Published on June 26th, 2014

Zero-Day TimThumb WebShot Vulnerability leaves Thousands of WordPress Blogs at Risk



The critical vulnerability, discovered by Pichaya Morimoto in the TimThumb WordPress plugin version 2.8.13, resides in its “WebShot” feature, which, when enabled, allows attackers to execute commands on the remote website.
The vulnerability allows an attacker to remotely execute arbitrary PHP code on the affected website. Once the PHP code has been executed, the website can be compromised in whatever way the attacker wants. At the time of writing, there is no patch available for the flaw.
“With a simple command, an attacker can create, remove and modify any files on your server,” say the security experts at Sucuri in a blog post.
Using the following requests, an attacker can create, delete and modify any files on your server:

https://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=https://vulnerablesite.com/$(rm$IFS/tmp/a.txt)
https://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=https://vulnerablesite.com/$(touch$IFS/tmp/a.txt)
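As an added defender-side example (not from the article, Sucuri or the TimThumb project): a POSIX shell filter that flags access-log entries matching the request pattern shown above, i.e. a TimThumb-style script called with webshot=1 and shell metacharacters inside the src parameter. The combined log format, the constructed sample lines and the list of metacharacters it looks for are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the TimThumb project): flag web-server
# access-log lines that look like TimThumb WebShot abuse. It assumes a combined
# log format with the quoted request line; the sample log lines are constructed.

# Constructed sample log: a benign TimThumb resize request, two WebShot requests
# whose src value carries shell metacharacters, and an unrelated page hit.
SAMPLE_LOG='203.0.113.5 - - [26/Jun/2014:10:00:01 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://example.com/a.jpg&w=100 HTTP/1.1" 200 512
203.0.113.9 - - [26/Jun/2014:10:00:02 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://example.com/$(id) HTTP/1.1" 200 64
203.0.113.9 - - [26/Jun/2014:10:00:03 +0000] "GET /themify/img.php?webshot=1&src=http://example.com/$IFS HTTP/1.1" 200 64
198.51.100.2 - - [26/Jun/2014:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048'

# Read log lines on stdin and print those that (a) request a TimThumb/WordThumb
# script with webshot=1 and (b) carry shell metacharacters ($(, backtick, $IFS,
# ; or |) inside the src parameter. Exit status is 1 when no line matches,
# as with grep itself.
find_webshot_abuse() {
    grep -E '(timthumb|wordthumb|img)\.php\?[^" ]*webshot=1' |
        grep -E 'src=[^" ]*(\$\(|`|\$IFS|;|[|])'
}

# Same filter, but print only the number of suspicious lines (0 when none).
count_webshot_abuse() {
    find_webshot_abuse | awk 'END { print NR }'
}

# Demo run against the constructed log; prints the two WebShot requests.
printf '%s\n' "$SAMPLE_LOG" | find_webshot_abuse
```

Run it over a real log with `find_webshot_abuse < /var/log/apache2/access.log` (path assumed). The first grep keys on the script name and the webshot flag, the second on the metacharacters, so a legitimate resize request that carries a webshot parameter but a plain image URL is not flagged.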

WHO IS VULNERABLE
Unfortunately, hundreds of other WordPress plugins and themes use the TimThumb library by default. Some of them are:
1.) TimThumb 2.8.13 WordPress plugin
2.) WordThumb 1.07, which uses the same vulnerable WebShot code
3.) WordPress Gallery Plugin
4.) IGIT Posts Slider Widget
5.) All WordPress themes from Themify, which contain the vulnerable WordThumb at the “/themify/img.php” location

The good news is that TimThumb ships with the webshot option disabled by default, so only those TimThumb installations where the webshot feature has been manually enabled are vulnerable to the flaw.


CHECK AND DISABLE TIMTHUMB “WEBSHOT”
  1. Open the timthumb file inside your theme or plugin directory, usually located at "/wp-content/themes//path/to/timthumb.php"
  2. Search for “WEBSHOT_ENABLED”
  3. If you find define ('WEBSHOT_ENABLED', true), set the value to “false”, i.e. define ('WEBSHOT_ENABLED', false)
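The three steps above as an added audit script (example code, not from the article or the TimThumb project): it walks a WordPress tree, reports every timthumb.php, wordthumb.php or img.php whose WEBSHOT_ENABLED define is true, and rewrites those defines to false. It assumes the define sits on one line in the form the article shows (any quoting or spacing); the file names it checks are the ones the article lists, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the article or the TimThumb project): audit a WordPress
# tree for TimThumb/WordThumb copies whose WEBSHOT_ENABLED constant is true and
# switch them to false. It assumes the constant is defined on a single line as
# define('WEBSHOT_ENABLED', true), with any quoting or spacing; the sample tree
# built by make_sample_tree is constructed for the demonstration.

# ERE for an enabled WebShot define; group 1 keeps everything before "true".
WEBSHOT_TRUE_RE="(define[[:space:]]*\([[:space:]]*[\"']WEBSHOT_ENABLED[\"'][[:space:]]*,[[:space:]]*)true[[:space:]]*\)"

# Print the path of every timthumb.php, wordthumb.php or img.php under $1 that
# still has WebShot enabled. Prints nothing (exit 0) when the tree is clean.
audit_webshot() {
    find "$1" -type f \( -name timthumb.php -o -name wordthumb.php -o -name img.php \) -print |
    while IFS= read -r f; do
        if grep -qE "$WEBSHOT_TRUE_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Rewrite the define in file $1 to false. The result is written back through
# the existing file so its ownership and permissions are preserved.
disable_webshot() {
    sed -E "s/$WEBSHOT_TRUE_RE/\1false)/" "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Disable WebShot in every flagged file under $1, reporting each file touched.
harden_webshot() {
    audit_webshot "$1" | while IFS= read -r f; do
        disable_webshot "$f"
        printf 'disabled WebShot in %s\n' "$f"
    done
}

# Build a constructed WordPress-like tree in a temp dir: one theme copy of
# TimThumb with WebShot on, one plugin copy with it off, and a Themify-style
# img.php with it on. Prints the root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo" \
             "$root/wp-content/plugins/pluginX" \
             "$root/wp-content/themes/themify-demo/themify"
    printf '<?php\ndefine ("WEBSHOT_ENABLED", true);\n' > "$root/wp-content/themes/demo/timthumb.php"
    printf "<?php\ndefine ('WEBSHOT_ENABLED', false);\n" > "$root/wp-content/plugins/pluginX/timthumb.php"
    printf '<?php\ndefine("WEBSHOT_ENABLED",true);\n' > "$root/wp-content/themes/themify-demo/themify/img.php"
    printf '%s\n' "$root"
}

# Demo: build the sample tree, audit, harden, audit again, clean up.
demo_root=$(make_sample_tree)
echo "enabled before hardening:"; audit_webshot "$demo_root"
harden_webshot "$demo_root"
echo "enabled after hardening:"; audit_webshot "$demo_root"
rm -rf "$demo_root"
```

Against a live site, run `audit_webshot /var/www/html` (path assumed) first and review the list before calling harden_webshot; a copy of TimThumb under a name other than the three the article mentions would not be found by the file-name filter and needs a manual search for WEBSHOT_ENABLED.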
Unfortunately, multiple similar security flaws were discovered in TimThumb in the past, leaving millions of WordPress-powered websites vulnerable to attack.
