Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNzQ3LWdqYzktdnZnNs4AAd7k
phpThumb is vulnerable to Server-Side Request Forgery (SSRF)
The default configuration of phpThumb before 1.7.12 has a false value for the disable_debug option, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks via the src parameter.
Permalink: https://github.com/advisories/GHSA-3747-gjc9-vvg6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNzQ3LWdqYzktdnZnNs4AAd7k
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 9 months ago
Identifiers: GHSA-3747-gjc9-vvg6, CVE-2013-6919
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-6919
- http://www.rafayhackingarticles.net/2013/11/phpthumb-server-side-request-forgery.html
- https://github.com/JamesHeinrich/phpThumb/commit/457a37d4a22ac9cdbbfe19577376622e58df81b0
- https://github.com/JamesHeinrich/phpThumb/blob/7ee966b38ddd7eb4d8091389aa514604710711c8/docs/phpthumb.changelog.txt#L106
- https://github.com/advisories/GHSA-3747-gjc9-vvg6
Blast Radius: 0.0
Affected Packages
packagist:james-heinrich/phpthumb
Dependent packages: 5Dependent repositories: 28
Downloads: 317,920 total
Affected Version Ranges: < 1.7.12
Fixed in: 1.7.12
All affected versions:
All unaffected versions: 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22