VYPR
Moderate severity · NVD Advisory · Published Dec 27, 2014 · Updated May 6, 2026

CVE-2013-6919

Description

phpThumb before 1.7.12 had debug mode enabled by default, allowing remote SSRF via the src parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The default configuration of phpThumb before version 1.7.12 sets the disable_debug option to false, enabling debug mode. This allows the src parameter to accept arbitrary protocols such as file:// or gopher:// in addition to HTTP/HTTPS, leading to Server-Side Request Forgery (SSRF) [1][2][3].

Exploitation

An unauthenticated remote attacker can craft a request with a src parameter pointing to an internal resource (e.g., http://localhost:80/admin or file:///etc/passwd). The vulnerable server will fetch the specified URL and return its content in the debug output, enabling port scanning, service fingerprinting, and access to internal services [2].

Impact

Successful exploitation allows the attacker to perform SSRF attacks, potentially accessing internal systems, reading local files, or bypassing firewall restrictions. This can lead to information disclosure or serve as a stepping stone for further compromise [1][2].

Mitigation

The issue is fixed in phpThumb version 1.7.12, which disables debug mode by default and restricts allowed protocols to FTP and HTTP/HTTPS only [1][4]. Users should upgrade to version 1.7.12 or later and ensure disable_debug is set to true in their configuration [2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: james-heinrich/phpthumb (Packagist)
Affected versions: < 1.7.12
Patched versions: 1.7.12

Patches

457a37d4a22a

[bugfix #936] disable bad protocol:// source

https://github.com/jamesheinrich/phpthumb · James Heinrich · Nov 22, 2013 · via ghsa
2 files changed · +43 −30
  • phpthumb.class.php (+11 −7, modified)
    @@ -207,7 +207,7 @@ class phpthumb {
     	var $iswindows  = null;
     	var $issafemode = null;
     
    -	var $phpthumb_version = '1.7.12-201311010937';
    +	var $phpthumb_version = '1.7.12-201311221429';
     
     	//////////////////////////////////////////////////////////////////////
     
    @@ -537,7 +537,7 @@ function RenderOutput() {
     
     	// public:
     	function RenderToFile($filename) {
    -		if (preg_match('#^(f|ht)tps?\://#i', $filename)) {
    +		if (preg_match('#^[a-z0-9]+://#i', $filename)) {
     			$this->DebugMessage('RenderToFile() failed because $filename ('.$filename.') is a URL', __FILE__, __LINE__);
     			return false;
     		}
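Review bot: the new guard `preg_match('#^[a-z0-9]+://#i', $filename)` only recognises scheme names made of letters and digits, while RFC 3986 also allows `+`, `-` and `.` in a scheme (for example `svn+ssh`), so such a value would slip past the URL check here and be treated as a local filename; `'#^[a-z][a-z0-9+.-]*://#i'` would match every syntactically valid scheme. The same pattern is reused in the hunks below, so the fix belongs in all of them.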
    @@ -859,11 +859,15 @@ function ResolveSource() {
     		}
     		if ($this->iswindows && ((substr($this->sourceFilename, 0, 2) == '//') || (substr($this->sourceFilename, 0, 2) == '\\\\'))) {
     			// Windows \\share\filename.ext
    -		} elseif (preg_match('#^(f|ht)tps?\://#i', $this->sourceFilename)) {
    -			// URL
    -			if ($this->config_http_user_agent) {
    -				ini_set('user_agent', $this->config_http_user_agent);
    -			}
    +		} elseif (preg_match('#^[a-z0-9]+://#i', $this->sourceFilename, $protocol_matches)) {
    +			if (preg_match('#^(f|ht)tps?\://#i', $this->sourceFilename)) {
    +				// URL
    +				if ($this->config_http_user_agent) {
    +					ini_set('user_agent', $this->config_http_user_agent);
    +				}
    +			} else {
    +				return $this->ErrorImage('only FTP and HTTP/HTTPS protocols are allowed, "'.$protocol_matches[1].'" is not');
    +		}
     		} elseif (!@file_exists($this->sourceFilename)) {
     			return $this->ErrorImage('"'.$this->sourceFilename.'" does not exist');
     		} elseif (!@is_file($this->sourceFilename)) {
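Review bot: in this file the outer pattern `'#^[a-z0-9]+://#i'` has no capturing group, so `$protocol_matches[1]` in the new `ErrorImage()` call is never set; the rejection message will read `"" is not` and PHP raises an undefined-offset notice. Wrap the scheme in parentheses as phpThumb.php does (`'#^([a-z0-9]+)://#i'`). Also the closing `+		}` of the inner `if/else` sits at the indentation of the enclosing `elseif`, which makes the nesting hard to read; indent it one level further.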
    
  • phpThumb.php (+32 −23, modified)
    @@ -28,10 +28,10 @@ function SendSaveAsFileHeaderIfNeeded() {
     		return false;
     	}
     	global $phpThumb;
    -	$downloadfilename = phpthumb_functions::SanitizeFilename(@$_GET['sia'] ? $_GET['sia'] : (@$_GET['down'] ? $_GET['down'] : 'phpThumb_generated_thumbnail'.(@$_GET['f'] ? $_GET['f'] : 'jpg')));
    -	if (@$downloadfilename) {
    +	$downloadfilename = phpthumb_functions::SanitizeFilename(@$_GET['sia'] ? $_GET['sia'] : (!empty($_GET['down']) ? $_GET['down'] : 'phpThumb_generated_thumbnail'.(!empty($_GET['f']) ? $_GET['f'] : 'jpg')));
    +	if (!empty($downloadfilename)) {
     		$phpThumb->DebugMessage('SendSaveAsFileHeaderIfNeeded() sending header: Content-Disposition: '.(@$_GET['down'] ? 'attachment' : 'inline').'; filename="'.$downloadfilename.'"', __FILE__, __LINE__);
    -		header('Content-Disposition: '.(@$_GET['down'] ? 'attachment' : 'inline').'; filename="'.$downloadfilename.'"');
    +		header('Content-Disposition: '.(!empty($_GET['down']) ? 'attachment' : 'inline').'; filename="'.$downloadfilename.'"');
     	}
     	return true;
     }
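Review bot: the conversion from `@$_GET[...]` to `!empty($_GET[...])` is incomplete in this hunk: `@$_GET['sia']` in the first expression and `@$_GET['down']` in the unchanged `DebugMessage()` line keep the error-suppression form, so the two reads of `down` in the same function now use different idioms. Converting those as well keeps the behaviour uniform and lets the `@` operator go entirely.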
    @@ -216,10 +216,14 @@ function RedirectToCachedFile() {
     	$phpThumb->ErrorImage('ERROR: no parameters specified');
     }
     
    -if (@$_GET['src'] && isset($_GET['md5s']) && empty($_GET['md5s'])) {
    -	if (preg_match('#^(f|ht)tps?://#i', $_GET['src'])) {
    -		if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
    -			$md5s = md5($rawImageData);
    +if (!empty($_GET['src']) && isset($_GET['md5s']) && empty($_GET['md5s'])) {
    +	if (preg_match('#^([a-z0-9]+)://#i', $_GET['src'], $protocol_matches)) {
    +		if (preg_match('#^(f|ht)tps?://#i', $_GET['src'])) {
    +			if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
    +				$md5s = md5($rawImageData);
    +			}
    +		} else {
    +			$phpThumb->ErrorImage('only FTP and HTTP/HTTPS protocols are allowed, "'.$protocol_matches[1].'" is not');
     		}
     	} else {
     		$SourceFilename = $phpThumb->ResolveFilenameToAbsolute($_GET['src']);
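Review bot: the whitelist here (and in the main branch below) restricts only the scheme of `src`; an `http://` or `https://` value is still handed to `SafeURLread()` with `config_http_follow_redirect` honoured, so requests to internal HTTP hosts, the `http://localhost:80/admin` case described in the advisory text above, are not blocked by this patch. Worth stating in the commit message that host-level SSRF restrictions are out of scope, or adding a host allow-list or private-address check before the fetch.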
    @@ -229,7 +233,7 @@ function RedirectToCachedFile() {
     			$phpThumb->ErrorImage('ERROR: "'.$SourceFilename.'" cannot be read');
     		}
     	}
    -	if (@$_SERVER['HTTP_REFERER']) {
    +	if (!empty($_SERVER['HTTP_REFERER'])) {
     		$phpThumb->ErrorImage('&md5s='.$md5s);
     	} else {
     		die('&md5s='.$md5s);
    @@ -541,24 +545,29 @@ function RedirectToCachedFile() {
     
     	$phpThumb->ErrorImage('Usage: '.$_SERVER['PHP_SELF'].'?src=/path/and/filename.jpg'."\n".'read Usage comments for details');
     
    -} elseif (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {
    +} elseif (preg_match('#^([a-z0-9]+)://#i', $_GET['src'], $protocol_matches)) {
     
    -	$phpThumb->DebugMessage('$phpThumb->src ('.$phpThumb->src.') is remote image, attempting to download', __FILE__, __LINE__);
    -	if ($phpThumb->config_http_user_agent) {
    -		$phpThumb->DebugMessage('Setting "user_agent" to "'.$phpThumb->config_http_user_agent.'"', __FILE__, __LINE__);
    -		ini_set('user_agent', $phpThumb->config_http_user_agent);
    -	}
    -	$cleanedupurl = phpthumb_functions::CleanUpURLencoding($phpThumb->src);
    -	$phpThumb->DebugMessage('CleanUpURLencoding('.$phpThumb->src.') returned "'.$cleanedupurl.'"', __FILE__, __LINE__);
    -	$phpThumb->src = $cleanedupurl;
    -	unset($cleanedupurl);
    -	if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
    -		$phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.') succeeded'.($error ? ' with messsages: "'.$error.'"' : ''), __FILE__, __LINE__);
    -		$phpThumb->DebugMessage('Setting source data from URL "'.$phpThumb->src.'"', __FILE__, __LINE__);
    -		$phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
    +	if (preg_match('#^(f|ht)tps?://#i', $_GET['src'])) {
    +		$phpThumb->DebugMessage('$phpThumb->src ('.$phpThumb->src.') is remote image, attempting to download', __FILE__, __LINE__);
    +		if ($phpThumb->config_http_user_agent) {
    +			$phpThumb->DebugMessage('Setting "user_agent" to "'.$phpThumb->config_http_user_agent.'"', __FILE__, __LINE__);
    +			ini_set('user_agent', $phpThumb->config_http_user_agent);
    +		}
    +		$cleanedupurl = phpthumb_functions::CleanUpURLencoding($phpThumb->src);
    +		$phpThumb->DebugMessage('CleanUpURLencoding('.$phpThumb->src.') returned "'.$cleanedupurl.'"', __FILE__, __LINE__);
    +		$phpThumb->src = $cleanedupurl;
    +		unset($cleanedupurl);
    +		if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
    +			$phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.') succeeded'.($error ? ' with messsages: "'.$error.'"' : ''), __FILE__, __LINE__);
    +			$phpThumb->DebugMessage('Setting source data from URL "'.$phpThumb->src.'"', __FILE__, __LINE__);
    +			$phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
    +		} else {
    +			$phpThumb->ErrorImage($error);
    +		}
     	} else {
    -		$phpThumb->ErrorImage($error);
    +		$phpThumb->ErrorImage('only FTP and HTTP/HTTPS protocols are allowed, "'.$protocol_matches[1].'" is not');
     	}
    +
     }
     
     ////////////////////////////////////////////////////////////////
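Review bot: the outer `preg_match` now tests `$_GET['src']` while the removed line tested `$phpThumb->src`, and the code that follows still fetches `$phpThumb->src`; if the two ever differ (src set on the object rather than via the query string), the scheme check is applied to a different value than the one downloaded, and `$_GET['src']` may be unset and raise a notice. Checking `$phpThumb->src` in both `preg_match` calls keeps the validation on the value actually used. Minor: the inner pattern `(f|ht)tps?://` now also accepts `https://`, which the old `(f|ht)tp\://` did not, so this hunk changes behaviour beyond the scheme rejection; and the added blank `+` line before the closing brace is stray whitespace.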
    

Vulnerability mechanics

Root cause

"Insufficient protocol validation in the src parameter combined with debug mode enabled by default allows SSRF via arbitrary URI schemes."

Attack vector

An attacker sends a crafted HTTP request to the phpThumb endpoint with a `src` parameter containing a non-HTTP/FTP URI scheme (e.g., `gopher://`, `dict://`, or `file://`) while the `disable_debug` option is set to `false` (the default before 1.7.12) [CWE-918]. The server's `SafeURLread()` function fetches the supplied URI, and when debug mode is enabled, the resulting error messages from lower-layer network sockets are displayed to the attacker, revealing information about open/closed ports on internal or external hosts [ref_id=2]. This allows the attacker to use the vulnerable server as a pivot to scan ports on intranet hosts (e.g., localhost, webmail, jira) or external targets [ref_id=2].

Affected code

The vulnerability resides in `phpThumb.php` and `phpthumb.class.php`. In `phpThumb.php`, the `RedirectToCachedFile()` function and the main image-fetching branch used `preg_match('#^(f|ht)tp\://#i', $phpThumb->src)` to validate the `src` parameter, which only checked for `http://`, `https://`, and `ftp://` but did not reject other URI schemes such as `gopher://`, `dict://`, or `file://` [patch_id=1700744]. The same insufficient protocol validation existed in `phpthumb.class.php` in the `ResolveSource()` and `RenderToFile()` methods [patch_id=1700744].

What the fix does

The patch [patch_id=1700744] changes the protocol validation regex from `#^(f|ht)tp\://#i` to `#^([a-z0-9]+)://#i` to first detect any protocol scheme, then explicitly checks whether the scheme is `http://`, `https://`, or `ftp://`. If the scheme is not one of those three, the code calls `ErrorImage()` with the message "only FTP and HTTP/HTTPS protocols are allowed". This prevents attackers from using arbitrary protocols like `gopher://` or `dict://` for SSRF. Additionally, the advisory [ref_id=2] recommends setting `$PHPTHUMB_CONFIG['disable_debug'] = true` to disable debug mode by default, which was also applied in version 1.7.12 to prevent error-message-based information leakage.

Preconditions

  • config: The phpThumb default configuration must have disable_debug set to false (the default before version 1.7.12).
  • network: The attacker must be able to send HTTP requests to the phpThumb endpoint with a crafted src parameter.
  • auth: No authentication is required; the vulnerability is accessible to unauthenticated remote attackers.

Reproduction

1. Deploy phpThumb version prior to 1.7.12 with default configuration (disable_debug = false).
2. Send a request to the phpThumb script with a non-HTTP/FTP protocol in the src parameter and debug enabled, e.g.: `http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=gopher://scanme.nmap.org:22&phpThumbDebug=9` [ref_id=2].
3. Observe that the server attempts to fetch the URI and returns error messages that reveal whether the target port is open or closed, enabling port scanning of internal or external hosts [ref_id=2].
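As an added example (not phpThumb's own code and not part of this advisory), the src scheme whitelist described under "What the fix does" written as a stand-alone check with RFC 3986 scheme characters, then applied to constructed access-log lines to flag requests shaped like the one in the reproduction steps. The Apache-style log format, hosts and paths are assumptions.

```php
<?php
// Added example, not phpThumb's own code: the src scheme whitelist that the
// 1.7.12 fix applies, as a stand-alone check, then used to flag phpThumb
// requests in constructed Apache-style access-log lines.

// Returns [allowed, scheme]. Scheme chars follow RFC 3986 (letter, then
// letters/digits/+/-/.) so unusual scheme names are still caught; only ftp,
// http and https pass, as in the fix. No scheme means a local filename.
function phpthumb_src_scheme_check(string $src): array {
    if (!preg_match('#^([a-z][a-z0-9+.-]*)://#i', $src, $m)) {
        return [true, null];
    }
    $scheme = strtolower($m[1]);
    return [in_array($scheme, ['ftp', 'http', 'https'], true), $scheme];
}

// Returns a reason string when a log line is a phpThumb.php request whose
// src carries a disallowed scheme or that asks for debug output, else null.
function flag_phpthumb_request(string $logLine): ?string {
    if (!preg_match('#"GET (/[^ ]*phpThumb\.php\?[^ ]*) HTTP/#', $logLine, $m)) {
        return null;
    }
    // parse_str() also URL-decodes the parameter values.
    parse_str(substr($m[1], strpos($m[1], '?') + 1), $params);
    $reasons = [];
    if (isset($params['src'])) {
        [$ok, $scheme] = phpthumb_src_scheme_check($params['src']);
        if (!$ok) {
            $reasons[] = "disallowed scheme '$scheme' in src";
        }
    }
    if (isset($params['phpThumbDebug'])) {
        $reasons[] = 'phpThumbDebug output requested';
    }
    return $reasons ? implode('; ', $reasons) : null;
}

// Constructed sample lines (client and target hosts are placeholders).
$lines = [
    '198.51.100.7 - - [22/Nov/2013:14:29:01 +0000] "GET /phpthumb/phpThumb.php?w=32&src=images/logo.jpg HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Nov/2013:14:29:02 +0000] "GET /phpthumb/phpThumb.php?w=32&src=gopher://10.0.0.8:22&phpThumbDebug=9 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [22/Nov/2013:14:29:03 +0000] "GET /phpthumb/phpThumb.php?w=32&src=http://cdn.example.com/a.jpg HTTP/1.1" 200 4096',
];
foreach ($lines as $line) {
    echo (flag_phpthumb_request($line) ?? 'ok'), "\n";
}
```

Only the second line is flagged, for both the `gopher` scheme and the debug request; a permitted `http://` source passes the scheme check, which is why the host-level SSRF cases in the text above still need separate controls.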

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
