CVE-2011-4106

Name of the Vulnerable Software and Affected Versions TimThumb (timthumb.php) versions prior to 2.0

Description The issue allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter. This is done by accessing the uploaded file via a direct request to the file in the cache directory. There have been real-world incidents where this issue was exploited, notably in August 2011.

Recommendations For versions prior to 2.0, update to version 2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the cache directory to minimize the risk of exploitation. Avoid using the src parameter with untrusted input until the issue is resolved.