Exploitation Summary
CVE-2014-4663 has been observed being exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including @u0x.
AI-analyzed exploit summary
This exploit demonstrates a command injection vulnerability in TimThumb 2.8.13 and WordThumb 1.07 via the WebShot feature. The vulnerability arises from insufficient sanitization of the 'src' parameter, which allows arbitrary command execution through shell metacharacters.
Description
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allow remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.