Title: phpThumb() v1.7.11 (dir & title) Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2012-5088
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 16.05.2012

Summary

phpThumb() uses the GD library to create thumbnails from images (JPEG, PNG, GIF, BMP, etc) on the fly. The output size is configurable (can be larger or smaller than the source), and the source may be the entire image or only a portion of the original image.

Description

phpThumb is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'dir' and the 'title' parameter of the 'phpThumb.demo.random.php' and 'phpThumb.demo.showpic.php' scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Vendor

SiliSoftware - http://www.silisoftware.com

Affected Version

1.7.11-201108081537

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.8
MySQL 5.5.20

Vendor Status

N/A

PoC

phpthumb_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://cxsecurity.com/issue/WLB-2012050118
[2] http://packetstormsecurity.org/files/112797
[3] http://www.securityfocus.com/bid/53572
[4] http://www.1337day.com/exploits/18286
[5] http://xforce.iss.net/xforce/xfdb/75709
[6] http://www.osvdb.org/show/osvdb/82295
[7] http://www.osvdb.org/show/osvdb/82296
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2910

Changelog

[16.05.2012] - Initial release
[18.05.2012] - Added reference [2], [3] ana [4]
[20.05.2012] - Added reference [5]
[30.05.2012] - Added reference [6], [7] and [8]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk