Date: Fri, 27 Jun 2014 12:10:42 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: timthumb remote code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://seclists.org/fulldisclosure/2014/Jun/117
> https://code.google.com/p/timthumb/issues/detail?id=485

> The command line built on lines 967 and 969 is the problem area.
> https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#967

> The original project WordThumb 1.07 also vulnerable ... using the
> older WordThumb.php script

> Developed for use in the WordPress theme Mimbo Pro

> several projects that shipped with "timthumb.php", such as,

> Wordpress Gallery Plugin
> https://wordpress.org/plugins/wordpress-gallery-plugin/
> IGIT Posts Slider Widget
> http://wordpress.org/plugins/igit-posts-slider-widget/

> only vulnerable if the WebShot (aka WebShots) feature is enabled
> (default is disabled).

Use CVE-2014-4663.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTrZb/AAoJEKllVAevmvmsjDAIAKvNZhHNrmquxcY9SmBuu4mE
PqYb23RBbjqXSBbzA8guw28WStkxG7atW7fsPA185LyaIn4PH92n4ZHyHphxlGnT
iaZpcQFVbOtnmPdnf3JB64PJ9jviOmtfUyC9GnxlfLlbaPxTqgVnW9JZ2BybGKno
YK3orCfmrjm5ma5BWsYjfWkf5YFYiWvNuz5xHgVqjGwisTREJ44SjVyoefWhHCRX
zDBu2IoKBYJliZfwopM24aUyxE+C+sgLuxX6BRBPLRKd/kwh09Wsg/YJt+Jsc7Ah
GHxm/tkmQZGLXpX3EEJNP5GJc/i7ePATnLAkwoadzP/nox5xSAQWhdTe/atC0aE=
=afLD
-----END PGP SIGNATURE-----
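Added illustration, not part of the message above and not timthumb's code (the page only references the project's lines 967 and 969 without quoting them): the bug class described is a shell command line assembled from a request-supplied URL. The hypothetical `build_webshot_command_unsafe` shows that pattern; `build_webshot_command` is the hardened form, which validates the URL against a constructed host allow-list and quotes every argument with PHP's `escapeshellarg()`. The screenshot tool path, its option names and the allow-list are placeholders.

```php
<?php
// Added example of the vulnerability class in the report above: a shell
// command built from request data. NOT timthumb's code; the tool path,
// option names and allow-list below are hypothetical placeholders.
declare(strict_types=1);

const WEBSHOT_TOOL  = '/usr/local/bin/webshot-tool';        // hypothetical
const ALLOWED_HOSTS = ['example.org', 'www.example.org'];     // constructed

// Vulnerable pattern: the URL is interpolated into the command string, so
// any shell metacharacter in it is interpreted by /bin/sh when the string
// is passed to exec()/shell_exec().
function build_webshot_command_unsafe(string $url, string $out): string
{
    return WEBSHOT_TOOL . " --url=\"$url\" --out=\"$out\"";
}

// Input validation: only http/https, only hosts on the allow-list.
// This limits what the feature will fetch but is NOT what stops injection.
function validate_webshot_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

// Hardened form: every argument goes through escapeshellarg(), which wraps
// it in single quotes and neutralises embedded quotes, so the whole URL
// becomes exactly one argv entry no matter what characters it contains.
// The output path is chosen server-side, never taken from the request.
function build_webshot_command(string $url): ?string
{
    if (!validate_webshot_url($url)) {
        return null;
    }
    $out = sys_get_temp_dir() . '/webshot_' . bin2hex(random_bytes(8)) . '.png';
    return escapeshellarg(WEBSHOT_TOOL)
        . ' --url=' . escapeshellarg($url)
        . ' --out=' . escapeshellarg($out);
}

// Constructed sample inputs: a benign URL and one that carries a double
// quote, which would terminate the quoted argument in the unsafe builder.
$samples = [
    'https://www.example.org/page',
    'https://www.example.org/page" --extra-flag "x',
    'ftp://www.example.org/page',
];

foreach ($samples as $url) {
    printf("input:    %s\n", $url);
    printf("unsafe:   %s\n", build_webshot_command_unsafe($url, '/tmp/shot.png'));
    printf("hardened: %s\n\n", build_webshot_command($url) ?? '(rejected by validation)');
}
```

Running this with PHP on the command line prints the three forms side by side: the second sample shows the unsafe builder's argument boundary being broken by the embedded quote, while the hardened builder emits it as a single `'...'`-quoted argument; the third sample is rejected by validation before any command string is built. Where the PHP version allows it, passing an argument array to `proc_open()` (supported since PHP 7.4) avoids the shell entirely and removes the quoting question altogether.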
