Attention WordPress webmasters, read this! (SECURITY)
Posted by John-e5, 08-04-2011, 04:17 PM |
http://www.websitedefender.com/web-s...lugins-themes/
Recently a new high risk vulnerability was discovered in the highly popular TimThumb script. TimThumb is "A small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications."
TimThumb is included in a lot of WordPress plugins and themes (free and paid). Exploiting this vulnerability an attacker can upload and execute a PHP file of his choice on a vulnerable website.
Download the fixed version (v1.34) from the TimThumb project page (http://code.google.com/p/timthumb/).
You should upload it where the extra script/library files for your theme are located, overwriting the old one. For example /wp-content/themes/MySuperTheme/script/. Be careful though as this may break your site.
Last edited by John-e5; 08-04-2011 at 04:21 PM.
|
Posted by John-e5, 08-04-2011, 04:31 PM |
Direct link to fixed version: https://timthumb.googlecode.com/svn/trunk/timthumb.php
|
Posted by SocialManUK, 08-04-2011, 04:32 PM |
Never used WordPress, does it often have exploits in it, or is it stable in general?
Sorry to detract from what the post is meant for, but it's related, so I thought I would ask while I'm here.
Nice one for the "heads up" for fellow WHT members though.
|
Posted by Mopman, 08-04-2011, 04:39 PM |
The exploit is not in Wordpress itself, but in a script which is used by a lot of (third party) plugins. Since the plugins usually distribute their own copy of timthumb, it has to be fixed by each plugin author (or the user themselves as John is suggesting).
|
Posted by John-e5, 08-04-2011, 04:46 PM |
From experience, I would say it is stable, assuming you have some knowledge and you follow simple rules. For example you don't use the default DB table prefix, you have removed the meta generator and WP version details, you have a good username and password, you update your plugins (and you don't use a ton of unknown or old ones) and WP core when needed, etc. Most problems (I'd say ~90%) don't arise by WP itself but from insecure plugins. That's why you have to be extra sure you need one before installing.
|
Posted by John-e5, 08-10-2011, 07:28 AM |
The TimThumb Saga (from WordPress creator)
http://ma.tt/2011/08/the-timthumb-saga/
|
Posted by MACscr, 08-10-2011, 11:43 AM |
Has anyone written a bash script for replacing all occurrences of timthumb.php on a server with the updated one and of course emptying the cache folders? Probably would be useful to rename and move the old timthumb.php to a non web accessible folder as well.
Simply notifying clients of the issue isn't going to be a solve-all, as many install everything through Fantastico and WordPress directly and don't really even know how to access their files. Plus some have 20 themes on their blog or whatever.
Thoughts?
|
Posted by SPaReK, 08-10-2011, 12:59 PM |
I figured this was something that needed to be handled by the theme developers. I'm not sure what ramifications can come about by just replacing a very old timthumb.php script with the latest version. Will the Wordpress theme (or whatever script is using the Timthumb library) still continue to work? What if the theme maker made slight modifications to the timthumb.php file for their theme?
I don't know the answers to these, it's why I'm asking. Are others in the webhosting industry doing a mass replace of this script? Or are you leaving this for the theme/extension/script developers?
|
Posted by MACscr, 08-10-2011, 01:33 PM |
Even if theme developers fixed it, what good would that be to our clients or servers if they aren't getting those updates?
I've done a drop-in replacement on 3 sites manually so far and cleared their cache folders and everything appeared to be working fine. As mentioned as well though, the original file should not just be overwritten, but permissions changed and moved to a non web accessible folder.
To me, waiting and just hoping that developers update their themes and hoping that clients apply those updates is not a good strategy for an exploit such as this.
|
Posted by John-e5, 08-10-2011, 01:53 PM |
Yeah, leaving the upgrade to theme devs and then waiting for the users to upgrade is a disaster waiting to happen.
I too have replaced the script on a handful of sites. On the first post, Website Defender has compiled a list of themes and plugins that use this.
|
Posted by brianoz, 08-11-2011, 06:49 AM |
Has anyone got a mod security rule that blocks this?
|
Posted by John-e5, 08-11-2011, 12:59 PM |
If you block this it may break websites using it (well at least their images), better to replace it.
For anyone willing to write a script here is the pseudocode:
For all DocumentRoot folders in the system:
    if "timthumb.php" exists:
        open the file and search for "VERSION: X.Y"
        if X.Y < LATEST then move it away and download the newest version
|
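Here is one way to turn the pseudocode above (and MACscr's request a few posts up for a server-wide replace script that also empties the cache folders) into a working POSIX shell script. This is an added example, not code from the thread or from the TimThumb project. It assumes that a timthumb.php records its version either as a PHP `define ('VERSION', '1.34');` line or as a `VERSION: X.Y` comment (the form the pseudocode mentions), that 1.34 is the fixed version as the thread states, and that the administrator has already downloaded and reviewed one known-good copy and passes its local path in, so the script never fetches anything over the network. Files with no version string at all are reported as `unknown` and left alone for manual review; run it without the last argument for a report-only dry run.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a server for outdated timthumb.php copies,
# quarantine the old file outside the web root, drop in a vetted copy and empty its cache.
# Assumptions (not stated in the thread): version is stored as  define ('VERSION', '1.34');
# or as a "VERSION: X.Y" comment; 1.34 is the fixed release; GOOD_COPY is a local, reviewed file.

# Print the version string found in a timthumb.php, or "unknown" when the file carries none
# (very old copies, like the Mimbo one discussed later in the thread, have no version at all).
timthumb_version() {
  v=$(grep -oE "define *\( *'VERSION' *, *'[0-9]+(\.[0-9]+)*'|VERSION: *[0-9]+(\.[0-9]+)*" "$1" 2>/dev/null \
        | grep -oE '[0-9]+(\.[0-9]+)*' | head -n 1)
  printf '%s\n' "${v:-unknown}"
}

# version_lt A B: succeed when dotted version A is older than B (so 1.9 < 1.10, unlike a float compare).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) { if (x[i] + 0 < y[i] + 0) exit 0; if (x[i] + 0 > y[i] + 0) exit 1 }
    exit 1 }'
}

# classify_timthumb FILE LATEST: prints outdated | current | unknown
classify_timthumb() {
  v=$(timthumb_version "$1")
  if [ "$v" = unknown ]; then echo unknown
  elif version_lt "$v" "$2"; then echo outdated
  else echo current; fi
}

# quarantine_and_replace FILE QUARANTINE_DIR GOOD_COPY: move the old file out of the web root
# with a non-PHP suffix and tight permissions, install the vetted copy, and empty the cache/
# directory next to it (stale cache entries were the other concern raised in the thread).
quarantine_and_replace() {
  mkdir -p "$2"
  dest="$2/$(printf '%s' "$1" | tr '/' '_').$(date +%s).txt"
  mv "$1" "$dest" && chmod 0600 "$dest"
  cp "$3" "$1" && chmod 0644 "$1"
  cache="$(dirname "$1")/cache"
  if [ -d "$cache" ]; then rm -f "$cache"/*; fi
  return 0
}

# sweep DOCROOT_GLOB LATEST QUARANTINE_DIR [GOOD_COPY]: one "status path" line per copy found.
# Without GOOD_COPY this is a dry run that only reports.
sweep() {
  find $1 -type f -name timthumb.php 2>/dev/null | while IFS= read -r f; do
    s=$(classify_timthumb "$f" "$2")
    printf '%s %s\n' "$s" "$f"
    if [ "$s" = outdated ] && [ -n "${4:-}" ]; then quarantine_and_replace "$f" "$3" "$4"; fi
  done
  return 0
}

# Usage (paths are placeholders):
#   sh timthumb_sweep.sh --sweep '/home/*/public_html' 1.34 /root/timthumb-quarantine /root/timthumb-1.34.php
if [ "${1:-}" = "--sweep" ]; then
  sweep "$2" "${3:-1.34}" "$4" "${5:-}"
fi
```

The quarantine copy gets a `.txt` suffix and mode 0600 in addition to being moved outside the document root, so it cannot be executed even if someone later points a vhost at that directory. Back up and test image resizing on each site after a replacement, as the thread advises, since themes that patched their own copy may behave differently with the stock file.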
Posted by hb9aj4fn, 08-12-2011, 05:38 AM |
I have a customer who is using the WordPress Mimbo theme version 3.0 http://www.darrenhoyt.com/2007/08/05...heme-released/
In the themes folder there is a directory named "scripts", and in that directory we have "timthumb.php" file.
However, the timthumb.php-file does not contain any version number. Also I have searched for "AllowedSite" in "timthumb.php" file, but there is no match for it. I do not find any of the vulnerable code from this image http://www.websitedefender.com/wp-co...rable_code.png
So to me it seems that his "timthumb.php" file is not affected by the vulnerable code. Can somebody please help me check if that is correct?
I have uploaded my client's "timthumb.php" file in this post, please help me review if it is vulnerable. Thanks!
Attached Files: timthumb.php.txt (9.4 KB, 209 views)
Last edited by hb9aj4fn; 08-12-2011 at 05:43 AM.
|
Posted by John-e5, 08-12-2011, 10:25 AM |
If this theme was released in 2007, be sure that this version is so outdated that it doesn't even say what version it is.
Unless the theme developer provided updates all this time of course.
On the other hand, as you saw, it doesn't even have that functionality, so it might not have a problem, paradoxically because it's old.
I'd suggest communicating with the client first to inform him and then backup this old file, upload the newest version and test the functionality of the site (basically if the images/thumbs/resizing etc, work as expected). If everything seems fine then leave the new version up and store the old somewhere else.
|
Posted by CoderJosh, 08-13-2011, 08:29 AM |
Right. When looking for vulnerable versions of timthumb.php, I also came across several versions that were so old that they didn't even have the features now exploited.
Overall, I think it's a major problem that code that is packaged with themes is often never updated once the theme is deployed. Now many people keep WordPress and their plugins up to date, because it's easy enough with WordPress's update management, but themes are often only updated if they break (in a visible way).
|
Posted by CyberDairy, 08-16-2011, 09:02 AM |
Thanks for the info, it really saved my life, as our 80+ websites are on WordPress, thanks a lot.
|
Posted by pmabraham, 08-18-2011, 07:56 PM |
Good day:
There is a LinkedIn Online WordPress group; and there have been several discussions on this topic matter.
http://www.linkedin.com/groupItem?vi...ck=.gmp_154024 is one of the most commented discussions.
The themes we found to have the vulnerable file in it are as follows:
Chameleon
Deviant
Event
EventTheme
Memoir
Modest
MyProduct
Nova
Nova-1.4
SimplePress
TheCorporation
TheProfessional
The above is not all inclusive, and is only representative of themes we found on our servers.
Thank you.
|