The timthumb Disaster

I don’t recall anything affecting WordPress security so much as the timthumb disaster.

The timthumb.php file is a script commonly used in WordPress (and other software) themes and plugins to resize images. It's a fairly standard thing to include in a theme, and it has seen a massive amount of use across the WordPress world. Google shows over 39 million results for the script name, just to give you an idea.

In August 2011 someone first wrote about a WordPress site hacked using a vulnerability in timthumb. After that came a mass infection of WordPress sites due to timthumb. Some web hosting companies later became aware of this and started correcting the problem. It has been a huge problem that still affects thousands of people to this day.

The vulnerability allows an attacker to upload arbitrary files and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser hijacking and infection, data harvesting and more. Once a site has been exploited, it may end up labeled a "Malicious Website" by Google or other security authorities.
Any timthumb.php file above version 1.09 and below version 1.35 is considered vulnerable unless it has been patched. To avoid being compromised, update every instance of timthumb.php to version 2.0, or patch the existing vulnerable files. Note that patching the files requires more in-depth knowledge of the PHP scripting language.

You may check any of your sites to see if they are vulnerable by using this plugin:
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
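If you would rather check from the command line than install a plugin, here is an added example (my own script, not the post's code and not the scanner plugin linked above). It walks a web root, finds every timthumb.php, reads the VERSION constant and flags the copies that fall in the range the post calls vulnerable (above 1.09 and below 1.35). It assumes timthumb declares its version with a define('VERSION', '...') line, that copies are sometimes shipped renamed as thumb.php, and the sample tree it scans is constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example: find timthumb copies under a web root and flag the versions
# the post describes as vulnerable (above 1.09, below 1.35).
# Assumption: timthumb declares its version as  define ('VERSION', '1.33');

# Print the VERSION constant declared in a PHP file, or "unknown" if absent.
timthumb_version() {
  # tolerate any spacing and either quote style around the define() arguments
  v=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1" | head -n 1)
  if [ -n "$v" ]; then
    printf '%s\n' "$v"
  else
    printf 'unknown\n'
  fi
}

# Return 0 when a version string is in the vulnerable range (1.10 .. 1.34),
# 1 for anything else, including "unknown" or unparsable strings.
is_vulnerable_version() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  case "$major$minor" in *[!0-9]*) return 1 ;; esac
  if [ "$major" -eq 1 ] && [ "$minor" -gt 9 ] && [ "$minor" -lt 35 ]; then
    return 0
  fi
  return 1
}

# Scan a directory tree; print one line per hit: path, version, status.
# Status is VULNERABLE, ok, or INSPECT (no VERSION line found, check by hand).
# thumb.php is included because themes often ship timthumb under that name.
scan_timthumb() {
  find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) | sort |
  while read -r f; do
    v=$(timthumb_version "$f")
    if [ "$v" = unknown ]; then
      status=INSPECT
    elif is_vulnerable_version "$v"; then
      status=VULNERABLE
    else
      status=ok
    fi
    printf '%s\t%s\t%s\n' "$f" "$v" "$status"
  done
}

# Constructed sample tree (not real theme code) so the script runs offline.
# Prints the temporary root it created.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/themes/old/lib" "$d/themes/new" "$d/plugins/x"
  cat > "$d/themes/old/lib/timthumb.php" <<'EOF'
<?php
define ('VERSION', '1.33');  // constructed: in the vulnerable range
EOF
  cat > "$d/themes/new/timthumb.php" <<'EOF'
<?php
define('VERSION', '2.0');    // constructed: updated copy
EOF
  cat > "$d/plugins/x/thumb.php" <<'EOF'
<?php
// constructed: renamed copy with no VERSION line, needs a manual look
EOF
  printf '%s\n' "$d"
}

# Usage: run against your real web root, e.g.  scan_timthumb /var/www/html
# The demo below scans the constructed tree instead.
root=$(make_sample_tree)
scan_timthumb "$root"
rm -rf "$root"
```

Anything reported as VULNERABLE should be replaced with version 2.0; anything reported as INSPECT has no recognisable version line and should be opened and checked by hand, since a renamed or locally modified copy is still the same script.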
