Archive | August, 2011

Zero-day Vulnerability In TimThumb Image Utility Threatens Many WordPress Sites



This is timely, since on Monday we wrote about WebsiteDefender – Ensure Your Website Security, a platform for securing web applications with a focus on WordPress. Today a zero-day in a very widely used WordPress library hit quite a few news sites.

The flaw is in an image utility called TimThumb, which is used in a lot of premium themes to generate thumbnails on the fly. You can check it out (and grab the latest version) here:

http://code.google.com/p/timthumb/

Attackers are exploiting a widely used extension for the WordPress publishing platform to take control of vulnerable websites, one of the victims has warned.

The vulnerability affects virtually all websites that have an image-resizing utility called TimThumb running with WordPress, Mark Maunder, CEO of Seattle-based Feedjit, wrote in a post published Monday. The extension is “inherently insecure” because it makes it easy for hackers to execute malicious code on websites that use it. At least two websites have already been compromised, he reported.

Maunder said he found the vulnerability after discovering his own website, markmaunder.com, was suddenly and inexplicably loading advertisements, even though the blog wasn’t configured to do so.

After a thorough investigation, he learned that an attacker had used TimThumb to load a PHP file into one of his site directories and then execute it. The utility, he said, by default allows files to be remotely loaded and resized from blogger.com, wordpress.com, and five other websites and doesn’t vet URLs for malicious strings, making it possible to upload malicious payloads.

I personally think this could cause some major problems: TimThumb is bundled with a great many WordPress themes (free ones or otherwise), and the bundled copy is usually an old version, which will be insecure. It also writes its image cache inside the web-accessible webroot, so anything it fetches can be requested directly by URL, which is really bad.

On top of that, the URL filtering doesn’t really work properly: it checks whether one of the allowed domains appears somewhere in the hostname rather than whether the hostname actually is (or is a subdomain of) that domain. So, with your own domain, you could create a subdomain such as malware.flickr.com.darknet.org.uk, host malware.php there, point TimThumb at that URL, and the file would be cached in the webroot.
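To make the failure concrete, here is an added example (not TimThumb’s own code, and not from the original post): the loose allow-list check described above beside a strict replacement, plus a safer way to write fetched content into a web-reachable cache directory. The allow list is built from the names the post mentions (blogger.com, wordpress.com, flickr.com); the function names and the `.cache` extension are illustrative assumptions, not TimThumb’s.

```php
<?php
// Added example, not TimThumb's own code: the loose allow-list check the post
// describes, beside a strict replacement, plus a safer way to write fetched
// content into a web-reachable cache directory.
// Assumptions: the allow list is built from the names the post mentions
// (blogger.com, wordpress.com, flickr.com); the function names and the
// ".cache" extension are illustrative, not TimThumb's.

$allowed_sites = ['blogger.com', 'wordpress.com', 'flickr.com'];

// Loose check: accepts the URL if an allowed name occurs anywhere in the host,
// so blogger.com.somebadhackersite.com and malware.flickr.com.darknet.org.uk
// both pass, as do non-http schemes.
function host_allowed_loose(string $url, array $allowed): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    foreach ($allowed as $site) {
        if (strpos($host, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: only http(s), and the host must be exactly an allowed name or
// a subdomain of it on a label boundary (ends in ".allowed"), case-insensitively.
function host_allowed_strict(string $url, array $allowed): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowed as $site) {
        $site   = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site
            || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;
}

// Only write a fetched body to the cache if PHP's image parser accepts it, and
// store it under a fixed non-PHP extension so the web server serves the bytes
// back instead of executing them. The extension is the real control: a GIF with
// PHP appended still parses as a GIF, so the image check alone is not enough.
function cache_fetched_image(string $body, string $url, string $cacheDir): ?string
{
    $tmp = tempnam($cacheDir, 'fetch_');
    if ($tmp === false || file_put_contents($tmp, $body) === false) {
        return null;
    }
    $info = @getimagesize($tmp);
    $ok   = $info !== false
        && in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true);
    if (!$ok) {
        unlink($tmp);
        return null;            // not an image: refuse to cache it at all
    }
    $dest = $cacheDir . '/' . sha1($url) . '.cache';
    return rename($tmp, $dest) ? $dest : null;
}

// Demo on the hostnames from the post plus a non-http scheme.
$urls = [
    'http://blogger.com/avatar.png',
    'http://img.blogger.com/avatar.png',
    'http://blogger.com.somebadhackersite.com/badscript.php',
    'http://malware.flickr.com.darknet.org.uk/malware.php',
    'ftp://wordpress.com/x.png',
];
foreach ($urls as $u) {
    printf("%-58s loose=%-5s strict=%s\n", $u,
        host_allowed_loose($u, $allowed_sites) ? 'allow' : 'deny',
        host_allowed_strict($u, $allowed_sites) ? 'allow' : 'deny');
}
```

The strict check only accepts a hostname that ends in `.blogger.com` (or equals it), so the two attacker-controlled names above are rejected while `img.blogger.com` still passes. Note that this fixes the allow-list bypass only; the cache-directory control is what stops a fetched `.php` file from ever being executable even if some other fetch path slips through.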


“So if you create a file on a web server like so: http://blogger.com.somebadhackersite.com/badscript.php and tell timthumb.php to fetch it, it merrily fetches the file and puts it in the cache directory ready for execution,” Maunder explained.

He went on to report the technique was used on Friday to hack Ben Gillbanks, developer of TimThumb. Gillbanks is working on a permanent fix, but in the meantime, Maunder has submitted a temporary patch that fixes the most obvious errors.

“I can’t apologise enough for this oversight in the code and hope nobody has anything too bad happen to their sites because of my error,” Gillbanks wrote in a comment responding to Maunder’s post.

One of the first people hit was a WordPress developer himself (which is a good thing, as it means we get a quick fix). A new, more secure version is (hopefully) in the works, and the developer has already pushed some quick fixes into the current version to make it harder to exploit.

You can grab the latest TimThumb.php code here:

http://timthumb.googlecode.com/svn/trunk/timthumb.php

Mark Maunder, CEO of Seattle-based Feedjit, has a lot more detail on how to fix the problem on his blog:

Zero Day Vulnerability in Many WordPress Themes

There’s a story from Network World here too:

Zero-day vulnerability found in a WordPress image utility

TimThumb ships in many themes under other names, so please also search for thumb.php, cropper.php, crop.php & resize.php.

Site: The Register
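Finding every copy in practice, as an added example that is not from the original post or the TimThumb project: the script below scans a wp-content tree for the renamed filenames listed above, and also for any PHP file that mentions TimThumb by name, and reports the version each copy declares. It assumes, as TimThumb’s own source does, a line of the form `define ('VERSION', '2.8.10');` near the top of the file; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or the TimThumb project: locate
# every copy of TimThumb under a WordPress install, whatever it has been
# renamed to, and report the VERSION each one declares.
# Assumption: like TimThumb's own source, each copy has a line of the form
#     define ('VERSION', '2.8.10');
# near the top. A hit with no such line is reported as "unknown".
# The sample tree built by make_sample_tree is constructed for the demo.

find_timthumb() {
    # $1 = directory to scan, e.g. /var/www/html/wp-content
    # Output: one "<path><TAB><version>" line per hit.
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        case "${f##*/}" in
            timthumb.php|thumb.php|cropper.php|crop.php|resize.php) named=1 ;;
            *) named=0 ;;
        esac
        # Match on the usual filenames or on the name inside the file.
        if [ "$named" -eq 1 ] || grep -qi 'timthumb' "$f"; then
            ver=$(sed -n "s/.*define *('VERSION', *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
            printf '%s\t%s\n' "$f" "${ver:-unknown}"
        fi
    done
}

make_sample_tree() {
    # Constructed wp-content layout: an original copy, a renamed copy that never
    # mentions the name, a renamed copy with no version line, and a bystander.
    d=$(mktemp -d)
    mkdir -p "$d/themes/alpha/scripts" "$d/themes/beta/inc"
    printf "<?php\n/* TimThumb script */\ndefine ('VERSION', '1.33');\n" \
        > "$d/themes/alpha/scripts/timthumb.php"
    printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$d/themes/beta/inc/thumb.php"
    printf "<?php\n// resizer\n" > "$d/themes/beta/inc/resize.php"
    printf "<?php\necho 'hello';\n" > "$d/themes/beta/functions.php"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
find_timthumb "$sample"
rm -rf "$sample"
```

Run it against a real install with `find_timthumb /var/www/html/wp-content`; every hit whose version is older than the current trunk copy linked above (or "unknown") is a candidate for replacement, and a hit under a theme you thought had no thumbnailer at all is worth a closer look.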


Posted in: Exploits/Vulnerabilities, Web Hacking



WebsiteDefender – Ensure Your Website Security



WebsiteDefender is an online service that monitors your website for hacker activity, audits the security of your web site and gives you easy to understand solutions to keep your website safe. With WebsiteDefender you can:

  • Detect Malware present on your website
  • Audit your web site for security issues
  • Avoid getting blacklisted by Google
  • Keep your web site content & data safe
  • Get alerted to suspicious hacker activity

It has an easy-to-use interface and picks up all kinds of issues: malware, reverse shells like c99, obvious things like outdated plugins and WordPress core, weak passwords, bad configurations (including .htaccess) and much more.


Each alert is well explained and will help you to solve any issues the system finds on your blog/site.


The great value in this for me is that once you are subscribed, you are automatically alerted by email to new issues as and when they occur, so you will know immediately if anything develops rather than finding out when your site starts serving someone else’s adverts.

They’ve even released two WordPress plugins which you can find here:

WP Security Scan & Secure WordPress

You can check out the website here and sign up for a free account to test it out:

http://www.websitedefender.com/

They are on Twitter (@WebsiteDefender) and Facebook too.


Posted in: Countermeasures, Security Software, Web Hacking
