Timthumb PHP script opens hole in WordPress blogs
Timthumb.php is an open source image resizing utility which is used by many WordPress themes, but when it is included in a theme, it can be exploited to allow attackers to upload and execute arbitrary PHP code on the WordPress installation. Even the script author's own site was exploited through the script. The problem is that timthumb.php has an array of domains from which it allows files to be remotely loaded and resized, but it only checks for the presence of the domain name somewhere in the URL it has been given, rather than checking that the domain is actually the host part of that URL.
Mark Maunder, who reported on the vulnerability, explained that this enables an attacker to create a URL such as http://blogger.com.evilhackersite.com/evilscript.php, pass that URL to the blog and have that file loaded into the system's cache, where it can be accessed and executed by the attacker. In Maunder's case he found that an attacker had uploaded and installed an "Alucar Shell" on his site, which was then used to inject ads into his site. Maunder reported the bug, which he believes could affect up to 38 million sites which make use of some version of the timthumb script. The script does not need to be in active use to be exploitable; it only needs to be externally callable.
The latest version (direct download) of Timthumb.php has fixes for the issue, using a regular expression to validate URLs rather than the strpos function. In the process of investigating and fixing that bug, however, other security issues – such as where timthumb saves files (under the WordPress root) and how the ALLOW_EXTERNAL option does not block external file transfer – have been brought to the developer's attention, and more fixes may be required.
Updating to the latest version is recommended but if this is not possible, one workaround is to edit all copies of the timthumb.php script and remove all site references from the allowed_sites array. This will stop the script downloading files from other sites, but it will still be able to resize local image files. Maunder's blog gives instructions on how to implement this workaround and how to clean up a WordPress blog after a typical attack. Another option is, of course, to remove all copies of timthumb.php from the WordPress installation as any script which externally imports content from another site is a potential risk.
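The following PHP is an added illustration of the two points above and is not TimThumb's own code: a substring check of the kind the article describes (an allowed domain merely appearing somewhere in the URL) set beside a check that parses the URL and compares its actual host against the allow-list, and the effect of the emptied allow-list workaround on that corrected check. The `$allowed_sites` array, its contents and the function names are constructed for the example; the URL shape `blogger.com.evilhackersite.com` is the one quoted in the article.

```php
<?php
// Added example, not TimThumb's own code. The allow-list below is a
// constructed stand-in for the script's allowed_sites array.
$allowed_sites = ['blogger.com', 'wordpress.com'];

// Weak check: a substring search. Any URL that contains an allowed domain
// anywhere in it is accepted, including host names that merely start with
// an allowed domain and query strings that mention one.
function is_allowed_weak(string $url, array $allowed): bool
{
    foreach ($allowed as $site) {
        if (strpos($url, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Corrected check: parse the URL, require http or https, and compare the
// host component alone against the allow-list. A host is accepted only if
// it equals an allowed site or ends with ".<allowed site>", so a subdomain
// such as img.blogger.com is accepted while blogger.com.evilhackersite.com
// and evilblogger.com are not.
function is_allowed_host(string $url, array $allowed): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowed as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        // Suffix match on a label boundary: the dot prevents evilblogger.com
        // from matching blogger.com.
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: two legitimate, two that exploit the substring check.
$samples = [
    'http://blogger.com/photo.jpg',
    'http://img.blogger.com/photo.jpg',
    'http://blogger.com.evilhackersite.com/evilscript.php',
    'http://evilhackersite.com/page?ref=blogger.com',
];
foreach ($samples as $url) {
    printf("%-55s weak=%-5s fixed=%s\n", $url,
        is_allowed_weak($url, $allowed_sites) ? 'allow' : 'deny',
        is_allowed_host($url, $allowed_sites) ? 'allow' : 'deny');
}

// The workaround from the article: with the allow-list emptied, the host
// check rejects every remote URL, leaving only local files to be resized.
$empty_allowed = [];
printf("empty allow-list: %s\n",
    is_allowed_host('http://blogger.com/photo.jpg', $empty_allowed) ? 'allow' : 'deny');
```

Run with `php example.php`. The host check deliberately stops at domain validation; the other issues the article mentions (the cache directory living under the WordPress root, and external transfers not being blocked by the ALLOW_EXTERNAL option) are separate controls and are not addressed by this function.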
(djwm)