Zero Day Vulnerability in many WordPress Themes - GoFuckYourself.com

TheSenator · 08-02-2011, 04:13 AM

If you are using a theme that re-sizes images then you are mostly likely using a version of TimThumb.php.

There is a fix....

URL: http://markmaunder.com/2011/zero-day...dpress-themes/
================
Update: Ben, the developer of timthumb has been in contact and is working on a fix. His own site was hacked Friday using the same method. I?ve submitted a tiny patch and if you?re a solid PHP hacker it?d be great if you could eyeball the code with us and submit a patch (really easy to do on Google code) if you spot any other opportunities for cleanup (there are many). Given enough eyeballs? you know the quote.

The Exec summary: An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven?t audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you?ve been compromised..............
http://markmaunder.com/2011/zero-day...dpress-themes/

paymeback · 08-02-2011, 06:36 AM

Bump fixed mine up, thanks

fris · 08-02-2011, 06:56 AM

i dont use it

JamesGw · 08-02-2011, 08:54 AM

Thanks for this.

TrustCash · 08-02-2011, 08:54 AM

Thanks for the heads up, man. :-)

alias · 08-02-2011, 09:14 AM

Thanks, had it on a couple blogs.

Brujah · 08-02-2011, 09:17 AM

A lot of Themeforest authors rely on TimThumb heavily instead of using WP built-in functions. Definitely check your themforest themes for timthumb.php

TheSenator · 08-02-2011, 09:40 AM

Quote:

Originally Posted by Brujah

A lot of Themeforest authors rely on TimThumb heavily instead of using WP built-in functions. Definitely check your themforest themes for timthumb.php

Fuck...

Everybody pretty much uses this script or modify it a bit.

Well, at least I now know how to exploit a WordPress site using TimThumb

Brujah · 08-02-2011, 10:32 AM

Discussion on Google Code seems to be ongoing about whether the fix is good enough or not.
http://code.google.com/p/timthumb/issues/detail?id=212

CyberHustler · 08-02-2011, 10:45 AM

Sucks for you guys...

cooldude7 · 08-02-2011, 11:21 AM

when the day wil come, when wp wont need updates....?

Brujah · 08-02-2011, 11:28 AM

Quote:

Originally Posted by cooldude7

when the day wil come, when wp wont need updates....?

It's important to note that this is not WordPress. It's something separate that several theme authors and plugin authors have used to make the creation of images of various sizes easier.

harvey · 08-02-2011, 12:09 PM

Quote:

Originally Posted by cooldude7

when the day wil come, when wp wont need updates....?

when you have something that is 4 or 5 years ahead of the standard you may find that things may need correction here and there. The good news is that they are actually corrected. Think about this: is absolutely impossible for any program, piece of software, code snippet, whatever to be as advanced as a collaborative environment with tens of thousands programmers behind it

Quote:

Originally Posted by Brujah

It's important to note that this is not WordPress.

this.

either way, personally, I couldn't care less, I don't use timthumbs since like 4 years ago. It was nice and OK if you didn't mind the look of your site, but it gets very random results. WP built in image features might not be as complete, but they're 100 times better

sicone · 08-02-2011, 12:19 PM

Dumb question here... but is there a quick way to search my WP installs for this file? I know it's not one I have installed as a plugin but as said many themes and plugins use it that I may not be aware of.

TheSenator · 08-02-2011, 01:01 PM

Quote:

Originally Posted by sicone

Dumb question here... but is there a quick way to search my WP installs for this file? I know it's not one I have installed as a plugin but as said many themes and plugins use it that I may not be aware of.

Look in the /wp-content/themes/"theme folder you are using*/timthumb.php or thumb.php

Highest Def · 08-02-2011, 01:12 PM

Quote:

Originally Posted by sicone

Dumb question here... but is there a quick way to search my WP installs for this file? I know it's not one I have installed as a plugin but as said many themes and plugins use it that I may not be aware of.

It should be listed in the admin under the editor, where you edit all the theme files including CSS. It's usually listed near the bottom and the 'allowedsites' array will be pretty close to the top of the file. *not all themes that use it will have it listed here but odds are that it is.

Barry-xlovecam · 08-02-2011, 07:28 PM

Quote:

Originally Posted by sicone

Dumb question here... but is there a quick way to search my WP installs for this file? I know it's not one I have installed as a plugin but as said many themes and plugins use it that I may not be aware of.

Code:

ssh;

user@server$ locate timthumb.php

user@server$ locate thumb.php

V_RocKs · 08-02-2011, 09:03 PM

find ./ -name timthumb.php

fris · 08-03-2011, 08:46 AM

Quote:

Originally Posted by Barry-xlovecam

Code:

ssh;

user@server$ locate timthumb.php

user@server$ locate thumb.php

find would be better, locate only works if the locate db is up to date.

cooldude7 · 08-03-2011, 08:56 AM

luckily, i dont have timthumb.php on my server.

V_RocKs · 08-03-2011, 09:11 AM

Quote:

Originally Posted by cooldude7

luckily, i dont have timthumb.php on my server.

No luck about it Cool Dude. It's called skill!

cooldude7 · 08-03-2011, 12:22 PM

Quote:

Originally Posted by V_RocKs

No luck about it Cool Dude. It's called skill!

damn, just noticed , the theme i am working on for current project is using older version of timthumb, so 1st i upgraded that file to
http://code.google.com/p/timthumb/so...k/timthumb.php

and then secured it by

http://markmaunder.com/2011/zero-day...dpress-themes/

thanks guys....

