phpThumb Command-Injection Vulnerability
https://forums.modx.com/thread/265/phpthumb-command-injection-vulnerability#dis-post-1671
The application is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input to the 'fltr[]' parameter in the 'phpThumb.php' script.

Attackers can exploit this issue to execute arbitrary commands in the context of the webserver.

Note that successful exploitation requires 'ImageMagick' to be installed.

phpThumb() 1.7.9 is affected; other versions may also be vulnerable.

If you are using phpThumb on any of your sites either as part of a plugin or standalone, you should use the following fix to secure your site:
http://modxcms.com/forums/index.php/topic,54874.msg316279.html#msg316279

Note: This vulnerability does not affect the phpThumb that is included in the MODx Revolution distribution.
]]>
smashingred Oct 05, 2010, 11:01 AM https://forums.modx.com/thread/265/phpthumb-command-injection-vulnerability#dis-post-1671
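The post describes the vulnerability class only: request-controlled filter values reaching the ImageMagick command line. The PHP below is an added illustration of that class, written for this page; it is not phpThumb's code, and the filter names, the `name|argument` spec format and the function names are assumptions chosen for the example. Both functions only build the command string and execute nothing, so the effect of a shell metacharacter in a filter argument can be seen directly, alongside a hardened variant that whitelists the filter name, constrains the argument and quotes every operand with escapeshellarg().

```php
<?php
// Added example for this page, not phpThumb's own code. The filter names,
// the "name|argument" spec format and the function names are assumptions.

// Vulnerable pattern: each element of the request's filter array is spliced
// straight into the ImageMagick command line. Nothing is executed here; the
// returned string is what would reach the shell.
function buildConvertCommandUnsafe(string $src, string $dst, array $fltr): string
{
    $cmd = 'convert ' . $src;
    foreach ($fltr as $spec) {
        // "blur|3" becomes " -blur 3"; a ';' or '|' inside $spec survives as-is.
        [$name, $arg] = array_pad(explode('|', $spec, 2), 2, '');
        $cmd .= ' -' . $name . ' ' . $arg;
    }
    return $cmd . ' ' . $dst;
}

// Hardened pattern: the filter name must be on a whitelist, the argument must
// match a strict shape for that filter, and every operand is shell-quoted.
// (Assumed filter set and argument formats, chosen for the example.)
const ALLOWED_FILTERS = [
    'blur'   => '/^\d{1,3}$/',       // radius, e.g. 3
    'rotate' => '/^-?\d{1,3}$/',     // degrees, e.g. -90
    'gamma'  => '/^\d+(\.\d+)?$/',   // e.g. 1.8
];

function buildConvertCommandSafe(string $src, string $dst, array $fltr): string
{
    $argv = ['convert', escapeshellarg($src)];
    foreach ($fltr as $spec) {
        [$name, $arg] = array_pad(explode('|', $spec, 2), 2, '');
        if (!isset(ALLOWED_FILTERS[$name])) {
            throw new InvalidArgumentException("unknown filter: $name");
        }
        if (!preg_match(ALLOWED_FILTERS[$name], $arg)) {
            throw new InvalidArgumentException("bad argument for $name");
        }
        $argv[] = '-' . $name;           // fixed literal from the whitelist
        $argv[] = escapeshellarg($arg);  // already validated, quoted anyway
    }
    $argv[] = escapeshellarg($dst);
    return implode(' ', $argv);
}

// Constructed request values for the demonstration.
$benign  = ['blur|3'];
$hostile = ['blur|3 ; id'];   // shell metacharacters inside a filter argument

echo buildConvertCommandUnsafe('in.jpg', 'out.jpg', $benign), "\n";
echo buildConvertCommandUnsafe('in.jpg', 'out.jpg', $hostile), "\n";

echo buildConvertCommandSafe('in.jpg', 'out.jpg', $benign), "\n";
try {
    buildConvertCommandSafe('in.jpg', 'out.jpg', $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In the unsafe variant the hostile spec yields a command string in which `; id` sits between the blur option and the output path, so the shell would run a second command once the string is passed to exec() or a backtick call. The hardened variant rejects that input at validation time, and even a value that passed validation would be single-quoted by escapeshellarg(). Quoting alone is not a substitute for the whitelist: ImageMagick option values can still name files or delegates, so the set of accepted options and the shape of their arguments should be pinned down server-side rather than left to the request.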