Zero-day Vulnerability Database

Change view

Zero-day vulnerabilities discovered: 1

Arbitrary file upload Binarymoon TimThumb
CVE-2011-4106

Arbitrary file upload

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper storing of content in the cache directory when processing input. A remote attacker can send a specially crafted HTTP request containing a white-listed domain in the src parameter, upload a malicious PHP script and execute arbitrary PHP code.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP code on the vulnerable system.

Note: the vulnerability was being actively exploited.

Not patched
i

The exploit was announced by Mark Maunder.

Software: TimThumb

The exploit was announced by Mark Maunder.