Barry-xlovecam · 08-03-2011, 01:05 PM

Quote:

Originally Posted by fris

find would be better, locate only works if the locate db is up to date.

Code:

stat /var/lib/mlocate/mlocate.db
  File: `/var/lib/mlocate/mlocate.db'
  Size: 19579819  	Blocks: 38248      IO Block: 4096   regular file
Device: 801h/2049d	Inode: 657262      Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (  108/ mlocate)
Access: 2011-08-03 16:02:09.454826368 -0400
Modify: 2011-08-03 07:48:35.783993745 -0400
Change: 2011-08-03 07:48:35.783993745 -0400

Yeah, mine is 8 hours + old ...

fris · 08-03-2011, 02:04 PM

Quote:

Originally Posted by Barry-xlovecam

Code:

stat /var/lib/mlocate/mlocate.db
  File: `/var/lib/mlocate/mlocate.db'
  Size: 19579819  	Blocks: 38248      IO Block: 4096   regular file
Device: 801h/2049d	Inode: 657262      Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (  108/ mlocate)
Access: 2011-08-03 16:02:09.454826368 -0400
Modify: 2011-08-03 07:48:35.783993745 -0400
Change: 2011-08-03 07:48:35.783993745 -0400

Yeah, mine is 8 hours + old ...

plus thats freebsd isnt it?

Barry-xlovecam · 08-03-2011, 02:31 PM

Quote:

Originally Posted by fris

plus thats freebsd isnt it?

No, a LINUX ...

tonyparra · 08-18-2011, 10:41 AM

i have dozens that may use timthumb

not going to be a fun weekend

08-02-2011, 04:13 AM	#1
TheSenator Too lazy to set a custom title Industry Role: Join Date: Feb 2003 Location: NJ Posts: 13,332	Zero Day Vulnerability in many WordPress Themes If you are using a theme that re-sizes images then you are mostly likely using a version of TimThumb.php. There is a fix.... URL: http://markmaunder.com/2011/zero-day...dpress-themes/ ================ Update: Ben, the developer of timthumb has been in contact and is working on a fix. His own site was hacked Friday using the same method. I?ve submitted a tiny patch and if you?re a solid PHP hacker it?d be great if you could eyeball the code with us and submit a patch (really easy to do on Google code) if you spot any other opportunities for cleanup (there are many). Given enough eyeballs? you know the quote. The Exec summary: An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven?t audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you?ve been compromised.............. http://markmaunder.com/2011/zero-day...dpress-themes/ __________________ ISeekGirls.com since 2005

08-02-2011, 06:36 AM	#2
paymeback Confirmed User Join Date: May 2005 Location: Sydney, Australia Posts: 1,478	Bump fixed mine up, thanks __________________ ICQ:36-43-49-11

08-02-2011, 06:56 AM	#3
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,359	i dont use it __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

08-02-2011, 08:54 AM	#4
JamesGw Confirmed User Industry Role: Join Date: Apr 2011 Posts: 1,237	Thanks for this. __________________ Giggles.com has a huge selection of sex toys. Need backlinks? Ask to guest post on our adult blog.

08-02-2011, 08:54 AM	#5
TrustCash Confirmed User Industry Role: Join Date: Jul 2011 Posts: 344	Thanks for the heads up, man. :-) __________________

08-02-2011, 09:14 AM	#6
alias aliasx Join Date: Apr 2001 Posts: 19,010	Thanks, had it on a couple blogs. __________________ https://porncorporation.com

08-02-2011, 09:17 AM	#7
Brujah Beer Money Baron Industry Role: Join Date: Jan 2001 Location: brujah / gmail Posts: 22,157	A lot of Themeforest authors rely on TimThumb heavily instead of using WP built-in functions. Definitely check your themforest themes for timthumb.php __________________ Free Premium Domain Lists and Tools at Clickmojo.com For Sale: Obscenity.com

08-02-2011, 10:32 AM	#9
Brujah Beer Money Baron Industry Role: Join Date: Jan 2001 Location: brujah / gmail Posts: 22,157	Discussion on Google Code seems to be ongoing about whether the fix is good enough or not. http://code.google.com/p/timthumb/issues/detail?id=212 __________________ Free Premium Domain Lists and Tools at Clickmojo.com For Sale: Obscenity.com

08-02-2011, 10:45 AM	#10
CyberHustler Unregistered Abuser Industry Role: Join Date: Feb 2006 Posts: 25,659	Sucks for you guys...

08-02-2011, 11:21 AM	#11
cooldude7 Confirmed User Industry Role: Join Date: Nov 2009 Location: Heaven Posts: 4,306	when the day wil come, when wp wont need updates....?

08-02-2011, 12:19 PM	#14
sicone Retired Industry Role: Join Date: Jan 2004 Location: Sac Posts: 18,453	Dumb question here... but is there a quick way to search my WP installs for this file? I know it's not one I have installed as a plugin but as said many themes and plugins use it that I may not be aware of. __________________

08-02-2011, 09:03 PM	#18
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,406	find ./ -name timthumb.php

08-03-2011, 08:56 AM	#20
cooldude7 Confirmed User Industry Role: Join Date: Nov 2009 Location: Heaven Posts: 4,306	luckily, i dont have timthumb.php on my server.

08-18-2011, 10:41 AM	#26
tonyparra Confirmed User Industry Role: Join Date: Jul 2008 Location: In your back seat with duck tape Posts: 4,568	i have dozens that may use timthumb not going to be a fun weekend __________________ High Performance Vps $10 Linode Manage your Digital Ocean, Linode, or Favorite Cloud Server. Simple, fast, and secure Server Pilot