WordPress timthumb. php remote file storage vulnerability analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201131463
Type myhack58
Reporter 佚名
Modified 2011-08-05T00:00:00


Source:http://xuser. org/read. php? 1 8

作者 :xuser@fsafe

Today on Twitter, see the About wordpress appeared vulnerability, then hastened to open the relevant page of the analysis of specific causes found to be timthumb. php remote storage file when the validation is insufficient and the resulting vulnerability. Probably the analysis process is as follows:

The file for the submission to the src variable submission and verification after storage to the server

$src = get_request ('src', ");

Use parse_url ($src)the src url-divided, and then to verify

global $allowedSites;

// work out file details

$filename = 'external_' . md5 ($src);

$local_filepath = DIRECTORY_CACHE . '/' . $filename;

// only do this stuff the file doesn't already exist

if (! file_exists ($local_filepath)) {

if (strpos (via strtolower ($src), 'http://') !== false || strpos (via strtolower ($src), 'https://') !== false) {

if (! validate_url ($src)) {

display_error ('invalid url');


$url_info = parse_url ($src);

if (count (explode ('.', $url_info['path'])) > 2) {

display_error ('source filename invalid');


if (($url_info['host'] == 'www.youtube.com' || $url_info['host'] == 'youtube.com') && preg_match ('/v=([^&]+)/i', $url_info['query'], $matches)) {

$v = $matches[1];

$src = 'http://img.youtube.com/vi/' . $v . '/0.jpg';

$url_info['host'] = 'img.youtube.com'; //if the source is youtube, then modify the previously stored host


$isAllowedSite = false;

// check allowed sites (if required)

if (ALLOW_EXTERNAL) { //ALLOW_EXTERNAL default to false

$isAllowedSite = true;

} else {

foreach ($allowedSites as $site) {

if (strpos (via strtolower ($url_info['host']), $site) !== false) //$url_info['host'])to find whether there$site

$isAllowedSite = true; //when true will continue to the next step of the storage




Where the$allowedSites array in the file header is defined as follows

$allowedSites = array (





Through a series of validation if$isAllowedSite if true will start storing this file on the server

if ($isAllowedSite) {

if (function_exists ('curl_init')) {

global $fh;

$fh = fopen ($local_filepath, 'w');

$ch = curl_init ($src);


curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/2 0 0 4 1 1 0 7 Firefox/1.0');

curl_setopt ($ch, CURLOPT_URL, $src);


curl_setopt ($ch, will be, 0);


curl_setopt ($ch, CURLOPT_FILE, $fh);

curl_setopt ($ch, CURLOPT_WRITEFUNCTION, 'curl_write');

// error so die

if (curl_exec ($ch) === FALSE) {

unlink ($local_filepath);

touch ($local_filepath);

display_error ('error reading file' . $src . 'from remote host:' . curl_error ($ch));

[1] [2] next