TimThumb Vulnerability – Your Blog Is Under Attack

A vulnerability in an obscure WordPress add-on script that was discovered in August is currently being used to compromise more than 1.2 million websites — and could be easily used to siphon data out of databases hosted on servers also hosting the compromised websites, security experts warned today.
Unlike the many recent mass compromises carried out through SQL injection, this attack exploits a local file inclusion (LFI) vulnerability that lets attackers plant PHP shells on web servers, which then serve as the jumping-off point for further attacks, including database hacks.

The vulnerability in question lies in the timthumb.php script, a photo-resizing utility bundled with many third-party WordPress plug-ins. It lets an attacker make the script fetch and save whatever remote content they point it to, as long as the supplied URL satisfies a few loose checks, says Mike Geide, senior researcher at Zscaler ThreatLabZ.

“For example, the utility might have as a check that you only pass it content from YouTube, but the check that it does will only make sure YouTube exists within the URL path, so you could create your own domain, youtube.com.evil.com, and it would pass that check, and then you could pass it phpshell.php,” Geide says. A recent blog post from researchers with Sucuri Security showed how they were tracking infections from the vulnerability. A Google search today found 1.2 million sites affected by the infection.
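To make the check Geide describes concrete, here is an added example (not TimThumb's own code; the allow-list, function names and sample URLs are constructed for illustration) that puts a substring-style host check beside a hardened version that parses the URL and accepts the host only when it is exactly an allowed name or a true subdomain of one. It needs PHP 8 for str_ends_with().

```php
<?php
// Added example, not code from timthumb.php: a loose "does the allowed name
// appear anywhere in the URL" check beside a strict host comparison.

// Constructed allow-list of remote image hosts (assumption for this example).
const ALLOWED_HOSTS = ['youtube.com', 'img.youtube.com', 'flickr.com'];

// Weak check: passes as soon as an allowed name occurs anywhere in the URL,
// so a host such as youtube.com.evil.example or a query string that merely
// mentions youtube.com both get through.
function weak_host_check(string $src): bool
{
    $lower = strtolower($src);
    foreach (ALLOWED_HOSTS as $host) {
        if (strpos($lower, $host) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, require http or https, and compare the
// parsed host component exactly or as "<something>.<allowed>". The string
// "youtube.com.evil.example" is neither, so it is rejected.
function strict_host_check(string $src): bool
{
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach (ALLOWED_HOSTS as $allowed) {
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: one legitimate thumbnail URL and two URLs shaped like
// the bypass described in the article (allowed name outside the real host).
$cases = [
    'http://img.youtube.com/vi/abc123/0.jpg',
    'http://youtube.com.evil.example/phpshell.php',
    'http://evil.example/image.jpg?ref=youtube.com',
];
foreach ($cases as $src) {
    printf("%-48s weak=%-5s strict=%s\n", $src,
        weak_host_check($src) ? 'pass' : 'block',
        strict_host_check($src) ? 'pass' : 'block');
}
```

Run it with the PHP command-line interpreter: the first URL passes both checks, the second and third pass only the weak one. Host matching alone is not the whole fix. A resizer should also confirm that what it fetched really is an image and never store the download under an attacker-chosen name or extension, which is why the remedy the article points to is upgrading the script rather than hand-patching the check.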

Not sure whether any of the plugins or themes installed in your WP-Content directory contain the outdated version of TimThumb? Good news: there is a simple plugin that not only scans your content directory for the outdated version of the script, but also provides a link to upgrade quickly to the newer version. After installation, you'll find the options page within the Tools menu. After running the scan on WPTavern for the first time, these were my results:

Plugin Working Preview:

This plugin is especially useful to those who have more than a few themes or a large number of plugins installed, as it checks the entire contents of the WP-Content directory. According to a post in the plugin's support forum, it has not been specifically tested with WordPress Multi-Site, but the author sees no reason why it wouldn't work.
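For anyone who would rather take the same inventory from the command line, here is an added example (not the plugin described above) that walks a WP-Content directory, lists every PHP file that mentions TimThumb, and pulls out the version string each one declares. It assumes, as released TimThumb builds do, that the script declares its version with define('VERSION', '...'); the MINIMUM_SAFE_VERSION constant is a placeholder to fill in from the plugin's upgrade link, because the article itself does not give a version number.

```php
<?php
// Added example, not the scanning plugin from the article.
// Usage: php timthumb_scan.php /path/to/wp-content

// Placeholder: set this to the first version your upgrade source marks as
// fixed. Left null because the article does not state a number.
const MINIMUM_SAFE_VERSION = null;

// Walk $root and return one entry per PHP file whose source mentions TimThumb.
function find_timthumb_copies(string $root): array
{
    $found = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if ($src === false || stripos($src, 'timthumb') === false) {
            continue;
        }
        // Assumption: the script declares define('VERSION', '1.xx') or similar.
        $version = null;
        if (preg_match('/define\s*\(\s*[\'"]VERSION[\'"]\s*,\s*[\'"]([^\'"]+)[\'"]\s*\)/i', $src, $m)) {
            $version = $m[1];
        }
        $found[] = [
            'path'    => $file->getPathname(),
            'version' => $version,
            'status'  => classify($version),
        ];
    }
    return $found;
}

// Decide what to report for a given version string. Files that only mention
// TimThumb (a theme's functions.php, a scanner plugin) carry no VERSION
// constant and are flagged for manual review rather than guessed at.
function classify(?string $version): string
{
    if ($version === null) {
        return 'no VERSION constant; review by hand';
    }
    if (MINIMUM_SAFE_VERSION === null) {
        return 'set MINIMUM_SAFE_VERSION to compare';
    }
    return version_compare($version, MINIMUM_SAFE_VERSION, '<') ? 'OUTDATED' : 'ok';
}

$root = $argv[1] ?? 'wp-content';
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(1);
}
foreach (find_timthumb_copies($root) as $hit) {
    printf("%s\tversion=%s\t%s\n", $hit['path'], $hit['version'] ?? '?', $hit['status']);
}
```

Because the match is on the word "timthumb" anywhere in a PHP file, the output deliberately over-reports: every copy of the script shows up, even when a theme has renamed it, and the rows without a version are the ones to open and check by hand.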

So, download the plugin and use it to protect your own site from hackers. Hope this article helps you. ;-)
