Hackers are exploiting a zero-day vulnerability affecting TimThumb, a free image resizing utility widely used on the blogging platform WordPress. Mark Maunder, CEO of Seattle-based technology firm Feedjit, discovered the flaw after his own blog was hacked to load advertising content; he traced the issue back to TimThumb, which he uses on his blog.
Vulnerability in brief:
An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven't audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you've been compromised.
The utility, a PHP script employed for image cropping, zooming and resizing web images, "is inherently insecure because it relies on being able to write files into a directory that is accessible by people visiting your website," Maunder said. "That's never a good idea."
An attacker could upload files and execute code on an affected site without the owner's permission. The latest version of the utility, TimThumb 1.33, is affected by the issue. Its developer, Ben Gillbanks, is working on a fix after his own site was also hacked by the same method.
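The partial hostname match is the core of the flaw. As an added illustration (my own, not TimThumb's code, which is not reproduced here), the POSIX shell functions below model an allow-list check on the host part of a remote image URL in two ways: a substring match of the kind the report describes, and a suffix match that accepts only a listed domain or its subdomains. The allow-list contents and the sample URLs are assumed.

```shell
#!/bin/sh
# Added example, not TimThumb's code: model of an allow-list check on the
# host part of a remote image URL. The allow-list below is assumed.
ALLOWED_SITES="blogger.com flickr.com"

# Extract the lower-cased host from a URL (strip scheme, path and port).
url_host() {
    h=${1#*://}
    h=${h%%/*}
    h=${h%%:*}
    printf '%s' "$h" | tr 'A-Z' 'a-z'
}

# Weak check: a substring match. Any host that merely contains an allowed
# name somewhere in it passes, which is the partial match described above.
host_allowed_substring() {
    host=$(url_host "$1")
    for site in $ALLOWED_SITES; do
        case "$host" in *"$site"*) return 0 ;; esac
    done
    return 1
}

# Hardened check: the host must equal an allowed name or be a subdomain of
# it (a ".site" suffix), so a longer name that only embeds it is refused.
host_allowed_suffix() {
    host=$(url_host "$1")
    for site in $ALLOWED_SITES; do
        [ "$host" = "$site" ] && return 0
        case "$host" in *."$site") return 0 ;; esac
    done
    return 1
}

# Usage: compare the two checks on two constructed URLs.
for u in "http://img.flickr.com/a.jpg" "http://flickr.com.example.test/a.jpg"; do
    s=refused; host_allowed_substring "$u" && s=allowed
    x=refused; host_allowed_suffix "$u" && x=allowed
    printf '%-40s substring:%-8s suffix:%s\n' "$u" "$s" "$x"
done
```

The second URL passes the substring check because "flickr.com" appears inside its host, while the suffix check refuses it. Even the suffix form still trusts whatever the listed sites serve, which is why the advice above to empty $allowedSites, removing remote loading altogether, is the stronger fix.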
He provided instructions for disabling the utility's ability to load images from external sites, which is one way to resolve the issue.
- SSH into your web server. You can use PuTTY if you use Windows, and you'll need to know your username and password.
- cd into your WordPress installation directory. That is going to vary according to which host you're using or how you've installed it.
- You need to find every copy of timthumb.php on your system. Use the following command without double quotes: " find . -name 'timthumb.php' "
- It will show you a list of where timthumb.php is located. You may want to repeat this command using "thumb.php" as some users have reported that's what it's called on their systems.
- Edit timthumb.php using a text editor like pico, nano or (if you know what you're doing) vim. You would type (without double quotes) " nano directory/that/tim/thumb/is/in/timthumb.php " for example.
- Go down to line 27 where it starts $allowedSites = array (
- Change it to remove all the sites listed like "blogger.com" and "flickr.com". Once you're done, the line should look like this from $allowedSites to the semicolon (note the empty parentheses):
  $allowedSites = array();
- The next line should be blank and the following line will probably say "STOP MODIFYING HERE".
- That's it. Save the file and you're done.
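The steps above find and edit each copy by hand. As an added audit helper (my own, not from Maunder's post or the TimThumb project), the POSIX shell script below runs the two checks the report recommends over a whole WordPress tree: it lists every timthumb.php or thumb.php together with whether its $allowedSites array is empty, and it lists PHP files that call base64_decode and also contain a long quoted encoded string. The 100-character threshold is an assumed cutoff, and the script only reports; the edit itself is still made in an editor as described.

```shell
#!/bin/sh
# Added audit helper, not from the original post or the TimThumb project.
# Usage: sh audit-timthumb.sh /path/to/wordpress

# Print the path of every timthumb.php or thumb.php under directory $1.
find_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \)
}

# Print EMPTY if file $1 declares "$allowedSites = array();" on one line,
# POPULATED if $allowedSites appears in any other form, ABSENT otherwise.
allowed_sites_state() {
    if grep -Eq '^[[:space:]]*\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*\([[:space:]]*\)[[:space:]]*;' "$1"; then
        echo EMPTY
    elif grep -q '\$allowedSites' "$1"; then
        echo POPULATED
    else
        echo ABSENT
    fi
}

# Print every .php file under $1 that calls base64_decode and also contains a
# quoted run of 100 or more base64 characters (assumed threshold).
suspicious_base64() {
    find "$1" -type f -name '*.php' -exec grep -l 'base64_decode' {} + |
    while read -r f; do
        grep -Eq "['\"][A-Za-z0-9+/=]{100,}['\"]" "$f" && echo "$f"
    done
}

# Report only when a WordPress directory is given on the command line.
if [ $# -eq 1 ]; then
    find_timthumb "$1" | while read -r f; do
        printf '%s: allowedSites %s\n' "$f" "$(allowed_sites_state "$f")"
    done
    echo "PHP files calling base64_decode on a long encoded string:"
    suspicious_base64 "$1"
fi
```

A POPULATED result means the file still has remote sites in its allow-list and needs the edit above; a hit from the base64 scan is a lead to inspect, not proof of compromise, since some legitimate plugins also embed encoded data.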