CVE-2016-10508
Description
Multiple XSS vulnerabilities in phpThumb() before 1.7.14 allow remote attackers to inject arbitrary web script or HTML via parameters in demo/phpThumb.demo.showpic.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in phpThumb() before 1.7.14 allow remote attackers to inject arbitrary web script or HTML via parameters in demo/phpThumb.demo.showpic.php.
Vulnerability
phpThumb() versions prior to 1.7.14 contain multiple cross-site scripting (XSS) vulnerabilities in the demo file demo/phpThumb.demo.showpic.php. The script did not properly sanitize user-supplied GET parameters before reflecting them in the page output. The vulnerable parameters were not restricted to an allowlist, allowing arbitrary key-value pairs to be passed through and included in generated JavaScript or HTML, leading to injected script execution [1]. The fix introduced an allowlist ($allowedGETparameters) and strict input filtering using a character class regex [1].
Exploitation
An attacker can exploit this by crafting a malicious URL containing XSS payloads in unsanitized GET parameters. No authentication is required as the demo file is publicly accessible in default installations. The attack does not require user interaction beyond the victim visiting the crafted URL, where the injected script runs in the context of the phpThumb domain [1].
Impact
Successful exploitation allows arbitrary JavaScript or HTML injection into the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is reflected XSS, so the impact is limited to the victim's browser session and does not affect the server-side application [1].
Mitigation
The vulnerability is fixed in phpThumb version 1.7.14 and later. Users should upgrade immediately. As a workaround, the demo file demo/phpThumb.demo.showpic.php can be removed or access restricted via web server configuration. The commit [1] shows the patch that adds parameter allowlisting and input sanitization [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.7.13
Patches
1162ae709162bdemo.showpic security fix
1 file changed · +20 −20
demo/phpThumb.demo.showpic.php+20 −20 modified@@ -76,47 +76,47 @@ function CrossBrowserResizeInnerWindowTo(newWidth, newHeight) { <script type="text/javascript" src="javascript_api.js"></script> <?php -function SafeStripSlashes($string) { - return (get_magic_quotes_gpc() ? stripslashes($string) : $string); -} require_once('../phpThumb.config.php'); +$allowedGETparameters = array('src','new','w','h','wp','hp','wl','hl','ws','hs','f','q','sx','sy','sw','sh','zc','bc','bg','bgt','fltr','xto','ra','ar','aoe','far','iar','maxb','hash','md5s','sfn','dpi','sia'); $additionalparameters = array(); foreach ($_GET as $key => $value) { + if (!in_array($key, $allowedGETparameters)) { + continue; + } if (is_array($value)) { + if ($key != 'fltr') { + continue; + } foreach ($value as $key2 => $value2) { - $additionalparameters[] = $key.'[]='.SafeStripSlashes($value2); + @$additionalparameters[$key][] = preg_replace('#[^A-Za-z0-9\\. _:/]#', '', $value2); } } else { - $additionalparameters[] = $key.'='.SafeStripSlashes($value); + $additionalparameters[$key] = preg_replace('#[^A-Za-z0-9\\. _:/]#', '', $value); } } -//$imagesrc = $phpThumbLocation.implode('&', $additionalparameters); -$imagesrc = phpThumbURL(implode($PHPTHUMB_CONFIG['config_high_security_url_separator'], $additionalparameters), $phpThumbLocation); +$imagesrc = phpThumbURL($additionalparameters, $phpThumbLocation); echo '<script type="text/javascript">'; -echo 'var ns4;'; -echo 'var op5;'; -echo 'function setBrowserWindowSizeToImage() {'; -echo 'if (!document.getElementById("imageimg")) { return false; }'; -echo 'sniffBrowsers();'; -echo 'var imageW = getImageWidth("imageimg");'; -echo 'var imageH = getImageHeight("imageimg");'; +echo 'var ns4;'."\n"; +echo 'var op5;'."