TENS OR HUNDREDS OF THOUSANDS of WordPress installations are at risk of being compromised because of a critical vulnerability in a popular third-party image manipulation script called timthumb.
The affected image utility is not part of the main WordPress package, but is incorporated in many popular WordPress themes. The script consists of a single file called timthumb.php and facilitates on-the-fly image cropping, zooming and resizing.
Timthumb defines a white list of remote domain names from which images can be fetched by default, which include popular image hosting web sites like Flickr.com, Picasa.com, Blogger.com, WordPress.com, Photobucket.com and others.
However, the script fails to validate these domain names properly, so it lets files be fetched from nasty hosts that include those strings in their URLs. For example, files from “http://flickr.com.maliciousdomain.com” are accepted because “flickr.com” is in the URL, even though it is not the actual domain name.
And since fetched files are stored in a cache directory before processing, the vulnerability opens a back door through which malicious attackers can upload and execute PHP shells on the server.
“Timthumb.php is inherently insecure because it relies on being able to write files into a directory that is accessible by people visiting your website. That’s never a good idea,” warned Feedjit CEO Mark Maunder, who discovered the flaw when his blog was hacked.
Searching on Google for the script’s file name returns over 39 million results. That is not the actual number of vulnerable websites, but if even ten per cent of those are individual blogs, the flaw’s impact is still huge.
WordPress vulnerabilities have been exploited in the past to inject malicious code into blogs that directed their visitors to malware. However, this vulnerability is even more serious because deploying a patch for it will not be easy.
There are currently a large number of outdated and vulnerable WordPress installations, even though the platform offers a simple update mechanism and its developers quickly patch any security issues.
In comparison, WordPress themes are rarely updated and do not benefit from the same type of support from their creators. This fragmentation will make mass patch deployment very difficult and will leave webmasters to fend for themselves.
“Check [to see] if any of the blogs you host use timthumb.php, and upgrade to the latest version. The dodgy strpos [php function] has been replaced with a tighter match based on a regular expression,” advises Paul Ducklin, head of technology for Asia Pacific at security firm Sophos.