Updated to version 2.8.14

Fixes vulnerability http://seclists.org/fulldisclosure/2014/Jun/117
GabrielGil · Jul 17, 2014 · 564c000 · 564c000
1 parent eeb5fbe
commit 564c000
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 6 deletions.
diff --git a/composer.json b/composer.json
@@ -10,4 +10,4 @@
     "autoload": {
         "classmap": ["./"]
     }
-}
+}
diff --git a/timthumb.php b/timthumb.php
@@ -20,7 +20,7 @@
  * loaded by timthumb. This will save you having to re-edit these variables
  * everytime you download a new version
 */
-define ('VERSION', '2.8.13');																		// Version of this script 
+define ('VERSION', '2.8.14');																		// Version of this script 
 //Load a config file if it exists. Otherwise, use the values below
 if( file_exists(dirname(__FILE__) . '/timthumb-config.php'))	require_once('timthumb-config.php');
 if(! defined('DEBUG_ON') )					define ('DEBUG_ON', false);								// Enable debug logging to web server error log (STDERR)
@@ -959,9 +959,12 @@ protected function serveWebshot(){
 		if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){
 			return $this->error("Invalid URL supplied.");
 		}
-		$url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url); //RFC 3986
-		//Very important we don't allow injection of shell commands here. URL is between quotes and we are only allowing through chars allowed by a the RFC 
-		// which AFAIKT can't be used for shell injection. 
+		$url = preg_replace('/[^A-Za-z0-9\-\.\_:\/\?\&\+\;\=]+/', '', $url); //RFC 3986 plus ()$ chars to prevent exploit below. Plus the following are also removed: @*!~#[]',
+		// 2014 update by Mark Maunder: This exploit: http://cxsecurity.com/issue/WLB-2014060134
+		// uses the $(command) shell execution syntax to execute arbitrary shell commands as the web server user. 
+		// So we're now filtering out the characters: '$', '(' and ')' in the above regex to avoid this. 
+		// We are also filtering out chars rarely used in URLs but legal accoring to the URL RFC which might be exploitable. These include: @*!~#[]',
+		// We're doing this because we're passing this URL to the shell and need to make very sure it's not going to execute arbitrary commands. 
 		if(WEBSHOT_XVFB_RUNNING){
 			putenv('DISPLAY=:100.0');
 			$command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile";
@@ -1261,4 +1264,4 @@ protected function set404(){
 	protected function is404(){
 		return $this->is404;
 	}
-}
+}