using phpThumb on any of your sites, either as part of a plugin or standalone, you should apply the following fix to secure your site:

http://modxcms.com/forums/index.php/topic,54874.msg316279.html#msg316279

Note: This vulnerability does not affect the phpThumb that is included in the MODx Revolution distribution.