-
The Specialist *
Many WordPress blogs at risk from image-based zero-day vulnerability !!
Bilocating technology blogger Mark Maunder - he claims to live in Seattle and Cape Town concurrently - recently wrote about an intrusion to his WordPress site.
It turns out the backdoor was a previously-unexploited, or at least a previously-undocumented, flaw in a useful little WordPress addon, shared by many WordPress themes, called timthumb.
Timthumb is an 864-line PHP script which assists with automatic image resizing, thumbnailing and so forth. (It doesn't squeeze the image manipulation code into those 864 lines, but uses the third-party GD library.)
If you run WordPress and you have a file named timthumb.php, sometimes renamed to thumb.php, in your installation, you may be at risk.
Tracking down the mechanism behind his intrusion, Maunder identified three main problems with timthumb.php: poor default settings; poor verification of input data; and poor choice of file permissions for temporary files.
By default, the vulnerable version of timthumb allowed images from external sites to be accessed from your server. The default list is probably unsurprising:
// external domains that are allowed to be displayed on your website
$allowedSites = array (
'flickr.com',
'picasa.com',
'img.youtube.com',
'upload.wikimedia.org',
);
Secondly, timthumb.php checked the sanity of remote URLs - to verify they really were in the list of allowed sites - by looking for the permitted domains somewhere in the hostname part of the URL, rather than making sure they were the hostname part:
$isAllowedSite = false;
foreach ($allowedSites as $site) {
    // Vulnerable: strpos() looks for the allowed name anywhere in the hostname,
    // not for a hostname that is (or is a subdomain of) the allowed name.
    if (strpos (strtolower ($url_info['host']), $site) !== false) {
        $isAllowedSite = true;
    }
}
This code meant that a dodgy website name such as picasa.com.badsite.example would pass the test, simply because it contains the string picasa.com. Clearly, that is not what was intended. No need to worry. Check if any of the blogs you host use timthumb.php, and upgrade to the latest version. Read more and have fun
More & Source
I don't need to know everything, I just need to know where to find it, when I need it. 
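To make the hostname problem concrete, here is an added example (not timthumb's own code, and not from the article above) that puts the posted substring check next to a hostname-anchored replacement and runs both over a handful of constructed URLs. The $allowedSites list is the one quoted above; the function names, the sample URLs and the decision to accept real subdomains of an allowed site are assumptions made for this illustration.

```php
<?php
// Added example: the substring check from the post beside a hardened check.
// Function names, sample URLs and the subdomain policy are constructed here.

$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

// The vulnerable logic as posted: strpos() finds the allowed name anywhere
// inside the hostname, so "picasa.com.badsite.example" passes.
function isAllowedSubstring($url, array $allowedSites)
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($allowedSites as $site) {
        if (strpos($host, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: the hostname must equal an allowed name exactly, or end
// with "." followed by it, so photos.picasa.com is accepted but
// picasa.com.badsite.example and evilpicasa.com are not.
function isAllowedHost($url, array $allowedSites)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                       // no host at all: nothing to compare
    }
    $host = strtolower(rtrim($host, '.'));  // normalise case and trailing dot
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: the first two are legitimate, the next two are
// look-alike hostnames that only the substring check lets through, and the
// last one carries the allowed name in the path rather than the host.
$samples = array(
    'http://img.youtube.com/vi/abc/0.jpg',
    'http://photos.picasa.com/user/pic.jpg',
    'http://picasa.com.badsite.example/shell.php',
    'http://evilpicasa.com/shell.php',
    'http://badsite.example/flickr.com/shell.php',
);

foreach ($samples as $url) {
    printf("%-48s substring=%s host=%s\n", $url,
        isAllowedSubstring($url, $allowedSites) ? 'allow' : 'deny',
        isAllowedHost($url, $allowedSites) ? 'allow' : 'deny');
}
```

Running it shows the first two URLs allowed by both checks, the third and fourth allowed only by the substring check, and the fifth denied by both. The suffix comparison is anchored on the dot before the allowed name, which is what the original code was missing; if you do not want subdomains accepted at all, keep only the exact-match branch.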
-
Experienced User
Love me , Hate me but you just can't Ignore me 
-
Administrator
First post I read when I see this topic and fortunately I don't use TimThumb plugin.
Although there are thousands of plugins for Wordpress, try to use as little as possible.
-
Verified Member
Thanks INDRANIL.. checked my site.. don't have it.. I'm gonna let my brother know soon as I finish here.. also, make sure you log off every time with WordPress.. there's a way a hacker can get into your site through your login page if you keep it where you automatically log in every time.. walkingheart645
'No matter how old we get, we all wear diapers...'
-
The Specialist *
Yes indeed agree with you Raymond. No prob Neo & walkingheart.