Computer Doctors

WordPress blogs are at risk


Tens or hundreds of thousands of WordPress installations are at risk of being compromised because of a critical vulnerability in a popular third-party image manipulation script called timthumb.

The affected image utility is not part of the main WordPress package, but is incorporated in many popular WordPress themes. The script consists of a single file called timthumb.php and facilitates on-the-fly image cropping, zooming and resizing.

Timthumb defines a white list of remote domain names from which images can be fetched by default, which include popular image hosting web sites like Flickr.com, Picasa.com, Blogger.com, WordPress.com, Photobucket.com and others.

However, the script does not validate these domain names properly: it checks for the whitelisted name as a substring of the requested URL rather than comparing it with the URL's actual host name, so files can be fetched from hostile hosts whose URLs merely contain one of those strings. For example, a file from “http://flickr.com.maliciousdomain.com” is accepted because “flickr.com” appears in the URL, even though it is not the actual domain name.

And since fetched files are stored in a cache directory before processing, the vulnerability opens a back door through which malicious attackers can upload and execute PHP shells on the server.
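The two checks side by side, as an added illustration that is not timthumb's code: `weak_allowed` models the substring (strpos-style) test the article describes, and `strict_allowed` shows the principle behind the fix, parsing the URL and comparing its real host against the list. The whitelist and the sample URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed whitelist modelled on the hosts the article names.
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "blogger.com",
                 "wordpress.com", "photobucket.com")


def weak_allowed(url: str) -> bool:
    """Substring match: passes any URL that merely contains a listed name."""
    return any(name in url for name in ALLOWED_HOSTS)


def strict_allowed(url: str) -> bool:
    """Parse the URL and require its host to equal, or be a subdomain of,
    a listed name. Userinfo tricks and look-alike suffixes fail here."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return any(host == name or host.endswith("." + name)
               for name in ALLOWED_HOSTS)


def compare(urls):
    """Return {url: (weak_result, strict_result)} for each sample URL."""
    return {u: (weak_allowed(u), strict_allowed(u)) for u in urls}


# Constructed sample requests: one legitimate, three that only the
# substring check accepts.
SAMPLES = [
    "http://farm1.flickr.com/photos/cat.jpg",
    "http://flickr.com.maliciousdomain.com/shell.php",
    "http://evil.example/?ref=flickr.com",
    "http://flickr.com@evil.example/shell.php",
]

if __name__ == "__main__":
    for url, (weak, strict) in compare(SAMPLES).items():
        print(f"{url}\n  substring check: {weak}  host check: {strict}")
```

Only the first sample passes the host-based check; the substring check accepts all four.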

“Timthumb.php is inherently insecure because it relies on being able to write files into a directory that is accessible by people visiting your website. That’s never a good idea,” warned Feedjit CEO Mark Maunder, who discovered the flaw when his blog was hacked.

Searching on Google for the script’s file name returns over 39 million results. That is not the actual number of vulnerable websites, but if even ten per cent of those are individual blogs, the flaw’s impact is still huge.

WordPress vulnerabilities have been exploited in the past to inject malicious code into blogs that directed their visitors to malware. However, this vulnerability is even more serious because deploying a patch for it will not be easy.

There are currently a large number of outdated and vulnerable WordPress installations, even though the platform offers a simple update mechanism and its developers quickly patch any security issues.

In comparison, WordPress themes are rarely updated and do not benefit from the same type of support from their creators. This fragmentation will make mass patch deployment very difficult and will leave webmasters to fend for themselves.

“Check [to see] if any of the blogs you host use timthumb.php, and upgrade to the latest version. The dodgy strpos [php function] has been replaced with a tighter match based on a regular expression,” advises Paul Ducklin, head of technology for Asia Pacific at security firm Sophos.


One Response to WordPress blogs are at risk

  • Heidi Klum says:

    Congratulations on having among the most sophisticated blogs I've come across in some time! It's just extraordinary just how much you are able to take away from something simply due to how visually beautiful it can be. You've put together an excellent blog space - great graphics, videos, layout. This is definitely a must-see weblog!
