PHP and Website Security ProjectX

Security Expert Gregory Evans’ Blog Site Pawned With Timthumb Exploit

Just today, Gregory Evans’ blog site was defaced by Tha L (a defacer from ‘the hackers army’). Gregory Evans is a security expert who has appeared on TV and radio more than any other security consultant in the world. In fact he was said to be the world’s no. 1 security expert or hacker (I really dunno about this). But here is a YouTube video about him:


Deface Link:  http://gregorydevans.com/wp-content/gallery/L.htm

the hackers army

As soon as the news spread I looked at his site and right away I was able to determine that it is vulnerable to Remote Code Execution in TimThumb. In fact the exploitable code is found here: http://gregorydevans.com/wp-content/themes/business-success/scripts/timthumb.php. The site has not yet been updated with the latest TimThumb script.

Thus if you pass it an image URL in the src parameter, it fetches that image. For example:

http://gregorydevans.com/wp-content/themes/business-success/scripts/timthumb.php?src=http://gregorydevans.com/wp-content/uploads/Greg_Banner_9.png

Fixing this kind of vulnerability:

1. Update the script by downloading the latest PHP script here.

2. Edit the file and make sure ALLOW_EXTERNAL is set to false. This is the setting that allows image fetching from external websites. See the code below:

3. Make sure that the $allowedSites array is empty. Omit flickr.com, picasa.com, img.youtube.com, upload.wikimedia.org, photobucket.com, imgur.com, imageshack.us, tinypic.com from this code:

Thus the code would just look like this:

4. Check the temp and cache folders for possible backdoors.
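To make steps 2 to 4 concrete, here is an added PHP example (my own code, not the TimThumb project's). It shows the hardened settings next to the weak ones, a helper that decides whether a requested src is acceptable under that policy, and a helper that triages the cache and temp folders for files containing PHP tags. The function names is_allowed_source() and scan_dir_for_php(), the LOCAL_IMAGE_ROOT path and the sample inputs are my own assumptions for illustration.

```php
<?php
// Added example, not TimThumb's own code. Helper names and paths are assumptions.

// Weak settings as found in an unpatched copy (kept here only for comparison):
//   define('ALLOW_EXTERNAL', true);
//   $allowedSites = array('flickr.com', 'picasa.com', 'img.youtube.com', /* ... */);

// Hardened settings (steps 2 and 3): no external fetching, no allowed remote hosts.
define('ALLOW_EXTERNAL', false);
$allowedSites = array();

// Only serve images from below this directory (constructed path; adjust to the site).
define('LOCAL_IMAGE_ROOT', __DIR__ . '/../../uploads');

/**
 * Decide whether a requested src may be served under the hardened policy.
 * Returns true only for a local relative path with an image extension that
 * resolves to a file inside LOCAL_IMAGE_ROOT.
 */
function is_allowed_source(string $src, array $allowedSites, bool $allowExternal): bool
{
    // Anything with a scheme, or protocol-relative (//host/...), is an external fetch.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $src) || strpos($src, '//') === 0) {
        if (!$allowExternal) {
            return false;
        }
        $host = strtolower((string) parse_url($src, PHP_URL_HOST));
        // Match the host exactly or as a dotted subdomain. A plain substring test
        // would accept unrelated hosts that merely contain an allowed name.
        foreach ($allowedSites as $site) {
            $site = strtolower($site);
            if ($host === $site || substr($host, -strlen('.' . $site)) === '.' . $site) {
                return true;
            }
        }
        return false;
    }

    // Local path: reject NUL bytes, directory traversal and non-image extensions.
    if (strpos($src, "\0") !== false || preg_match('#(^|/)\.\.(/|$)#', $src)) {
        return false;
    }
    if (!preg_match('/\.(jpe?g|png|gif)$/i', $src)) {
        return false;
    }

    // Resolve and confirm the file really sits below the image root.
    $real = realpath(LOCAL_IMAGE_ROOT . '/' . ltrim($src, '/'));
    $root = realpath(LOCAL_IMAGE_ROOT);
    return $real !== false && $root !== false
        && strpos($real, $root . DIRECTORY_SEPARATOR) === 0;
}

/**
 * Step 4 helper: list files under $dir whose first 64 KiB contain a PHP open tag.
 * An image cache should hold image bytes only, so every hit deserves a manual look.
 * This is coarse triage, not a malware scanner.
 */
function scan_dir_for_php(string $dir): array
{
    $hits = array();
    if (!is_dir($dir)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $head = file_get_contents($file->getPathname(), false, null, 0, 65536);
        if ($head !== false && preg_match('/<\?php|<\?=|<\?\s/i', $head)) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Constructed sample inputs: a remote URL, a traversal attempt and a local image.
foreach (array('http://example.com/x.png', '../../wp-config.php', '2011/08/banner.png') as $src) {
    printf("%-28s -> %s\n", $src,
        is_allowed_source($src, $allowedSites, ALLOW_EXTERNAL) ? 'allowed' : 'rejected');
}
foreach (array(__DIR__ . '/cache', __DIR__ . '/temp') as $dir) {
    foreach (scan_dir_for_php($dir) as $suspect) {
        echo "review: $suspect\n";
    }
}
```

With ALLOW_EXTERNAL false the remote URL and the traversal attempt are rejected regardless of what $allowedSites contains; the local path is only accepted if that file actually exists under LOCAL_IMAGE_ROOT. Run the scanner from the script's directory so the cache and temp paths resolve, and treat any reported file as something to inspect by hand before deleting.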

PS: With all due respect sir Gregory, I didn’t hack your site, if you see my IP Address in the log, let’s just say I was just viewing the source. ~shipcode

To Sir Gregory: Now this warning wouldn’t help at all because I didn’t try to hack your site but I was doing some forensic investigation on how your site was breached. Please update your site now as soon as possible.

Gregory Evans' Site Hacked
