TimThumb WebShot remote code execution - Vulnerability Database

TimThumb WebShot remote code execution

Description

This vulnerability only affects TimThumb installations where the WebShot feature is enabled. WebShot is disabled by default.

TimThumb is a widely used PHP script for image manipulation (cropping, zooming, and resizing) that is bundled with many WordPress themes and plugins. A remote code execution vulnerability exists in the WebShot feature of TimThumb version 2.8.13 and earlier. The flaw allows attackers to execute arbitrary PHP code on the server because WebShot performs insufficient input validation when it processes external image URLs.

Remediation

Take the following steps to remediate this vulnerability:

1. Immediate Action: If the WebShot feature is enabled, disable it immediately by setting the following configuration in your timthumb-config.php or timthumb.php file:

define('WEBSHOT_ENABLED', false);

2. Upgrade TimThumb: Update to the latest version of TimThumb from the official repository. Replace all instances of timthumb.php in your WordPress installation, including those bundled with themes and plugins.

3. Verify Installation: Search your entire WordPress directory for all timthumb.php files using the command:

find /path/to/wordpress -name timthumb.php

Ensure each instance is updated or has WebShot disabled.

4. Review Logs: Check web server access logs for suspicious requests to timthumb.php to determine if exploitation has occurred.
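Steps 3 and 4 combined into one runnable audit, as an added example that is not Invicti's or TimThumb's own code: it lists every timthumb.php copy with its version and effective WebShot setting, and counts access-log requests that hand timthumb.php an external src URL. It assumes TimThumb's real VERSION and WEBSHOT_ENABLED defines and its src image parameter; the sample tree and log built by make_sample are constructed.

```shell
#!/bin/sh
# Added example (not Invicti's or TimThumb's code): audit a WordPress tree for
# timthumb.php copies (step 3) and review access-log requests to it (step 4).
# VERSION and WEBSHOT_ENABLED are TimThumb's real defines; src is its image
# parameter. The sample tree and log produced by make_sample are constructed.
set -eu

# Print "path<TAB>version<TAB>enabled|disabled" for each timthumb.php under $1.
# A sibling timthumb-config.php may set WEBSHOT_ENABLED, so both files are read.
audit_timthumb() {
  find "$1" -type f -name timthumb.php | sort | while IFS= read -r f; do
    ver=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
    ws=disabled
    for cfg in "$(dirname "$f")/timthumb-config.php" "$f"; do
      [ -f "$cfg" ] || continue
      if grep -Eq "define *\( *'WEBSHOT_ENABLED' *, *true *\)" "$cfg"; then ws=enabled; fi
    done
    printf '%s\t%s\t%s\n' "$f" "${ver:-unknown}" "$ws"
  done
}

# Count lines in access log $1 that request timthumb.php with an external URL in
# src, the remote-image input WebShot processes. Drop -c to print the lines.
count_external_src_requests() {
  grep -Ec 'timthumb\.php\?[^ "]*src=https?(:|%3A)' "$1" || true
}

# Constructed sample: two TimThumb copies (one enabled via its config file) and a
# three-line access log in combined format. Prints the sample root directory.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/themes/a" "$d/plugins/b"
  tt="<?php\ndefine ('VERSION', '%s');\nif(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);\n"
  printf "$tt" 2.8.13 > "$d/themes/a/timthumb.php"
  printf "$tt" 2.8.14 > "$d/plugins/b/timthumb.php"
  printf "<?php\ndefine('WEBSHOT_ENABLED', true);\n" > "$d/themes/a/timthumb-config.php"
  printf '%s\n' \
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/themes/a/timthumb.php?src=http://198.51.100.7/x.png HTTP/1.1" 200 512' \
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/themes/a/timthumb.php?src=wp-content/uploads/y.jpg&w=100 HTTP/1.1" 200 2048' \
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 9000' > "$d/access.log"
  printf '%s\n' "$d"
}

root=$(make_sample)
audit_timthumb "$root"
printf 'timthumb.php requests with external src: %s\n' \
  "$(count_external_src_requests "$root/access.log")"
rm -rf "$root"
```

Against a live site, call audit_timthumb with the real WordPress root and count_external_src_requests with the real access log instead of the constructed sample.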
