phpThumb() fltr[] parameter command injection vulnerability
Description
phpThumb() is a widely-used PHP library that leverages the GD library to dynamically generate image thumbnails from various formats (JPEG, PNG, GIF, BMP). Versions 1.7.9 and earlier contain a critical command injection vulnerability in the fltr[] parameter. This flaw allows remote attackers to inject and execute arbitrary operating system commands on the server without authentication. During testing, Invicti successfully exploited this vulnerability by creating a file named cache/acunetix to demonstrate command execution capabilities.
Remediation
Take the following steps to remediate this vulnerability:
1. Upgrade phpThumb(): Immediately update to the latest stable version of phpThumb() from the official repository at http://phpthumb.sourceforge.net/. Versions after 1.7.9 address this command injection vulnerability.
2. Verify Installation: After upgrading, confirm the new version is active by checking the version number in the phpThumb configuration or source files.
3. Input Validation (If Upgrade Not Possible): If immediate upgrading is not feasible, implement strict input validation and sanitization for all user-supplied parameters, particularly the fltr[] parameter. Use allowlists to restrict acceptable filter values and reject any input containing shell metacharacters.
4. Web Application Firewall: Deploy or configure WAF rules to detect and block command injection attempts targeting phpThumb() endpoints as a temporary mitigation measure.
5. Review Logs: Examine web server and application logs for any suspicious activity or evidence of exploitation attempts.