Class: WPScan::Model::Timthumb

Inherits:

InterestingFinding

• Object
• CMSScanner::Model::InterestingFinding
• InterestingFinding
• WPScan::Model::Timthumb

Includes:

Vulnerable

Defined in:

app/models/timthumb.rb

Overview

Timthumb

Instance Attribute Summary

• #version_detection_opts ⇒ Object readonly

  Returns the value of attribute version_detection_opts.

Instance Method Summary

• #default_allowed_domains ⇒ Array<String>

  The default allowed domains (between the 2.0 and 2.8.13).

• #initialize(url, opts = {}) ⇒ Timthumb constructor

  A new instance of Timthumb.

• #rce_132_vuln ⇒ Vulnerability

  The RCE in the <= 1.32.

• #rce_webshot_vuln ⇒ Vulnerability

  The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13.

• #version(opts = {}) ⇒ Model::Version, false
• #vulnerabilities ⇒ Array<Vulnerability>
• #webshot_enabled? ⇒ Boolean

Methods included from Vulnerable

#vulnerable?

Methods included from References

#references_urls, #wpvulndb_ids, #wpvulndb_url, #wpvulndb_urls

Constructor Details

#initialize(url, opts = {}) ⇒ Timthumb

Returns a new instance of Timthumb.

Parameters:

• url (String)
• opts (Hash) (defaults to: {})

Options Hash (opts):

• :mode (Symbol) —

  The mode to use to detect the version

# File 'app/models/timthumb.rb', line 14

def initialize(url, opts = {})
  super(url, opts)

  @version_detection_opts = opts[:version_detection] || {}
end

Instance Attribute Details

#version_detection_opts ⇒ Object (readonly)

Returns the value of attribute version_detection_opts.

# File 'app/models/timthumb.rb', line 9

def version_detection_opts
  @version_detection_opts
end

Instance Method Details

#default_allowed_domains ⇒ Array<String>

Returns The default allowed domains (between the 2.0 and 2.8.13).

Returns:

• (Array<String>) —

  The default allowed domains (between the 2.0 and 2.8.13)

# File 'app/models/timthumb.rb', line 70

def default_allowed_domains
  %w[flickr.com picasa.com img.youtube.com upload.wikimedia.org]
end

#rce_132_vuln ⇒ Vulnerability

Returns The RCE in the <= 1.32.

Returns:

• (Vulnerability) —

  The RCE in the <= 1.32

# File 'app/models/timthumb.rb', line 40

def rce_132_vuln
  Vulnerability.new(
    'Timthumb <= 1.32 Remote Code Execution',
    references: { exploitdb: ['17602'] },
    type: 'RCE',
    fixed_in: '1.33'
  )
end

#rce_webshot_vuln ⇒ Vulnerability

Returns The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13.

Returns:

• (Vulnerability) —

  The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13

# File 'app/models/timthumb.rb', line 50

def rce_webshot_vuln
  Vulnerability.new(
    'Timthumb <= 2.8.13 WebShot Remote Code Execution',
    references: {
      url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'],
      cve: '2014-4663'
    },
    type: 'RCE',
    fixed_in: '2.8.14'
  )
end

#version(opts = {}) ⇒ Model::Version, false

Parameters:

• opts (Hash) (defaults to: {})

Returns:

• (Model::Version, false)

# File 'app/models/timthumb.rb', line 23

def version(opts = {})
  @version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?

  @version
end

#vulnerabilities ⇒ Array<Vulnerability>

Returns:

• (Array<Vulnerability>)

# File 'app/models/timthumb.rb', line 30

def vulnerabilities
  vulns = []

  vulns << rce_webshot_vuln if version == false || version > '1.35' && version < '2.8.14' && webshot_enabled?
  vulns << rce_132_vuln if version == false || version < '1.33'

  vulns
end

#webshot_enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/timthumb.rb', line 63

def webshot_enabled?
  res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })

  /WEBSHOT_ENABLED == true/.match?(res.body) ? false : true
end