08-02-2011, 04:13 AM
TheSenator
Too lazy to set a custom title
Join Date: Feb 2003
Location: NJ
Posts: 13,332
Zero Day Vulnerability in many WordPress Themes

If you are using a theme that re-sizes images then you are mostly likely using a version of TimThumb.php.

There is a fix....

URL: http://markmaunder.com/2011/zero-day...dpress-themes/
================
Update: Ben, the developer of timthumb has been in contact and is working on a fix. His own site was hacked Friday using the same method. I've submitted a tiny patch and if you're a solid PHP hacker it'd be great if you could eyeball the code with us and submit a patch (really easy to do on Google code) if you spot any other opportunities for cleanup (there are many). Given enough eyeballs... you know the quote.

The Exec summary: An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven't audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you've been compromised...
http://markmaunder.com/2011/zero-day...dpress-themes/
__________________
ISeekGirls.com since 2005
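The quoted summary says the script "only does a partial match on hostnames" and recommends emptying $allowedSites. The following PHP is an added illustration, not timthumb's own code and not part of the post above: it puts a substring-style host check beside an exact-host check so the difference is visible on sample URLs. The function names, the allowlist contents and the sample URLs are constructed for this example and are not identifiers from timthumb.php.

```php
<?php
// Added example (not timthumb.php's code): substring host matching versus
// exact host matching for a remote-image allowlist. Names below are assumptions.

// Constructed allowlist of hosts a resizer might be willing to fetch from.
$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com');

// Weak check: treats each allowlist entry as a substring of the host name,
// so any host that merely contains an allowed name is accepted.
function is_allowed_substring($url, array $allowedSites) {
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === false || $host === null) {
        return false;
    }
    foreach ($allowedSites as $site) {
        if (strpos($host, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: the scheme must be http or https, and the host must equal
// an allowlisted name exactly (or be a dot-delimited subdomain of it),
// compared case-insensitively. With an empty allowlist every remote URL is
// refused, which is the "set $allowedSites to be empty" mitigation quoted above.
function is_allowed_exact($url, array $allowedSites) {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        // Accept genuine subdomains (e.g. farm1.flickr.com) but not look-alikes.
        $suffix = '.' . $site;
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: a genuine host, a genuine subdomain, and two hosts
// that merely contain an allowlisted name somewhere in their labels.
$samples = array(
    'http://flickr.com/photo.jpg',
    'http://farm1.flickr.com/photo.jpg',
    'http://blogger.com.example.net/photo.jpg',   // look-alike: should be refused
    'http://notblogger.com/photo.jpg',            // look-alike: should be refused
);

foreach ($samples as $url) {
    printf("%-45s substring=%s exact=%s\n", $url,
        is_allowed_substring($url, $allowedSites) ? 'allow' : 'deny',
        is_allowed_exact($url, $allowedSites) ? 'allow' : 'deny');
}
```

Running this with `php` prints one line per sample: the substring check allows all four URLs, the exact check allows only the first two. The exact check is what an allowlist of hosts should mean, and passing it an empty array reproduces the advisory's interim mitigation of refusing every remote fetch.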