There has been some buzz about a zero day vulnerability found in Timthumb.php that can allow for arbitrary file uploads. Although this is a platform independent issue, it is specially an issue on WordPress where a lot of theme authors choose to include scripts in themes without any extra security measures.
You can read more details about the TimThumb issue here: markmaunder.com
This is definitely an issue, but it’s just the tip of the iceberg. TimThumb is just one of various scripts that are being added to themes/plugins without further vetting, or even incorrectly. Take Uploadify for example, which we’ve recently seen being exploited in very old versions of a popular WordPress theme.
Another issue is inexperience, well, along with laziness in some cases. WordPress has built in a lot of great capabilities that aren’t being properly leveraged. For example, if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.
Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process, it is very controlled for good reason. The problem here is really around plugins and themes, it’s not as simple as you may think to check every release being there are thousands of free and premium options on the market today.
Minimize Your Risk
Here are a few things that if put into practice, will help you minimize the risk of getting exploited:
- Keep your themes and plugins updated – #1 cause of malware infections and hacks independent of any platform!
- Only download from reputable sources (WordPress.org).
- Only use plugins and themes that are being actively developed and have good, trusted reviews. Do your homework
- Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using.
- Don’t just disable, remove any software that you’re not actively using. Just because it’s not active doesn’t mean it’s not vulnerable
Sucuri WordPress Check
Here is a script we created to enable you to check for some of the issues we’ve outlined above – Sucuri WP Check
How to Use
- Save script to your local machine by right clicking the link above and save link as
- Login to your site via sFTP or FTP (We recommend sFTP/SSH)
- Upload the script to your root WordPress directory
- Rename sucuri_wp_check.txt to sucuri_wp_check.php
- Run the script via browser of choice – yourdomain.com/sucuri_wp_check.php – Make sure you change the URL path to your domain and wherever you uploaded the file
- Check the results
If you have any questions, let us know, leave a comment below and we’ll try to reply as quickly as possible.
Daniel Cid
Marc-Alexandre Montpas
Denis Sinegubko
Magno Rodrigues
Kaushal Bhavsar
Antony Garand
50 comments
This is the same pattern that we previously saw with web browsers. First, the browsers themselves were exploited. Once the browser vendors stepped up their security efforts, cybercriminals went after third party apps and plugins, like Adobe Reader, Flash Player, and JAVA.
It’s going to be a challenge—and an important one to tackle head on—for the WordPress community to figure out how to better manage security of plugins.
You’re absolutely spot on Maxim!
Nothing of this size, or capacity will ever be easy to manage. It’s a continual process that needs constant attention.
How do I actually run a script via FF that I have uploaded? Never done it. Not a coding or prgraming guy.
Thanks much.
Peace and Blessings
Hi there.
Once you’ve uploaded the script, you can run it by typing in its address in the browser.
Example – yourdomain.com/sucuri_wp_check.php
Hope this helps.
Dre
Yea. I finally figured it out. Thanks though!
I was actually, believe it or not, able to run it as a .txt.
Ran as ftp://xxx@ftp.timlist.net/xxx/ebooks/ccp/sucuri_wp_check.txt
And it returned this:
Checking your WordPress install…
By Sucuri.net – Questions? Contact support@sucuri.net
“;
$issues = scanallfiles($dir);
echo ”
“; if($issues == 0) { echo ”
No issues found. Completed.
n”; } ?>
I also re-read the directions and relized I did not set it as .php. Doh!
Then that worked much easier with .php.
Peace and Blessings
Thanks a lot. I had a friend with some wp issues. His site was hacked twice this year. I ran the sucuri_wp_check.php but it was clean. I couldn’t find a resolution but after I ran WP Security Scan Plugin I fixed some vulnerabilities. The site is up since 2 months so I cross my fingers.
For example. I put in my link… with .txt and that file shows up. But running it with .php simply fails and offers to search the WP site?
http://www.timlist.net/ebooks/ccp/ is my address.
Also, for you WP experts. With my url, WP is installed under /CCP. I am making an ebook site to sell my just recently deceased fathers ebooks he created in the last two years. But lets say I want to do my own books as well. Should I have installed WP into /ebooks or something instead? To avoid multiple WP installs? Or do I want to use multiple WP installs?
Say I ended up with 20 authors selling on my site? What would be the intellegent way to do this via WP installs? Thanks much. If the latter is an inapropriate question for this site, blog, etc. I applogize.
Thanks much
Peace and Blessings
Your script found two instances of: “Found PHP file inside image directory” of a plugin I use.
What actions should I take?
Thanks.
The one thing timthumb does that WordPress doesn’t do on its own is the ability to pull external images to then turn into thumb nails and etc…
I was thinking of using it for that very reason since I host all my images on photobucket because I don’t want image leeches to steal my bandwidth on my blog host.
I love the media handling of WordPress but since it doesn’t work on external images then simply turning off that function on timthumb makes the script pointless for me. YMMV.
I’m interested in your point about limiting leeching of your bandwidth for image delivery. Would a direct block on hotlinking work as well?
Hi ,Should I delete the sucuri_wp_check.txt after I have used it.
THANKS.
Very interesting
Thank you for this great info, and for your sucuri_wp_check.php script that helps me sleep better at night! 🙂
Hi I got this error when I ran the php script. Not a developer by any means, first time Ive been attacked like this. Is there something a guy like me can do to fix this? Any help is greatly appreciated.
Checking your WordPress install…
By Sucuri.net – Questions?
Contact support@sucuri.net
Warning: Found suspicious file (timthumb or uploadify): ./wp-content/plugins/logo-management/includes/timthumb.php
Warning: Found suspicious file (timthumb or uploadify): ./wp-content/themes/premiumnews/thumb.php
Thanks for writing this blogpost and creating the security check!
I ran your script and it shows 2 issues with timthumb on 2 other sites i have. BUT doesn’t say anything about the site I have that was blocked by Google. The offending page that apparently was attacked is now clean (without my doing). What can I do next?? thanks!
Interesting, I used the Securi check and it says im all good…I never updated my thumb.php though. Hurmm….
Thank you soooo much for this information and scanning script. What a blessing to everyone going through this, and a help to the net on the whole.
I ran your sucuri_wp_check.php script and got a clean bill of health. Thanks!
Based on the huge number of “bad link” email messages that have shown up in my inbox, someone is farming different themes on my site looking for the timthumb.php script.
Hi. I found that one my old and unupdated plugin (kc-related-posts-by-category) have tumthumb.php there. I deleted it before few days when i released that have some iframes injected in my blog. Its now worthy to check and if yes does this script is still functional?
Is the vulnerabilities that this script checks for included in the checks made by the Sucuri SiteCheck Malware Scanner plugin for WP or would both be needed to cover all bases?
Comments are closed.