Thursday, 26 June 2014

Zero-Day TimThumb WebShot Vulnerability leaves Thousands of Wordpress Blogs at Risk

TimThumb WebShot Vulnerability Wordpress exploit
Yesterday we learned of a critical Zero-day vulnerability in a popular image resizing library called TimThumb, which is used in thousands WordPress themes and plugins.

WordPress is a free and open source blogging tool and a content management system (CMS) with more than 30,000 plugins, each of which offers custom functions and features enabling users to tailor their sites to their specific needs, therefore it is easy to setup and use, that’s why tens of millions of websites across the world opt it.

But if you or your company are the one using the popular image resizing library called “TimThumb” to resize large images into usable thumbnails that you can display on your site, then you make sure to update the file with the upcoming latest version and remember to check the TimThumb site regularly for the patched update.

0-Day REMOTE CODE EXECUTION & NO PATCH
The critical vulnerability discovered by Pichaya Morimoto in the TimThumb Wordpress plugin version 2.8.13, resides in its “Webshot” feature that, when enabled, allows attackers to execute commands on a remote website.

The vulnerability allows an attacker to remotely execute arbitrary PHP code on the affected website. Once the PHP code has been executed, the website can be easily compromised in the way the attacker wants. Until now, there is no patch available for the flaw.

With a simple command, an attacker can create, remove and modify any files on your server,” says Security experts at Sucuri break in a blog post.

Using the following command, a hacker can create, delete and modify any files on your server:
http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://vulnerablesite.com/$(rm$IFS/tmp/a.txt) 
http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php??webshot=1&src=http://vulnerablesite.com/$(touch$IFS/tmp/a.txt)
WHO ARE VULNERABLE
Unfortunately, there are hundreds of other Wordpress plugins and themes, those are using TimThumb library by default. Some of theme are:
1.) TimThumb 2.8.13 Wordpress plugin
1.) WordThumb 1.07 is also using same vulnerable WebShot code.
3.) IGIT Posts Slider Widget

4.) All Wordpress themes from Themify contains vulnerable wordthumb at “/themify/img.php” location.


The good news is that Timthumb comes with the webshot option disabled by default, so only those Timthumb installations are vulnerable to the flaw who have manually enabled the webshot feature.

CHECK AND DISABLE TIMTHUMB “WEBSHOT”
  1. Open timthumb file inside your theme or plugin directory, usually located at "/wp-content/themes//path/to/timthumb.php"
  2. Search for “WEBSHOT_ENABLED
  3. If the you find define ('WEBSHOT_ENABLED', true) , then set the value to “false”, i.e. define (‘WEBSHOT_ENABLED’, false)
Unfortunately, similar multiple security flaws were discovered in TimThumb in the past, leaving millions of WordPress powered websites vulnerable to attack.

Reference- http://thehackernews.com/

No comments:

Post a Comment