GitHub Repository: wpscanteam/wpscan
Path: blob/master/app/models/timthumb.rb
# frozen_string_literal: true
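module WPScan
  module Model
    # A timthumb.php script found on the target, with version detection and the
    # two Remote Code Execution checks this model knows about for it.
    class Timthumb < InterestingFinding
      include Vulnerable

      # Text found in timthumb's response when webshot=1 is requested while the
      # feature is off; its absence is what #webshot_enabled? treats as "enabled".
      WEBSHOT_DISABLED_PATTERN = /WEBSHOT_ENABLED == true/

      attr_reader :version_detection_opts

      # @param [ String ] url
      # @param [ Hash ] opts
      # @option opts [ Hash ] :version_detection Options forwarded to the version finders
      #                                         (e.g. :mode), see #version
      def initialize(url, opts = {})
        super(url, opts)

        @version_detection_opts = opts[:version_detection] || {}
      end

      # Detects the timthumb version once and memoizes the result.
      #
      # @param [ Hash ] opts Merged over the :version_detection options given at construction
      #
      # @return [ Model::Version, false ] false when the version could not be determined
      def version(opts = {})
        # Memoized on the first non-nil result: a detected version or an explicit
        # false from the finders is not re-detected (no extra requests) later on.
        @version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?

        @version
      end

      # @return [ Array<Vulnerability> ] The known RCEs applying to the detected version.
      #   When the version is unknown (false, or nil from the finders) both RCEs are
      #   reported since neither can be ruled out, and the live WebShot probe is skipped.
      def vulnerabilities
        detected = version
        vulns = []

        if detected
          # Only 1.35 < version < 2.8.14 (the 2.x line up to 2.8.13) is affected by
          # the WebShot RCE, and only when WEBSHOT_ENABLED is on, hence the probe.
          vulns << rce_webshot_vuln if detected > '1.35' && detected < '2.8.14' && webshot_enabled?
          vulns << rce_132_vuln if detected < '1.33'
        else
          # Unknown version: keep both candidates rather than raising on a nil version
          vulns << rce_webshot_vuln
          vulns << rce_132_vuln
        end

        vulns
      end

      # @return [ Vulnerability ] The RCE affecting versions <= 1.32 (ExploitDB 17602)
      def rce_132_vuln
        Vulnerability.new(
          'Timthumb <= 1.32 Remote Code Execution',
          references: { exploitdb: ['17602'] },
          type: 'RCE',
          fixed_in: '1.33'
        )
      end

      # @return [ Vulnerability ] The WebShot RCE (CVE-2014-4663) affecting versions
      #   > 1.35 (i.e. >= 2.0) and <= 2.8.13
      def rce_webshot_vuln
        Vulnerability.new(
          'Timthumb <= 2.8.13 WebShot Remote Code Execution',
          references: {
            url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'],
            cve: '2014-4663'
          },
          type: 'RCE',
          fixed_in: '2.8.14'
        )
      end

      # Probes the target to find out whether the WebShot feature is on.
      #
      # This sends a live request with webshot=1; the src points at one of the
      # domains timthumb allows by default (presumably so the probe is not rejected
      # on the host allow-list before the WebShot check is reached — confirm against
      # timthumb.php). On a target with WebShot on, this is expected to make timthumb
      # fetch that URL itself, an externally visible side effect of the scan.
      #
      # @return [ Boolean ] true when the response body does not carry the
      #   WEBSHOT_DISABLED_PATTERN text. An empty body (timeout, transport failure)
      #   yields false: nothing was observed, so it must not become an RCE finding.
      def webshot_enabled?
        res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })
        body = res.body.to_s

        # A failed request has no body; without this guard the missing error text
        # would be read as "enabled" and reported as a remote code execution.
        return false if body.empty?

        !WEBSHOT_DISABLED_PATTERN.match?(body)
      end

      # @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
      def default_allowed_domains
        %w[flickr.com picasa.com img.youtube.com upload.wikimedia.org]
      end
    end
  end
end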