TimThumb Plugin Contains Another Vulnerability, Websites at Risk

According to ArsTechnica and other sources, the WordPress component TimThumb had a “zero-day vulnerability” that “leaves many websites vulnerable to exploits that allow unauthorized attackers to execute malicious code.”

The vulnerability surfaced on June 24 and affected TimThumb, a PHP script that resizes and crops images on the fly for WordPress themes. According to SECLists.org, TimThumb was “developed for use in the WordPress theme Mimbo Pro and since used in many other WordPress themes.” Because it is bundled inside themes rather than installed as a standalone plugin, many site owners do not know they are running it, which means plenty of sites could be at risk.

If you have the webshot option enabled, you’re reportedly at risk for an attack, ArsTechnica noted. The site gave the following words of advice to members of the WordPress community who were concerned that their websites would soon erupt into flames: “People who are unsure if their WordPress-enabled site is vulnerable should open the TimThumb file inside their theme or plugin directory, search for the text string ‘Webshot_Enabled,’ and ensure that it’s set to ‘False.'”

A web application firewall, if you have one in front of the site, may block exploitation attempts, although ArsTechnica and other news sites recommended disabling the script until a fix was available. And, according to GrahamCluley.com, a fix was ultimately rolled out: “TimThumb Version 2.8.14 has now been released, fixing the vulnerability. It’s clear, however, that the developers are a little miffed that they weren’t informed about the vulnerability by the researchers who discovered it.”

A blog from Daniel Cid warned that hackers could do some serious damage on your system if the vulnerability is exploited. How? “With a simple command, an attacker can create, remove, and modify any files on your server,” Cid wrote. He promptly showed a command in which he removed a file and then created a new one.

An issue with TimThumb was reported in 2011 that involved “arbitrary file uploads,” according to David Dede. He explained, “Although this is a platform independent issue, it is specially an issue on WordPress, where a lot of theme authors choose to include scripts in themes without any extra security measures.” According to Softpedia, “thousands” of WordPress sites had issues related to TimThumb back in 2011, which probably left a rather salty taste in the mouths of many developers and website owners.

Whether the latest issue with TimThumb was exploited in any way remains to be seen, according to Softpedia. Besides, said the same site, the odds of the flaw resulting in any significant damage appeared to be slim: “Only administrators that activated it from the TimThumb script ran the risk of being plundered. Furthermore, even if enabled, executing the Webshot code requires two server-side extensions to be installed.”

Vulnerabilities related to WordPress are all too common. Take an issue found in recent weeks having to do with the All In One SEO Pack. What would happen if your account were infiltrated, you ask?

As PC World outlined at the time about the All In One issue, “One of the two flaws… can be exploited by a regular user, like an author or a subscriber, to modify a post’s SEO title, description, and keyword meta tags created by the plugin. If used maliciously, this could result in damage to a site’s search result ranking. However, the vulnerability can also be combined with a second flaw to inject malicious JavaScript code on the administrator control panel that would execute when the page is loaded.”

We can’t stress enough the importance of making sure all of your plugins, admin tools, and themes are as up to date as humanly possible. Otherwise, you’ll miss out on critical patches and fixes that will help protect you against malicious software and vulnerabilities. If you’re going to build a website, make sure to protect it