Title: TimThumb WebShot DoS
Author: Larry W. Cashdollar
Date: 10/13/2014


I recently was reading about the TimThumb WebShot command injection vulnerability from July 2014: http://cxsecurity.com/issue/WLB-2014060134
I realized that if ALLOW_ALL_EXTERNAL_SITES and WEBSHOT_ENABLED are both set to true:

    if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', true);
    if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);

which is not the default setting, you could use TimThumb to DoS a site in a similar way to the WordPress XML-RPC
pingback attack: https://blogs.akamai.com/2014/03/anatomy-of-wordpress-xml-rpc-pingback-attacks.html
The request looks like:
192.168.0.33 - - [13/Oct/2014:16:10:07] "GET / HTTP/1.1" 200 3564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18" Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 XF:
TimThumb sends its own User-Agent rather than the requesting browser's; my browser's UA is:

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 (KHTML, like Gecko) Version/7.1 Safari/537.85.10

The User-Agent string is set here:

    if(! defined('WEBSHOT_USER_AGENT') ) define ('WEBSHOT_USER_AGENT', "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18");
I'd be curious to know how many site authors have enabled both of these features, since TimThumb is still widely in use despite being EOL: http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
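As an added example (not part of the original post), a small Python audit covering the two points above: it checks a timthumb.php (or its config file) for the ALLOW_ALL_EXTERNAL_SITES/WEBSHOT_ENABLED combination, and counts per source IP the requests in an access log that carry the WebShot User-Agent string quoted above. The sample PHP snippet and log lines are constructed; the function names are my own.

```python
import re
from collections import Counter

# User-Agent that TimThumb's WebShot feature sends (WEBSHOT_USER_AGENT in timthumb.php).
WEBSHOT_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) "
              "Gecko/20110614 Firefox/3.6.18")

# Matches PHP such as: if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
# ("defined(" does not match because "define" must be followed directly by "(").
DEFINE_RE = re.compile(r"define\s*\(\s*'(\w+)'\s*,\s*(true|false)\s*\)", re.IGNORECASE)


def risky_webshot_config(php_source: str) -> bool:
    """True when both ALLOW_ALL_EXTERNAL_SITES and WEBSHOT_ENABLED are defined true.

    Audits the literal defines in the given file only; a later define in
    another included config file could still override these defaults.
    """
    settings = {}
    for line in php_source.splitlines():
        if line.lstrip().startswith(("//", "#", "*")):  # skip commented-out defines
            continue
        for name, value in DEFINE_RE.findall(line):
            settings[name.upper()] = value.lower() == "true"
    return bool(settings.get("ALLOW_ALL_EXTERNAL_SITES")) and bool(settings.get("WEBSHOT_ENABLED"))


def webshot_hits(access_log: str) -> Counter:
    """Count requests per client IP whose User-Agent equals the TimThumb WebShot UA.

    Works on combined-format lines and on the custom format in the post: the client
    IP is the first token and the UA is one of the double-quoted fields.
    """
    hits = Counter()
    for line in access_log.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        quoted_fields = re.findall(r'"([^"]*)"', line)
        if WEBSHOT_UA in quoted_fields:
            hits[client_ip] += 1
    return hits


# Constructed sample config and log lines for demonstration.
SAMPLE_TIMTHUMB = """\
// define ('ALLOW_ALL_EXTERNAL_SITES', false);
if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', true);
if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
"""
SAMPLE_LOG = """\
192.168.0.33 - - [13/Oct/2014:16:10:07 +0000] "GET / HTTP/1.1" 200 3564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
10.0.0.5 - - [13/Oct/2014:16:10:09 +0000] "GET /index.html HTTP/1.1" 200 3564 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 (KHTML, like Gecko) Version/7.1 Safari/537.85.10"
192.168.0.33 - - [13/Oct/2014:16:10:11 +0000] "GET / HTTP/1.1" 200 3564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
"""

if __name__ == "__main__":
    print("risky config:", risky_webshot_config(SAMPLE_TIMTHUMB))
    print("webshot hits:", dict(webshot_hits(SAMPLE_LOG)))
```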