MSM|August 2, 2011| Author: Kim LaCapria|Tags: ,

WordPress Sites Threatened By ‘Zero Day’ Image Utility Bug

The most time-consuming, non-consensual game played in WordPress users’ free time has to be, hands down, “find the buggy plugin.” (If you’ve ever tearfully watched the sun rise as you suck down Dr. Pepper and sob as you sort through every plugin you’ve ever even thought about using, you know it well.)

A recent round of the unpopular yet widely played sport resulted in a find that could have negative implications for many WordPress-based sites when a big vulnerability was traced by an intrepid user to a popular, image based plugin on a theme purchased from a popular WP theme slinger. At least two sites have been compromised by the weakness that was found in the code for the oft-used image resizing utility TimThumb.

CEO of Seattle-based Feedjit Mark Maunder discovered the vulnerability after an unauthorized ad opened when he visited his own site. In a detailed blog post, Maunder explains what happened and how he addressed it:

Eventually I found it. The hacker had done an eval(base64_decode(‘…long base64 encoded string’)) in one of WordPress PHP files. My bad for allowing that file to be writeable by the web server. Read on, because even if you set your file permissions correctly on the WordPress php files, you may still be vulnerable…Turns out the theme I’m using, Memoir, which I bought for $30 from ElegantThemes.com uses a library called timthumb.php. timthumb.php uses a cache directory which lives under wp-content and it writes to that directory when it fetches an image and resizes it.

Lower down, in the comments, Ben Gillibanks- TimThumb’s creator- acknowledges the vulnerability and apologizes to users who may have been compromised by using the extension:

Hi all – I am the developer of TimThumb. I can’t apologise enough for this oversight in the code and hope nobody has anything too bad happen to their sites because of my error.

Mark has been really helpful in solving the issue and I have worked with him to harden up the script. At the moment the best fix is to simply use the latest version of TimThumb. There have been a stack of tweaks that will make the script harder to abuse.

I anyone wants to audit the code, or offer any help or suggestions for improving the security of TimThumb then I am all ears.

On Maunder’s blog, he explains how users can root out and eliminate the bad code. Has your site ever been compromised or otherwise affected by a similar WordPress-related vulnerability?