Timthumb: Popular WordPress Theme Library Vulnerability

Last night I read an article exposing a vulnerability in timthumb – an image manipulation script which is used in many WordPress themes.

More details can be found here http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/

Summary from Mark Maunder

An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven’t audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you’ve been compromised.

Today, remembering this, I ran a search across the 90 websites hosted on the webserver we use in the office (only 4 or 5 are wordpress installations) and was surprised to find that we were using a theme with timthumb in it!

The command to find all files named timthumb.php in subdirectories of the current directory on Linux is

find . -name 'timthumb.php'

It turned up for us in a theme we had recently modified to suit a new client. The theme is Athena. Athena's author is on holiday at the moment, but I have emailed to ask them to update the bundled timthumb to the latest version to ensure no one else is vulnerable in this way.

Timthumb's author has already released a patched version after the vulnerability was exploited in the wild.

After finding any timthumb.php copies, the quick solution is to find the array named $allowedSites and remove every entry from it. This stops unauthenticated users from being able to download remote files into the timthumb temporary files folder and then execute them.
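To turn the steps above (find every timthumb.php, check whether its $allowedSites array has been emptied, and grep for base64_decode beside long encoded strings) into one repeatable audit, here is an added example script. It is not from the original post and not part of timthumb or any theme; the fixture files it builds are constructed stand-ins, not real theme code, and the 100-character threshold for a "long" encoded string is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for timthumb.php copies,
# report any whose $allowedSites array still lists remote hosts, and flag PHP files
# that call base64_decode() next to a long base64-looking string.

# Print the path of every timthumb.php below the given directory.
find_timthumb() {
    find "$1" -type f -name 'timthumb.php'
}

# Return 0 (true) if the file's $allowedSites array still has at least one entry.
# A file with no $allowedSites at all is treated as unreviewed, i.e. also "true".
allowed_sites_nonempty() {
    grep -q '\$allowedSites' "$1" || return 0
    # Collapse to one line so a multi-line array is handled, then pull out the array body.
    body=$(tr '\n' ' ' < "$1" | sed -n 's/.*\$allowedSites *= *array *(\([^)]*\)).*/\1/p')
    # Anything left after stripping whitespace means the array is not empty.
    [ -n "$(printf '%s' "$body" | tr -d '[:space:]')" ]
}

# Return 0 if the file calls base64_decode and carries a base64-looking run of
# 100 or more characters (threshold is an assumption for this example).
looks_backdoored() {
    grep -q 'base64_decode' "$1" && grep -Eq '[A-Za-z0-9+/=]{100,}' "$1"
}

# Audit one web root: one line per finding.
audit() {
    find_timthumb "$1" | while read -r f; do
        if allowed_sites_nonempty "$f"; then
            printf 'ALLOWS REMOTE: %s\n' "$f"
        else
            printf 'ok (empty allowedSites): %s\n' "$f"
        fi
    done
    find "$1" -type f -name '*.php' | while read -r f; do
        if looks_backdoored "$f"; then
            printf 'SUSPECT (base64_decode + long blob): %s\n' "$f"
        fi
    done
}

# Build a throwaway directory tree of constructed sample files (not real theme code)
# so the script can be tried offline. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/site-a/wp-content/themes/demo" \
             "$d/site-b/wp-content/themes/demo" \
             "$d/site-c/wp-content/uploads"
    # Unmodified-style copy: remote hosts still allowed.
    cat > "$d/site-a/wp-content/themes/demo/timthumb.php" <<'EOF'
<?php
$allowedSites = array(
    'flickr.com',
    'picasa.com',
);
EOF
    # Patched copy: the array has been emptied.
    cat > "$d/site-b/wp-content/themes/demo/timthumb.php" <<'EOF'
<?php
$allowedSites = array();
EOF
    # Constructed stand-in for an injected file: base64_decode beside a 120-char blob.
    blob=$(awk 'BEGIN { while (i++ < 120) printf "A" }')
    printf '<?php eval(base64_decode("%s"));\n' "$blob" > "$d/site-c/wp-content/uploads/cache.php"
    printf '%s\n' "$d"
}

# Usage: sh audit-timthumb.sh /var/www   (audits a real web root);
# with no argument the script audits the constructed fixture tree instead.
root=${1:-$(make_fixture)}
audit "$root"
```

Run it against the directory that holds the hosted sites; every "ALLOWS REMOTE" line is a copy whose $allowedSites still needs emptying (or replacing with the patched release), and every "SUSPECT" line deserves a manual look, since legitimate plugins occasionally use base64_decode as well.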

Incidents like this really highlight the (justified) risks one takes in using 3rd party code.


Published on Wednesday, August 3rd, 2011, at 13:01, and filed under PHP, Web Development, Wordpress.


One Response

  1. Tim Thumb — EugeneDunkley.com Says:

    [...] If you use wordpress but think you're safe how about just making double sure you're completely safe.So it's been a long time since I have posted but being an avid fan of WordPress as I know many of my…developer who first located timthumb.php vulnerability being exploited (his site was hacked), “An [...]
