WordPress is now one of the most popular open source web scripts, and most bloggers use it. In fact, this blog is a WordPress blog! The problem with WordPress is that it has many vulnerable plugins and add-ons, just like TimThumb, which is a popular image resizing script. The TimThumb exploit was published on the 3rd of August 2011 in Exploit-DB and became the main target for defacers and people who are into IRC bots.
The script can be exploited through remote code execution because it does not handle cached files properly. So how does the exploit work? By linking a specially crafted image file with a valid MIME type and appending a PHP file to the end of the timthumb.php script, it is possible to trick TimThumb into believing that it is a legitimate image, so it caches the file locally in the cache directory. Alright, I'll try caching an image on this site I found. (Disclaimer: No harm was done to this site.)
Proof of exploit:
Fixing the Vulnerability
1. Update the script by downloading the latest PHP script here.
2. Edit the file and make sure ALLOW_EXTERNAL is set to FALSE. This is the setting that allows image fetching from external websites. The line to change is:
define ('ALLOW_EXTERNAL', TRUE);
3. Make sure that the $ALLOWED_SITES array is empty. Remove flickr.com, picasa.com, img.youtube.com, upload.wikimedia.org, photobucket.com, imgur.com, imageshack.us and tinypic.com from this code:
$ALLOWED_SITES = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
    'imgur.com',
    'imageshack.us',
    'tinypic.com',
);
Thus the code would just look like this:
$ALLOWED_SITES = array ();
4. Rename the TimThumb script and put an .htaccess configuration file on your sensitive folders, just like you would to secure an admin page.
5. Install security plugins.
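To check that steps 2 and 3 actually took effect, and to spot cache entries that carry PHP tags behind a valid image header (the trick described at the top of the post), here is an added example written for this post; it is not part of TimThumb, and the configuration text and cache contents it scans are constructed samples, not files from any real site.

```python
import re

# Constructed sample of the configuration lines from a timthumb.php (not the real file).
SAMPLE_CONFIG = """
define ('ALLOW_EXTERNAL', TRUE);
$ALLOWED_SITES = array (
    'flickr.com',
    'imgur.com',
);
"""

# Magic bytes of the image formats TimThumb serves, and the PHP open tags to look for.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
PHP_TAGS = (b"<?php", b"<?=")

def audit_timthumb_config(src):
    """Report whether the two settings from steps 2 and 3 are hardened."""
    ext = re.search(r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(TRUE|FALSE)\s*\)", src, re.I)
    sites_m = re.search(r"\$ALLOWED_SITES\s*=\s*array\s*\((.*?)\)\s*;", src, re.S)
    sites = re.findall(r"['\"]([^'\"]+)['\"]", sites_m.group(1)) if sites_m else []
    allow_external = bool(ext) and ext.group(1).upper() == "TRUE"
    return {
        "allow_external": allow_external,
        "allowed_sites": sites,
        # Both steps must hold: the flag is FALSE and the site list is empty.
        "remote_fetch_disabled": not allow_external and not sites,
    }

def find_suspicious_cache_files(files):
    """files maps cache filename -> raw bytes. Flags entries that contain a PHP tag,
    do not start with an image header, or do not carry an image extension."""
    hits = []
    for name, data in files.items():
        looks_like_image = data.startswith(IMAGE_MAGIC)
        has_php = any(tag in data for tag in PHP_TAGS)
        bad_ext = not name.lower().endswith((".gif", ".png", ".jpg", ".jpeg"))
        if has_php or bad_ext or not looks_like_image:
            hits.append(name)
    return hits

# Constructed cache contents: a clean GIF, a GIF header followed by a PHP tag, and a stray .php file.
SAMPLE_CACHE = {
    "clean.gif": b"GIF89a" + b"\x00" * 16,
    "polyglot.gif": b"GIF89a" + b"\x00" * 16 + b"<?php ... ?>",
    "stray.php": b"<?php ... ?>",
}

if __name__ == "__main__":
    print(audit_timthumb_config(SAMPLE_CONFIG))
    print(find_suspicious_cache_files(SAMPLE_CACHE))
```

Point `find_suspicious_cache_files` at the real contents of your TimThumb cache directory (read each file as bytes) and review anything it flags before deleting it.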
Well, that's it for now. You should fix the TimThumb script, or else your site will end up just like this: