The Hack on phpThumb:
(From http://www.juniper.net/security/auto/vulnerabilities/vuln39605.html):
The application (phpThumb) is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input to the 'fltr[]' parameter in the 'phpThumb.php' script. Attackers can exploit this issue to execute arbitrary commands in the context of the webserver.
Note that successful exploitation requires 'ImageMagick' to be installed.
phpThumb() 1.7.9 is affected; other versions may also be vulnerable.
The Fix:
You can fix this by editing a single file:
phpThumb/phpthumb.functions.php (around line 443). On Evo sites, it's usually installed in assets/snippets/phpThumb. You just need to add a couple of filtering commands to the SafeExec function so that its input is filtered before it is sent to the command line. Right after the function declaration, add lines that filter the $command input. I haven't tested this against all possible valid phpThumb input arguments, but this does prevent a "contained" hack that I performed on my own site.
function SafeExec($command) {
    // Strip off any commands after the first semi-colon
    // and prepare the data to be sent to the command line.
    // EVERETT @ www.fireproofsocks.com 9/26/2010
    $command = preg_replace('/;.*$/','',$command); // <-- *NIX only
    $command = escapeshellcmd($command);
    // ... the original body of SafeExec continues unchanged below this point ...
NOTE: if you are hosting on a Windows server, you would need to edit the first of the $command lines to this:
$command = preg_replace('/&&.*$/','',$command);
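As an added example (not phpThumb's own code and not from the original post), the two filtering steps above wrapped in one helper that picks the separator for the host OS and reports whether anything was stripped, so the event can be logged for review; the sample commands and paths are constructed for the demonstration:

```php
<?php
// Added example, not part of phpThumb. Applies the same two steps as the
// SafeExec patch: cut the command at the first shell separator, then escape
// the remaining shell metacharacters with escapeshellcmd().
function filterShellCommand($command, $isWindows = null)
{
    if ($isWindows === null) {
        $isWindows = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
    }
    // ';' on *nix, '&&' on Windows, as in the post. The 's' modifier is added
    // here so that a newline inside the input does not end the match.
    $pattern  = $isWindows ? '/&&.*$/s' : '/;.*$/s';
    $filtered = preg_replace($pattern, '', $command);
    $filtered = escapeshellcmd($filtered);
    return array(
        'command'  => $filtered,
        'modified' => ($filtered !== $command), // true when filtering changed anything
    );
}

// Constructed sample inputs (assumed paths; not from the original post).
$benign  = 'convert /tmp/in.jpg -resize 100x100 /tmp/out.jpg';
$tainted = 'convert /tmp/in.jpg /tmp/out.jpg; echo injected';

foreach (array($benign, $tainted) as $cmd) {
    $result = filterShellCommand($cmd, false); // false = *nix rules
    if ($result['modified']) {
        // Log the altered input so the request can be reviewed later.
        error_log('SafeExec input was altered by filtering: ' . $cmd);
    }
    echo $result['command'], "\n";
}
```

The benign command passes through unchanged, while the second one is cut back to `convert /tmp/in.jpg /tmp/out.jpg` and flagged as modified.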
You should also turn OFF the debug mode in your config file because it can display valuable information to a hacker:
Inside the phpThumb/phpThumb.config.php file, make sure the following setting is set to true (around line 196):
$PHPTHUMB_CONFIG['disable_debug'] = true;
I’m not going to post how to perform the exploit (you can PM me if you want a test case).