On 23/08/12 18:45, Holger Motzkau wrote:
Hej!
Our installation and our plugins are all up to date.
The problem is the haybase-plugin which we installed to use the blue
Dutch WLM skin. It contains a file called timthumb.php with the
following code:
// external domains that are allowed to be displayed on your website
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);
[...]
// allow-list check: note that strpos() accepts any host that merely
// *contains* an allowed name anywhere in it
foreach ($allowedSites as $site) {
    if (strpos (strtolower ($url_info['host']), $site) !== false) {
        $isAllowedSite = true;
    }
}
Seems all websites will need an update.
The above code can be rewritten as:
if (preg_match( '/(^|\.)(' . str_replace( ".", "\.", implode("|", $allowedSites ) ) . ")$/', $url_info['host'] ) ) {
    $isAllowedSite = true;
}
And the check there is stupid. It just checks if an external URL contains
flickr.com, not if the URL is actually flickr.com. Using this, manipulated
gif images were downloaded from http://flickr.com.aseana.com.my/xc0de.php
and ended up in the cache folder for scaled images, where they were later
executed as PHP files.
Still, even hardening the above check, the cache folder should not be
publicly accessible or executable as PHP.
Malicious code could be present at those domains, too.
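The following is an added example, not code from this thread or from the timthumb.php file it discusses. It puts the substring check quoted above next to a strict suffix match and next to the regex suggested in the reply (here built with preg_quote() and a lowercased host, which is a variation on the reply's str_replace() form), and runs all three over a few constructed URLs, including a host of the shape described in the thread. The function names, the sample URLs other than the one quoted in the thread, and the `example` hosts are assumptions made for illustration.

```php
<?php
// Added example (not the thread's or timthumb's own code): compare the
// substring-based allow-list check with two host-anchored checks.

$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

// Original behaviour: strpos() accepts any host that merely *contains*
// an allowed name anywhere in it, so "flickr.com.attacker.example" passes.
function isAllowedSubstring($host, array $allowedSites) {
    $host = strtolower($host);
    foreach ($allowedSites as $site) {
        if (strpos($host, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened behaviour without a regex: the host must equal an allowed name
// or end with "." followed by it (so real subdomains still pass).
function isAllowedSuffix($host, array $allowedSites) {
    $host = strtolower($host);
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// The reply's anchored regex, with preg_quote() escaping each name and the
// host lowercased so case does not bypass the match.
function isAllowedRegex($host, array $allowedSites) {
    $quoted = array_map(
        function ($site) { return preg_quote(strtolower($site), '/'); },
        $allowedSites
    );
    $pattern = '/(^|\.)(' . implode('|', $quoted) . ')$/';
    return preg_match($pattern, strtolower($host)) === 1;
}

// Takes a full URL, as timthumb does. Returns null when parse_url() yields
// no usable host; a caller should treat that as denied.
function checkUrl($url, array $allowedSites) {
    $info = parse_url($url);
    if ($info === false || empty($info['host'])) {
        return null;
    }
    return array(
        'substring' => isAllowedSubstring($info['host'], $allowedSites),
        'suffix'    => isAllowedSuffix($info['host'], $allowedSites),
        'regex'     => isAllowedRegex($info['host'], $allowedSites),
    );
}

// Constructed sample URLs. The third is the host pattern described in the
// thread; the others are made up (the "example" names are placeholders).
$samples = array(
    'http://farm1.flickr.com/photo.jpg',
    'http://UPLOAD.WIKIMEDIA.ORG/a/b/c.png',
    'http://flickr.com.aseana.com.my/xc0de.php',
    'http://myflickr.example/x.gif',
    'http://example/flickr.com/x.gif',
);

printf("%-45s %-9s %-9s %s\n", 'URL', 'strpos', 'suffix', 'regex');
foreach ($samples as $url) {
    $r = checkUrl($url, $allowedSites);
    if ($r === null) {
        printf("%-45s %s\n", $url, 'no host: denied');
        continue;
    }
    printf("%-45s %-9s %-9s %s\n", $url,
        $r['substring'] ? 'allowed' : 'denied',
        $r['suffix']    ? 'allowed' : 'denied',
        $r['regex']     ? 'allowed' : 'denied');
}
```

Run it with `php` on the command line: the first two URLs are allowed by all three checks, while the third and fourth pass only the strpos() check, which is exactly the gap the thread describes. The last URL keeps "flickr.com" in its path rather than its host, so all three checks deny it; that is why any such check has to be applied to the parsed host, never to the raw URL string.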