« New pump and dump stock spam comes from Romania | Blog Home | My Spam analysis & filter updates for the week of Aug 1 - 7, 2011 »

Bookmark and Share

Website using WordPress image resizing themes need to take action Now

If you a website owner, or Webmaster and you have installed WordPress blog software with image gallery themes on your websites, you may have a big problem, effective 8/1/2011. These programs are complicated software and as such, are subject to flaws caused by programming oversights. Exploitable scripting flaws have been discovered in a popular plug-in for themes: TimThumb. Those flaws are currently being used to inject malicious scripts and codes into millions of web pages. You need to see if your website is vulnerable to these exploits in the wild.

The details

This particular problem doesn't lie inside the WordPress software itself, but in a third party "plug-in" used by image themes that allow resizing of uploaded images. Those images may be uploaded by the owner of the blog, or by visitors from the Internet. Therein lies the danger.

First of all, you must be running the most current version of WordPress, which at this writing is v 3.2.1, preferably, with only themes approved and delivered through the WordPress website. This will protect the WordPress software itself, until a new vulnerability is discovered and published by hacker groups. Always get on the WordPress mailing list so you are notified when new versions are released. I recommend you bookmark and read this page often: http://wordpress.org/news/category/security/

You still need to check any theme directories (aka Folders) for the presence of the currently exploited file. If you are using an older version of WordPress, you had better upgrade first, at http://wordpress.org/.

The file currently being exploited by remote scanning scripts is named TimThumb.php. This file is used to resize images that are allowed to be uploaded to photo galleries. TimThumb is "inherently insecure" because it writes files into a temporary cache directory when it fetches an image and resizes it. But that directory, which is a sub-directory of your main WordPress directory, is accessible to people visiting the website. An attacker can compromise the site by figuring out how to get TimThumb to grab a malicious PHP file and put it in the WordPress directory. The code will be executed if an attacker then accesses the file using a Web browser.

Okay already. What can the average Joe or Jill do to protect his/her website? First of all, you need to scan you WordPress blog to see if it is already compromised with injected scripts. If so, change your admin password for WordPress, then hunt down all instances of TimThumb.php and if the script version on your server is older than version 2.0, you should immediately either disable those themes, or edit the TimThumb.php files and change the "$allowedSites array" to empty (the default file has an array with 3 to 7 popular websites allowed to upload file to it). This disallows any external site or visitor from using this plug-in to resize images (or exploit your blog by spoofing an approved website). However, you will still be able to resize images you yourself upload.

It has been suggested that renaming all instances of the file named timthumb.php to another, not-easily-guessed prefix, then changing that name in all of the other PHP files that call upon it, will prevent automated file vulnerability scanners from knowing you are using that exploitable plug-in. It hides it, but doesn't fix the problem. Only a new, secure version of the TimThumb file will plug to vulnerabilities being exploited right now.

Read this blog for background information, including details about determining if and how many instances of TimThumb exist on your website and whether or not it has been compromised already. But, do so using Firefox, with the NoScript Add-on enabled, for your own safety. Then go to the Tim Thumb Project page on Google Code pages and download the latest patched version (the link next to "Grab the code from here"). If you click on the "Updates" link you will see a lot of activity right now, as the author and his team hash out the security issues they are discovering in this program. It may be a good idea to disable all existing image resize scripts for your blog, if they use TimThumb, or Thumb.php, until the dust settles.

Note, that the TimThumb team is frantically testing and rewriting the script, up to the moment before I published this article. See the latest build here.

I have learned about another tactic that will at least protect the folder which TimThumb is currently (has been) using to store its temporary cache files. This is the folder into which exploit scripts are currently being uploaded from evil sources. The fix involves both renaming all instances and references to the actual file (timthumb.php) and creating a .htaccess file and placing it into that specific directory, on your website's server.

.htaccess directives to restrict execution of temporary scripts in the cache directory:

RewriteEngine On
Order Deny,Allow
Deny From All

Options -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

Sucuri WordPress Check
Securi has released a special PHP script that will scan your WordPress installation to find any and all instances of the TimThumb.php script. You can use the results to either rename the files, or modify them to remove the allowed domains array. Follow the instructions on the aforementioned page to rename, upload and use their script.

This is a big problem that will have a lot of people pulling out their hair, until the dust settles on this case. I want you all to be aware that if you, as a website owner, or acting Webmaster, have installed WordPress, and/or installed an insecure theme, or plug-in for it, you are responsible for updating and fixing it. Your web host is not going to update or secure these programs for you. Sorry, but that is a fact. If you install it, you are responsible for it. If you fail to fix an exploit that is happening on your website, you may find your service terminated until you do fix it. You can bet they won't refund any money you might think you have coming from early termination. Allowing your website to harm other websites, or visitors to your website, is a violation of the standard web hosting terms of service, used by virtually every web host in good standing.

Bookmark and Share  

Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by
Movable Type 4.38

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

We are hosted on Bluehost and couldn't be happier!

Fight website spammers