\n"; +echo 'function setBrowserWindowSizeToImage() {'."\n"; +echo 'if (!document.getElementById("imageimg")) { return false; }'."\n"; +echo 'sniffBrowsers();'."\n"; +echo 'var imageW = getImageWidth("imageimg");'."\n"; +echo 'var imageH = getImageHeight("imageimg");'."\n"; // check for maximum dimensions to allow no-scrollbar window echo 'if (((screen.width * 1.1) > imageW) || ((screen.height * 1.1) > imageH)) {'."\n"; // screen is large enough to fit whole picture on screen with 10% margin echo 'CrossBrowserResizeInnerWindowTo(imageW, imageH);'."\n"; echo '} else {'."\n"; // image is too large for screen: add scrollbars by putting the image inside an IFRAME -echo 'document.getElementById("showpicspan").innerHTML = "<iframe width=\"100%\" height=\"100%\" marginheight=\"0\" marginwidth=\"0\" frameborder=\"0\" scrolling=\"on\" src=\"'.$imagesrc.'\">Your browser does not support the IFRAME tag. Please use one that does (IE, Firefox, etc).<br><img src=\"'.$imagesrc.'\"><\/iframe>";'; +echo 'document.getElementById("showpicspan").innerHTML = "<iframe width=\"100%\" height=\"100%\" marginheight=\"0\" marginwidth=\"0\" frameborder=\"0\" scrolling=\"on\" src=\"'.$imagesrc.'\">Your browser does not support the IFRAME tag. Please use one that does (Chrome, Firefox, etc).<br><img src=\"'.$imagesrc.'\"><\/iframe>";'."\n"; echo '}'."\n"; echo '}'; echo '</script>'; -?> - -</head> -<body style="margin: 0px;" onLoad="setBrowserWindowSizeToImage();"><div id="showpicspan"><?php +echo '</head><body style="margin: 0px;" onLoad="setBrowserWindowSizeToImage();"><div id="showpicspan">'; if (!empty($_GET['src'])) { @@ -127,7 +127,7 @@ function SafeStripSlashes($string) { } else { echo '<pre>'; - echo 'Usage:<br><br><b>'.$_SERVER['PHP_SELF'].'?src=<i>filename</i>&title=<i>Picture+Title</i></b>'; + echo 'Usage:<br><br><b>'.basename(__FILE__).'?src=<i>filename</i>&title=<i>Picture+Title</i></b>'; echo '</pre>'; }
Vulnerability mechanics
Root cause
"The demo script demo/phpThumb.demo.showpic.php failed to properly sanitize user-supplied parameters before using them in constructing URLs, leading to cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by sending a crafted HTTP request to the demo script, demo/phpThumb.demo.showpic.php. This request would include malicious JavaScript code within one of the GET parameters. The script then embeds this unsanitized input into an iframe's source attribute, causing the browser to execute the injected script. This requires no authentication or special privileges, only that the demo script is accessible [ref_id=1].
Affected code
The vulnerability resides in the demo script located at demo/phpThumb.demo.showpic.php. Specifically, the script iterates through all GET parameters and directly incorporates them into the construction of the `imagesrc` variable, which is later used in an iframe's `src` attribute. The patch modifies this section to filter and sanitize these parameters before they are used [ref_id=1].
What the fix does
The patch modifies the demo/phpThumb.demo.showpic.php script to introduce an array of allowed GET parameters. Any parameter not present in this whitelist is now ignored. Additionally, for the parameters that are processed, the script uses `preg_replace` to remove any characters not explicitly allowed in the parameter values. This sanitization prevents arbitrary web script or HTML from being injected into the page, thus mitigating the reflected cross-site scripting vulnerability [ref_id=1].
Preconditions
- inputThe target URL must be accessible and the demo script demo/phpThumb.demo.showpic.php must be present and executable.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/JamesHeinrich/phpThumb/commit/162ae709162be3e6c4d942313a278ca5cbdb8e92nvdPatchThird Party Advisory
News mentions
0No linked articles in our index yet.