We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

phpThumb Command-Injection Vulnerability

  • Jay Gilmore Reply #1, 13 years, 6 months ago
    It has recently come to our attention that phpThumb (all versions) contains an unpatched vulnerability.
    The application is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input to the ’fltr[]’ parameter in the ’phpThumb.php’ script.

    Attackers can exploit this issue to execute arbitrary commands in the context of the webserver.

    Note that successful exploitation requires ’ImageMagick’ to be installed.

    phpThumb() 1.7.9 is affected; other versions may also be vulnerable.

    If you are using phpThumb on any of your sites either as part of a plugin or standalone, you should use the following fix to secure your site:
    http://modxcms.com/forums/index.php/topic,54874.msg316279.html#msg316279

    Note: This vulnerability does not affect the phpThumb that is included in the MODx Revolution distribution.
      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub

    This discussion is closed to further replies. Keep calm and carry on.