CVE-2011-4106
EXPLOITED IN THE WILD
TimThumb < 2.0 - Remote Code Execution via Domain Whitelist Bypass
Title source: LLM
Exploitation Summary
CVE-2011-4106 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 2 public exploits from researchers including MaXe and Ben Schmidt.
AI-analyzed exploit summary
This exploit leverages a vulnerability in the WordPress TimThumb script (timthumb.php, versions up to 1.32) to achieve remote code execution by tricking the script into fetching and caching a malicious PHP file disguised as a GIF image. Because the cache directory is web-accessible, the attacker then requests the cached file directly and the server executes it. The PoC consists of a crafted GIF header followed by PHP code that executes arbitrary commands supplied in the 'cmd' GET parameter.
Description
TimThumb (timthumb.php) before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it via a direct request to the file in the cache directory, as exploited in the wild in August 2011.
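The description above says the whitelist was applied to the source URL as a whole rather than to its host. The following is an added example in Python, not TimThumb's PHP code: the first function is a simplified reconstruction of a substring-style whitelist check (the class of flaw the CVE describes, not a copy of timthumb.php), and the second shows the host-based check that closes it. The whitelist entries and the sample URLs are constructed for the example; the attacker hostnames are hypothetical.

```python
"""Domain whitelist validation: a substring-style check of the kind behind
CVE-2011-4106, beside a hardened host-based check.  Added example, not
TimThumb's own code; the flawed check is a simplified reconstruction of the
weakness (matching a whitelisted name anywhere in the src URL)."""
from urllib.parse import urlsplit

# Whitelisted image hosts (sample list, constructed for this example).
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com"]


def is_allowed_substring(src: str) -> bool:
    """Flawed check: accepts src if any whitelisted name appears anywhere in it.
    A whitelisted name in a subdomain, a path, or the userinfo part all pass."""
    s = src.lower()
    return any(site in s for site in ALLOWED_SITES)


def is_allowed_host(src: str) -> bool:
    """Hardened check: parse the URL, look only at the host component, and accept
    it only if it equals a whitelisted name or is a subdomain of one, matched at a
    label boundary so 'blogger.com.attacker.example' is rejected."""
    try:
        parts = urlsplit(src)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo and port; 'blogger.com@attacker.example' yields
    # 'attacker.example'.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


# Constructed src values: one legitimate, three shaped like whitelist bypasses.
# 'attacker.example' is a hypothetical attacker-controlled host.
SAMPLES = {
    "legit": "http://farm1.flickr.com/123/photo.jpg",
    "suffix_trick": "http://blogger.com.attacker.example/shell.php",
    "path_trick": "http://attacker.example/blogger.com/shell.php",
    "userinfo_trick": "http://blogger.com@attacker.example/shell.php",
}


def evaluate(check) -> dict:
    """Run one of the checks over every sample and report which it accepts."""
    return {name: check(url) for name, url in SAMPLES.items()}


if __name__ == "__main__":
    print("substring check:", evaluate(is_allowed_substring))
    print("host check:     ", evaluate(is_allowed_host))
```

The substring check accepts all four samples; the host check accepts only the Flickr URL. Host matching on its own is still not a complete fix for a fetch-and-cache script: the fetched body should also be verified to be an image (and ideally re-encoded), cache file names should never take their extension from the remote URL, and the cache directory should not be served with PHP execution enabled.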
Exploits (2)
Exploit against the WordPress TimThumb script (timthumb.php, versions up to 1.32): the script is tricked into fetching a PHP file disguised as a GIF image from a URL containing a whitelisted domain and writing it into the cache directory, from which a direct request executes it. The PoC is a crafted GIF header followed by PHP code that runs arbitrary commands supplied in the 'cmd' GET parameter.
Exploit demonstrating the same remote code execution across multiple WordPress plugins that bundle a vulnerable copy of timthumb.php. The attacker hosts a GIF file with embedded PHP code and passes its URL in the 'src' GET parameter; the script downloads it into the cache directory on the web server, where it can be requested and executed.