CVE-2014-4663 Information
Feb 14, 2021
cve
Description
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allow remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
Reference
http://packetstormsecurity.com/files/127192/TimThumb-2.8.13-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2014/Jul/4
http://seclists.org/fulldisclosure/2014/Jun/117
http://seclists.org/oss-sec/2014/q2/689
http://secunia.com/advisories/59558
http://www.exploit-db.com/exploits/33851
https://code.google.com/p/timthumb/issues/detail?id=485
https://code.google.com/p/timthumb/source/detail?r=219