TimThumb is a very simple and flexible PHP script used to resize images. WebShot is a hidden feature of TimThumb that allows it to take screenshots of websites instead of resizing images.
The vulnerability was discovered by Pichaya Morimoto in the TimThumb WordPress plugin version 2.8.13. According to Morimoto, the vulnerability resides in its "Webshot" feature, which, when enabled, allows attackers to remotely execute commands on a website without requiring authentication. This means the attacker can upload or inject malware, upload or execute PHP code or shells, or take the website down.
Security researcher Daniel Cid explained in a blog post how the vulnerability can be exploited.
With a simple command, an attacker can create, remove and modify any files on the server. Daniel explained with an example:
https://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=https://vulnerablesite.com/$(rm$IFS/tmp/a.txt)
https://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php??webshot=1&src=https://vulnerablesite.com/$(touch$IFS/tmp/a.txt)
TimThumb comes with the WebShot option disabled by default, so only those WordPress users who have enabled the WebShot feature are vulnerable to this attack.
If you are using the plugin on your website, you should disable the option to prevent misuse.
Open your TimThumb file inside the theme or plugin, search for "WEBSHOT_ENABLED" and set it to false,
i.e. define ('WEBSHOT_ENABLED', false);
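The manual check above, generalised to a whole web root, as an added example (not code from TimThumb or from the original post): since each theme or plugin may bundle its own copy of the script, this Python audit reports every PHP file that sets WEBSHOT_ENABLED and whether it is switched on. The sample paths and file contents are constructed, and treating any value that is not a clearly false PHP literal as enabled is an assumption made so that doubtful cases get reviewed.

```python
import re
import tempfile
from pathlib import Path

# define('WEBSHOT_ENABLED', <value>) with either quote style and optional spacing.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*([^)]+?)\s*\)""", re.I)
# PHP literals that evaluate to false; anything else is reported as enabled (assumption).
FALSY = {"false", "0", "null", "''", '""', "'0'", '"0"'}

def webshot_setting(php_source):
    """Return 'enabled', 'disabled', or None when there is no WEBSHOT_ENABLED define."""
    state = None
    for line in php_source.splitlines():
        text = line.strip()
        if text.startswith(("//", "#", "/*", "*")):  # ignore commented-out defines
            continue
        match = DEFINE_RE.search(text)
        if match:
            if match.group(1).lower() not in FALSY:
                return "enabled"
            state = "disabled"
    return state

def audit(webroot):
    """Report (relative path, state) for every .php file that sets WEBSHOT_ENABLED."""
    findings = []
    for path in filter(Path.is_file, Path(webroot).rglob("*.php")):
        state = webshot_setting(path.read_text(encoding="utf-8", errors="replace"))
        if state is not None:
            findings.append((path.relative_to(webroot).as_posix(), state))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (hypothetical paths, not real site data)."""
    samples = {
        "wp-content/themes/a/timthumb.php": "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);",
        "wp-content/plugins/b/thumb.php": 'define("WEBSHOT_ENABLED", TRUE);',
        "wp-content/plugins/c/timthumb.php": "// define('WEBSHOT_ENABLED', true);\ndefine('WEBSHOT_ENABLED', false);",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("<?php\n" + body + "\n", encoding="utf-8")
        return audit(root)

if __name__ == "__main__":
    for rel, state in demo():
        print(f"{state:8}  {rel}")
```

To audit a real installation, call audit() with the site's document root; any file reported as enabled needs the define changed to false.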
More details about the vulnerability can be found at Cxsecurity.