The flaw is in an image utility called TimThumb which is used in a LOT of premium themes for generating on the fly thumbnails, you can check it out (and grab the latest version) here:

http://code.google.com/p/timthumb/

Attackers are exploiting a widely used extension for the WordPress publishing platform to take control of vulnerable websites, one of the victims has warned.

The vulnerability affects virtually all websites that have an image-resizing utility called TimThumb running with WordPress, Mark Maunder, CEO of Seattle-based Feedjit, wrote in a post published Monday. The extension is “inherently insecure” because it makes it easy for hackers to execute malicious code on websites that use it. At least two websites have already been compromised, he reported.

Maunder said he found the vulnerability after discovering his own website, markmaunder.com, was suddenly and inexplicably loading advertisements, even though the blog wasn’t configured to do so.

After a thorough investigation, he learned that an attacker had used TimThumb to load a PHP file into one of his site directories and then execute it. The utility, he said, by default allows files to be remotely loaded and resized from blogger.com, wordpress.com, and five other websites and doesn’t vet URLs for malicious strings, making it possible to upload malicious payloads.

I personally think this could cause some major problems because TimThumb is bundled with almost every WordPress theme (free ones or otherwise) and is invariably an old version – which will be insecure. It creates an image cache inside the readable webroot – which is really bad.

Plus the URL filtering doesn’t really work properly, so with your own domain you could create a subdomain malware.flickr.com.darknet.org.uk/malware.php and host up some nasty files there, call TimThumb on that file and it’d be cached in the webroot.

“So if you create a file on a web server like so: http://blogger.com.somebadhackersite.com/badscript.php and tell timthumb.php to fetch it, it merrily fetches the file and puts it in the cache directory ready for execution,” Maunder explained.

He went on to report the technique was used on Friday to hack Ben Gillbanks, developer of TimThumb. Gilders is working on a permanent fix, but in the meantime, Maunder has submitted a temporary patch that fixes the most obvious errors.

“I can’t apologise enough for this oversight in the code and hope nobody has anything too bad happen to their sites because of my error,” Gilders wrote in a comment responding to Maunder’s post

One of the first people that was hit was a WordPress developer himself (which is a good thing as it means we get a quick fix), a new more secure version (hopefully) is in the works and the developer has pushed out some quick fixes in the current version to make it harder to exploit.

You can grab the latest TimThumb.php code here:

http://timthumb.googlecode.com/svn/trunk/timthumb.php

There are also a lot more details on how to fix the problem on Mark Maunder’s blog, CEO of Seattle-based Feedjit:

Zero Day Vulnerability in Many WordPress Themes

There’s a story from Network World here too:

Zero-day vulnerability found in a WordPress image utility

TimThumb is in many themes with other names, so please also search for thumb.php, cropper.php, crop.php & resize.php.

Site: The Register

A new simple tool was released recently which focuses purely on LFI attacks.

Functions

• Automatically find the root of the file system
• Detect default files outside of the web folder
• Attempts to detect passwords inside the files
• Supports basic authentication
• Can use null byte to bypass some controls
• Writes a report of the scan to a file

You can download LFIMAP 1.4.3 here:

lfimap-1.4.3.tar.gz

Or read more here.

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but it’s usable.

Features

• Check a Single URL, List of URLs, or Google results fully automatically.
• Can identify and exploit file inclusion bugs.
• Test and exploit multiple bugs
• Has an interactive exploit mode
• Add your own payloads and patches to the config.py file.
• Has a Harvest mode which can collect URLs from a given domain for later pentesting.
• Can use proxies (experimental).

Changes

• All commands will now be send base64 encoded. So you can use quotes as much as you want.
• php://input detection is now 100% reliable.
• You can now define a POST string for relative and absolute files in the config.py.
• TTL implemented. You can define it with “—ttl “. Default is 30 seconds.
• Experimental HTTP Proxy support. You can define a HTTP(s) proxy with “—http-proxy localhost:8080″.
• Googlescanner can now skip the first X pages. Use “—skip-pages X”.
• Lots of bugfixes and additional regular expressions.

Requirements

• Needs: Python >= 2.4

You can download fimap here:

fimap_alpha_v07.tar.gz

Or read more here.

The latest news breaking over the Christmas period is that of a fairly serious bug in IIS that allows local file inclusion (LFI) of any filetype due a bug in the way IIS filters handle semicolons (;).

Secunia has confirmed the vulnerability “on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected”.

Although oddly it only classifies the bug as “Less critical” – basically a 2/5 on their threat scale.

A researcher has identified a vulnerability in the most recent version of Microsoft’s Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver.

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension “.asp.” By appending “;.jpg” or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it “highly critical,” vulnerability tracker Secunia classified it as “less critical,” which is only the second notch on its five-tier severity rating scale.

It’s a pretty nasty bug if you ask me, it means any CMS, forum software or gallery page where users are allowed to upload files (running on IIS) can be owned by a webshell without any effort at all.

Even if an app doesn’t allow native uploading, LFI can now be executed using another exploit and it will bypass any filtering IIS provides against executable files such as .asp scripts.

I don’t really see how this bug is “Less critical” – I’d imagine there’s some mass pwnage going around the World right now.

“Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as ‘.asp,’ ‘.cer,’ ‘.asa’ and so on,” Dalili wrote. “Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.”

In an email to El Reg, Dalili offered the following attack scenario:

“Assume a website which only accepts JPG files as the users’ avatars. And the users can upload their avatars on the server. Now an attacker tries to upload “Avatar.asp;.jpg” on the server. Web application considers this file as a JPG file. So, this file has the permission to be uploaded on the server. But when the attacker opens the uploaded file, IIS considers this file as an ASP file and tries to execute it by ‘asp.dll.’

“So, the attacker can upload a web-shell on the server by using this method. Most of the uploaders only control the last part of the files as their extensions, and by using this method, their protection will be bypassed.”

Microsoft as per usual is ‘looking into it’ – I would guess within a week or so users will be screaming for a patch in the next round of updates planned for January if not sooner.

Although if you are using IIS, I wouldn’t hold your breath for an out of schedule patch – we all know what Microsoft thinks of those.

Source: The Register

Vulnerabilities

• SQL Injection
• XSS (Cross Site Scripting)
• LFI (Local File Inclusion)
• RFI (Remote File Inclusion)
• Command Execution
• Upload Script
• Login Brute Force

Changes

• Added Acunetix scan report.
• All links use http://hiderefer.com to hide referrer header.
• Updated/added ‘more info’ links.
• Moved change log info to CHANGELOG.txt.
• Fixed the exec.php UTF-8 output.
• Moved Help/View source buttons to footer.
• Fixed phpInfo bug.
• Made DVWA IE friendly.
• Fixed html bugs.
• Improved README.txt and fixed typos.
• Made SQL injection possible in sqli_med.php.

WARNING

It should come as no shock..but this application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any working web server as it will be hacked. It’s recommend that you download and install XAMP onto a local machine inside your LAN which is used solely for testing.

You can download DVWA 1.0.4 here:

dvwa_v1.0.4.zip

Or read more here.