Class: WPScan::Model::Timthumb

Inherits:
InterestingFinding show all
Includes:
Vulnerable
Defined in:
app/models/timthumb.rb

Overview

Timthumb

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from Vulnerable

#vulnerable?

Methods included from References

#references_urls, #wpvulndb_ids, #wpvulndb_url, #wpvulndb_urls

Constructor Details

#initialize(url, opts = {}) ⇒ Timthumb

Returns a new instance of Timthumb.

Parameters:

  • url (String)
  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :mode (Symbol)

    The mode to use to detect the version



14
15
16
17
18
# File 'app/models/timthumb.rb', line 14

def initialize(url, opts = {})
  super(url, opts)

  @version_detection_opts = opts[:version_detection] || {}
end

Instance Attribute Details

#version_detection_optsObject (readonly)

Returns the value of attribute version_detection_opts.



9
10
11
# File 'app/models/timthumb.rb', line 9

def version_detection_opts
  @version_detection_opts
end

Instance Method Details

#default_allowed_domainsArray<String>

Returns The default allowed domains (between the 2.0 and 2.8.13).

Returns:

  • (Array<String>)

    The default allowed domains (between the 2.0 and 2.8.13)



70
71
72
# File 'app/models/timthumb.rb', line 70

def default_allowed_domains
  %w[flickr.com picasa.com img.youtube.com upload.wikimedia.org]
end

#rce_132_vulnVulnerability

Returns The RCE in the <= 1.32.

Returns:



40
41
42
43
44
45
46
47
# File 'app/models/timthumb.rb', line 40

def rce_132_vuln
  Vulnerability.new(
    'Timthumb <= 1.32 Remote Code Execution',
    references: { exploitdb: ['17602'] },
    type: 'RCE',
    fixed_in: '1.33'
  )
end

#rce_webshot_vulnVulnerability

Returns The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13.

Returns:

  • (Vulnerability)

    The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13



50
51
52
53
54
55
56
57
58
59
60
# File 'app/models/timthumb.rb', line 50

def rce_webshot_vuln
  Vulnerability.new(
    'Timthumb <= 2.8.13 WebShot Remote Code Execution',
    references: {
      url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'],
      cve: '2014-4663'
    },
    type: 'RCE',
    fixed_in: '2.8.14'
  )
end

#version(opts = {}) ⇒ Model::Version, false

Parameters:

  • opts (Hash) (defaults to: {})

Returns:

  • (Model::Version, false)


23
24
25
26
27
# File 'app/models/timthumb.rb', line 23

def version(opts = {})
  @version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?

  @version
end

#vulnerabilitiesArray<Vulnerability>

Returns:



30
31
32
33
34
35
36
37
# File 'app/models/timthumb.rb', line 30

def vulnerabilities
  vulns = []

  vulns << rce_webshot_vuln if version == false || version > '1.35' && version < '2.8.14' && webshot_enabled?
  vulns << rce_132_vuln if version == false || version < '1.33'

  vulns
end

#webshot_enabled?Boolean

Returns:

  • (Boolean)


63
64
65
66
67
# File 'app/models/timthumb.rb', line 63

def webshot_enabled?
  res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })

  /WEBSHOT_ENABLED == true/.match?(res.body) ? false : true
end