There has been some buzz about a zero-day vulnerability found in TimThumb.php that allows an attacker to upload arbitrary files. Although this is a platform-independent issue, it is especially a problem on WordPress, where many theme authors bundle scripts like this in their themes without any additional security measures.
You can read more details about the TimThumb issue here: markmaunder.com
This is definitely an issue, but it is just the tip of the iceberg. TimThumb is only one of many scripts being added to themes and plugins without further vetting, or even being integrated incorrectly. Take Uploadify, for example, which we have recently seen exploited in very old versions of a popular WordPress theme.
Another issue is inexperience, along with laziness in some cases. WordPress has a lot of great built-in capabilities that are not being properly leveraged. For example, if theme and plugin authors used add_image_size to register the thumbnail sizes they need instead of bundling TimThumb, they would be in a safer position today.
Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process, and it is tightly controlled for good reason. The real problem is plugins and themes: with thousands of free and premium options on the market today, checking every release is not as simple as you might think.
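As an added illustration of the add_image_size point (this is not code from the original post or from any particular theme), here is what the WordPress-native approach looks like in a theme's functions.php. The size names 'teaser' and 'hero' and the function names are illustrative assumptions.

```php
<?php
// Added example, not code from the original post or from any particular theme:
// registering the thumbnail sizes a theme needs with add_image_size() instead of
// bundling TimThumb. Assumed context: a theme's functions.php; the size names
// 'teaser' and 'hero' and the function names below are illustrative.

function example_theme_setup() {
    // Enable featured images, then declare every size the templates will use.
    // WordPress generates these files once, when an image is uploaded through
    // the media library, so no resizing happens at request time.
    add_theme_support( 'post-thumbnails' );
    add_image_size( 'teaser', 300, 200, true );  // hard crop to exactly 300x200
    add_image_size( 'hero', 1200, 500, true );   // hard crop to exactly 1200x500
}
add_action( 'after_setup_theme', 'example_theme_setup' );

// Template helper. The TimThumb pattern builds a URL such as
//   /wp-content/themes/foo/timthumb.php?src=http://example.org/x.jpg&w=300&h=200
// and lets a standalone script fetch and resize whatever 'src' names. Here the
// image can only ever be an attachment that is already in the media library,
// and WordPress escapes the src, width, height and alt attributes for us.
function example_theme_teaser_image( $post_id ) {
    if ( ! has_post_thumbnail( $post_id ) ) {
        return '';
    }
    return get_the_post_thumbnail( $post_id, 'teaser', array( 'class' => 'teaser' ) );
}

// If a template needs the raw URL (for a CSS background, say), ask for the
// registered size rather than computing one: index 0 of the result is the URL.
function example_theme_hero_url( $post_id ) {
    $thumb_id = get_post_thumbnail_id( $post_id );
    if ( ! $thumb_id ) {
        return '';
    }
    $src = wp_get_attachment_image_src( $thumb_id, 'hero' );
    return $src ? esc_url( $src[0] ) : '';
}
```

One caveat: a size registered after images were already uploaded only applies to new uploads, so existing media needs its thumbnails regenerated (a thumbnail-regeneration plugin or WP-CLI's `wp media regenerate` does this). That is a one-time cost, against TimThumb's per-request resizing of anything a URL parameter points at.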
Minimize Your Risk
Here are a few things that, if put into practice, will help you minimize the risk of being exploited:
- Keep your themes and plugins updated – outdated software is the #1 cause of malware infections and hacks, independent of platform!
- Only download from reputable sources (for example, WordPress.org).
- Only use plugins and themes that are actively developed and have good, trusted reviews. Do your homework.
- Keep an eye on WordPress security news for reports of issues in the plugins or themes you use.
- Don't just deactivate software you are not using, remove it. Just because a plugin or theme is not active doesn't mean it's not vulnerable: its files are still on disk, and a standalone script like TimThumb can be requested directly by URL whether or not the theme is in use.
Sucuri WordPress Check
Here is a script we created so you can check for some of the issues outlined above – Sucuri WP Check
How to Use
- Save the script to your local machine by right-clicking the link above and choosing "Save link as"
- Log in to your site via SFTP or FTP (we recommend SFTP/SSH)
- Upload the script to your WordPress root directory
- Rename sucuri_wp_check.txt to sucuri_wp_check.php
- Run the script in your browser of choice – yourdomain.com/sucuri_wp_check.php – making sure you change the URL to your own domain and to wherever you uploaded the file
- Check the results, then delete the script from the server: a diagnostic script left in the web root can be run by anyone who guesses its name
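To make the kind of check described above concrete, here is an added command-line example (not the Sucuri WP Check script, and not code from the original post) that walks a WordPress install, finds bundled copies of TimThumb, active or not, and reports their declared version. It assumes TimThumb declares its version near the top of the file as define('VERSION', '...'), that the usual file names are timthumb.php and thumb.php, and that MIN_SAFE_VERSION is the release you consider fixed; all three are assumptions to verify against the current advisory.

```php
<?php
// Added example, not the Sucuri WP Check script: a minimal command-line scan that
// walks a WordPress install, finds bundled copies of TimThumb and reports their
// version, so you can see which themes and plugins ship it (active or not).
// Assumptions (not from the original post): run as
//   php find_timthumb.php /path/to/wordpress
// TimThumb declares its version near the top of the file as
//   define ('VERSION', 'x.y');
// and MIN_SAFE_VERSION is the release you consider fixed; adjust it to the
// current advisory rather than trusting the value here.

define( 'MIN_SAFE_VERSION', '2.0' );

// Returns the declared TimThumb version from the head of a file, or null if
// there is no VERSION define in it.
function timthumb_version( $head ) {
    $re = '/define\s*\(\s*[\'"]VERSION[\'"]\s*,\s*[\'"]([^\'"]+)[\'"]\s*\)/i';
    if ( preg_match( $re, $head, $m ) ) {
        return $m[1];
    }
    return null;
}

// Walks $root and returns one record per file that looks like a TimThumb copy:
// path, declared version (or null) and whether it is below MIN_SAFE_VERSION.
function find_timthumb_copies( $root ) {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ( $iter as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        $path = $file->getPathname();
        // The banner comment and the VERSION define sit at the top of the
        // script; reading the first 8 KB is plenty and keeps the scan fast.
        $head = @file_get_contents( $path, false, null, 0, 8192 );
        if ( $head === false ) {
            continue;
        }
        $name    = strtolower( $file->getFilename() );
        $version = timthumb_version( $head );
        // Heuristic: the usual file names, or a file that both mentions TimThumb
        // and carries its VERSION define. A template that merely links to
        // timthumb.php has no such define and is skipped.
        $named  = ( $name === 'timthumb.php' || $name === 'thumb.php' );
        $banner = ( stripos( $head, 'timthumb' ) !== false && $version !== null );
        if ( ! $named && ! $banner ) {
            continue;
        }
        $hits[] = array(
            'path'     => $path,
            'version'  => $version,
            // An unidentifiable version is reported as outdated: you cannot
            // vouch for a copy whose release you cannot determine.
            'outdated' => $version === null
                || version_compare( $version, MIN_SAFE_VERSION, '<' ),
        );
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' && ! empty( $argv[1] ) ) {
    $hits = find_timthumb_copies( rtrim( $argv[1], '/' ) );
    if ( ! $hits ) {
        echo "No TimThumb copies found.\n";
    }
    $outdated = 0;
    foreach ( $hits as $h ) {
        $outdated += $h['outdated'] ? 1 : 0;
        printf( "%-8s %-8s %s\n",
            $h['outdated'] ? 'OUTDATED' : 'ok',
            $h['version'] === null ? 'unknown' : $h['version'],
            $h['path']
        );
    }
    // Non-zero exit when anything outdated was found, so a cron job can alert on it.
    exit( $outdated > 0 ? 1 : 0 );
}
```

Run it as a user that can read the whole wp-content tree (an unreadable directory makes RecursiveDirectoryIterator throw), and run it from a shell rather than uploading it to the web root, for the same reason given in the last step above. Every hit, outdated or not, is worth asking the question from the list earlier on this page: does that theme or plugin still need to be installed at all?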
If you have any questions, let us know, leave a comment below and we’ll try to reply as quickly as possible.