Critical flaw in TimThumb plugin menaces the WordPress world

Pierluigi Paganini June 26, 2014

A critical vulnerability in the WebShot feature implemented by the TimThumb plugin exposes WordPress instances to Remote Code Execution attacks.

The popular image resizing library TimThumb, used in many WordPress themes, third-party components and plugins, is affected by a critical vulnerability that allows an unauthenticated attacker to execute certain commands remotely on the vulnerable website. The critical vulnerability in the TimThumb plugin was discovered by Pichaya Morimoto (@u0x).
The critical flaw resides in the “Webshot” feature implemented by the TimThumb WordPress plugin version 2.8.13. Experts at the Sucuri blog published a post on the vulnerability explaining that, with a simple command, an attacker can create, remove and modify any file on the victim’s server. The following examples demonstrate how to remove a file with the “rm” command and how to create a new one with the “touch” command:
http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://vulnerablesite.com/$(rm$IFS/tmp/a.txt)
http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php??webshot=1&src=http://vulnerablesite.com/$(touch$IFS/tmp/a.txt)
The list of commands that could be executed this way is long.
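Both requests above carry shell command-substitution syntax ($(...) and $IFS) inside the src parameter of a webshot=1 request, which is a pattern a defender can look for in web-server access logs. The following scanner is an added example, not code from the article or from the TimThumb project; it parses combined-format log lines, flags timthumb.php requests with webshot=1 whose src contains shell tokens, and also flags plain webshot=1 requests because the feature should not be reachable at all. The client addresses and log lines are constructed samples.

```python
"""Detect attempts to abuse the TimThumb WebShot feature in web-server access logs.

Added example (not from the original article or the TimThumb project). The log
lines below are constructed samples; only the URL shapes mirror the article.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell command-substitution / word-splitting tokens that have no place in an image URL.
SUSPICIOUS = ("$(", "`", "$IFS", "${")

# Constructed sample log lines: two injection attempts (one URL-encoded), one
# legitimate resize request, one webshot request without a payload, one junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2014:10:01:02 +0000] "GET /wp-content/plugins/pluginX/timthumb.php'
    '?webshot=1&src=http://vulnerablesite.com/$(rm$IFS/tmp/a.txt) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Jun/2014:10:01:03 +0000] "GET /wp-content/plugins/pluginX/timthumb.php'
    '?webshot=1&src=http%3A%2F%2Fvulnerablesite.com%2F%24(touch%24IFS%2Ftmp%2Fa.txt) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Jun/2014:10:02:00 +0000] "GET /wp-content/plugins/pluginX/timthumb.php'
    '?src=http://vulnerablesite.com/wp-content/uploads/photo.jpg&w=300 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Jun/2014:10:03:00 +0000] "GET /wp-content/plugins/pluginX/timthumb.php'
    '?webshot=1&src=http://example.org/page.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'garbage line that is not a log record',
]


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_webshot_abuse(path):
    """Return a reason string if the request path looks like WebShot abuse, else None."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith("timthumb.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("webshot", ["0"])[0] != "1":
        return None
    for src in params.get("src", []):
        src = unquote(src)  # parse_qs decoded once; decode again to catch double-encoded payloads
        for token in SUSPICIOUS:
            if token in src:
                return f"webshot=1 with shell token {token!r} in src"
    return "webshot=1 request (feature should be disabled)"


def scan(lines):
    """Return (client, path, reason) for every line that matches the abuse pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = is_webshot_abuse(rec["path"])
        if reason:
            hits.append((rec["ip"], rec["path"], reason))
    return hits


if __name__ == "__main__":
    for ip, path, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{path}")
```

Any hit with a shell token in src is worth treating as an attempted exploitation of the host, not just a blocked request: a 200 status in the sample lines says nothing about whether the command ran, so the file system around /tmp and the web root should be checked as well.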
Fortunately, TimThumb ships with the Webshot option disabled by default, which means a TimThumb installation is vulnerable only if the feature has been manually enabled.
WordPress is the most widely used content management system (CMS) for blogging platforms; it is open source and has tens of thousands of plugins covering almost any user need. In the past, we have seen many times that attackers exploit a flaw in a plugin to compromise the entire website; it is a common practice for hackers to hit websites this way.
Gaining control of a WordPress instance could allow attackers to damage the website itself with a defacement, but the worst scenario is the recruiting of the compromised WordPress website for different kinds of attacks, including DDoS and malware-based attacks.
The vulnerability is widespread: hundreds of WordPress plugins and themes use the TimThumb library by default, including the WordPress Gallery Plugin, the IGIT Posts Slider Widget and all WordPress themes from Themify.
To secure the WordPress installation it is necessary to disable the “Webshot” feature in the TimThumb plugin:
  • Open your TimThumb file inside your theme or plugin (e.g. usually /wp-content/themes//path/to/timthumb.php) and search for “WEBSHOT_ENABLED”
  • If you find define('WEBSHOT_ENABLED', true), set the value to false, i.e. define('WEBSHOT_ENABLED', false)
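Doing the two steps above by hand does not scale when hundreds of themes and plugins bundle their own copy of the library. The script below is an added example, not code from the article or from the TimThumb project: it walks a wp-content tree, reports the WEBSHOT_ENABLED value in every file named timthumb.php, and can rewrite a true define to false. The set of file names is an assumption (themes that rename the file would need their name added), and the files created by demo() in a temporary directory are constructed samples.

```python
"""Audit a WordPress tree for TimThumb copies with WebShot enabled, and optionally disable it.

Added example (not from the article or the TimThumb project). The sample
files built by demo() in a temporary directory are constructed.
"""
import os
import re
import tempfile

FILENAMES = {"timthumb.php"}  # assumption: add renamed copies here if a theme ships one
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])WEBSHOT_ENABLED\1\s*,\s*(?P<value>true|false)\s*\)""",
    re.IGNORECASE,
)


def find_timthumb(root):
    """Return every path under root whose basename is a known TimThumb filename."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in FILENAMES:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def webshot_setting(path):
    """Return True/False for the WEBSHOT_ENABLED define, or None if the file has no such define."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        m = DEFINE_RE.search(fh.read())
    return None if m is None else m.group("value").lower() == "true"


def _to_false(m):
    # Leave an already-false define untouched; rewrite only a true one.
    if m.group("value").lower() == "false":
        return m.group(0)
    quote = m.group(1)
    return f"define({quote}WEBSHOT_ENABLED{quote}, false)"


def disable_webshot(path):
    """Rewrite define('WEBSHOT_ENABLED', true) to false in place. Returns True if the file changed."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    new, _count = DEFINE_RE.subn(_to_false, src)
    if new == src:
        return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new)
    return True


def audit(root, fix=False):
    """Map each TimThumb file to 'enabled', 'disabled' or 'unknown'; fix=True disables WebShot."""
    labels = {True: "enabled", False: "disabled", None: "unknown"}
    report = {}
    for path in find_timthumb(root):
        setting = webshot_setting(path)
        if setting is True and fix:
            disable_webshot(path)
            setting = webshot_setting(path)  # re-read so the report reflects the file on disk
        report[path] = labels[setting]
    return report


def demo():
    """Build a constructed wp-content tree with one enabled and one disabled copy, then audit it."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    enabled = os.path.join(root, "themes", "themeA", "scripts", "timthumb.php")
    disabled = os.path.join(root, "plugins", "pluginX", "timthumb.php")
    for path, value in ((enabled, "true"), (disabled, "false")):
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\nif (! defined('WEBSHOT_ENABLED')) define ('WEBSHOT_ENABLED', {value});\n")
    before = audit(root)          # report only
    after = audit(root, fix=True)  # disable and report again
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path in before:
        print(f"{before[path]:>8} -> {after[path]:<8} {path}")
```

Run audit() against the real wp-content directory with fix=False first and review the "unknown" entries: a copy whose define does not match the pattern (for instance one that takes the value from another constant) still needs a manual look, and any copy older than the fixed releases should be updated rather than only patched in place.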

Check it asap!

Pierluigi Paganini

(Security Affairs –  TimThumb, WordPress)
