A new exploit for TimThumb – widely used in WordPress

Posted by on June 26, 2014.

Last week there was a serious flaw found in the code behind TimThumb, an image re-sizing library commonly used in premium themes. Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications.
Matt Mullenweg

Mullenweg actually wrote this just under three years ago, but he could have written it today. Not last week but earlier this week, a new exploit for TimThumb, the image re-sizer embedded in many WordPress themes, was published. This exploit is every bit as dangerous as the earlier one, with one saving grace: it requires a TimThumb feature called ‘webshot’ to be enabled, and by default that feature is disabled.

Ryan Dewhurst, RandomStorm

“The latest TimThumb vulnerability is very serious,” Ryan Dewhurst, a senior security engineer at RandomStorm, told me by email. “It allows attackers to run commands remotely on the vulnerable sites (Remote Command Execution). However, for the vulnerability to be exploited a feature called ‘webshot’ needs to be enabled, and fortunately this feature is disabled by default.”

Dewhurst did some quick research and concluded that the number of sites vulnerable to this exploit is actually “very small.” Nevertheless, if he can do the research, so can the criminals, and that small number of vulnerable sites will soon be found. “It is recommended,” he continued, “that you check your own timthumb files to verify that this feature is disabled until a patch is released, at which time it is advised to update timthumb.”
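One way to do that check across a whole WordPress install, as an added example that is not from the article, RandomStorm or the TimThumb project: walk the tree, pick out every copy of TimThumb whatever a theme has renamed it to, and report whether webshot is on. The script assumes three things the article does not state: that TimThumb 2.8.x gates the feature on the PHP constant WEBSHOT_ENABLED, that timthumb.php loads a sibling timthumb-config.php first and only applies its own default when the constant is still undefined (so a config file wins), and that a copy can be recognised by its "class timthumb" declaration. The sample theme tree it builds is constructed for the demonstration, not real theme code.

```shell
#!/bin/sh
# Added example, not from the article or the TimThumb project: scan a WordPress
# tree for copies of TimThumb and report whether the 'webshot' feature is on.
#
# Assumptions (the article names none of these): TimThumb 2.8.x gates webshot
# on the PHP constant WEBSHOT_ENABLED; timthumb.php loads a sibling
# timthumb-config.php first and only applies its own default ("false") when
# the constant is still undefined, so a config file wins; and a TimThumb copy
# can be recognised by its "class timthumb" declaration even when a theme has
# renamed the file (thumb.php, etc.).

# Echo the boolean literal handed to the last uncommented define() of
# WEBSHOT_ENABLED in $1, lower-cased, or nothing if the file never defines it.
# Tolerates spaces, either quote style and any case; does not parse /* */ blocks.
webshot_define_value() {
    grep -iE "define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*(true|false)" "$1" 2>/dev/null \
      | grep -v '^[[:space:]]*//' \
      | tr '[:upper:]' '[:lower:]' \
      | sed -E "s/.*webshot_enabled['\"][[:space:]]*,[[:space:]]*(true|false).*/\1/" \
      | tail -n 1
}

# Effective setting for the TimThumb copy at $1: "enabled", "disabled" or
# "unset" (no WEBSHOT_ENABLED anywhere, i.e. a pre-webshot TimThumb, which this
# exploit does not reach but which carries older bugs and still needs updating).
timthumb_webshot_status() {
    dir=$(dirname "$1")
    v=""
    [ -f "$dir/timthumb-config.php" ] && v=$(webshot_define_value "$dir/timthumb-config.php")
    [ -z "$v" ] && v=$(webshot_define_value "$1")
    case "$v" in
        true)  echo enabled ;;
        false) echo disabled ;;
        *)     echo unset ;;
    esac
}

# Walk $1 and print "<status><TAB><path>" for every PHP file that is a TimThumb copy.
scan_timthumb() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while IFS= read -r f; do
        grep -qiE 'class[[:space:]]+timthumb' "$f" || continue
        printf '%s\t%s\n' "$(timthumb_webshot_status "$f")" "$f"
    done
}

# Constructed sample tree (not real theme code): four TimThumb copies in the
# states a scan can meet. Removed when the script exits.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
T="$SAMPLE/wp-content/themes"
mkdir -p "$T/theme-a" "$T/theme-b/inc" "$T/theme-c" "$T/theme-d"

# theme-a: stock 2.8 layout, webshot left at its default
cat > "$T/theme-a/timthumb.php" <<'EOF'
<?php
class timthumb {}
if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);
EOF

# theme-b: renamed copy with the feature switched on in the file itself
# (the commented-out line must not fool the check)
cat > "$T/theme-b/inc/thumb.php" <<'EOF'
<?php
class timthumb {}
// define('WEBSHOT_ENABLED', false);
if(! defined('WEBSHOT_ENABLED') ) define ("WEBSHOT_ENABLED", TRUE);
EOF

# theme-c: stock file, but a config file next to it overrides the default
cp "$T/theme-a/timthumb.php" "$T/theme-c/timthumb.php"
printf '<?php\ndefine( "WEBSHOT_ENABLED", true );\n' > "$T/theme-c/timthumb-config.php"

# theme-d: a pre-2.8 TimThumb with no webshot code at all
printf '<?php\nclass timthumb {}\n$src = $_GET["src"];\n' > "$T/theme-d/timthumb.php"

# Run it against the sample tree; point it at a real wp-content directory instead.
scan_timthumb "$SAMPLE"
```

On a real site, anything reported as "enabled" is what Dewhurst is warning about: set WEBSHOT_ENABLED to false in the file (or in the config file that overrides it) until the updated timthumb.php is in place. Copies reported as "unset" are too old to have webshot at all and are not exposed to this exploit, but they predate the 2011 fixes and should be updated as well.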

And that’s where Mullenweg’s original warning comes into play – the very nature of WordPress (easy to use and therefore widely adopted by non-techies) makes it likely that many users won’t even know if they are using TimThumb and certainly won’t know how to check the code. And even when an update is released, there will be many who are too afraid to apply it.

There is one possible tell: an error message saying the resized image is not a valid image can indicate that the exploit has been used against your site. The only problem, of course, is that by then it’s too late – you’ve already been had.
