Developers were not informed of the availability of the exploit

Jun 27, 2014 10:17 GMT

Three days ago, a zero-day vulnerability was discovered in TimThumb, a plug-in used in numerous blogs and applications designed to resize images. Today, the developers have released a fix that can be applied by updating to the latest version (2.8.14) of the utility.

TimThumb is a PHP script that crops, zooms and resizes JPG, PNG and GIF images into thumbnails. Its versatility led to its adoption in many WordPress themes.

The vulnerability affected TimThumb's Webshot feature, which takes snapshots of web pages as they would be rendered in a web browser and processes them into screenshots.

Exploiting the security flaw would allow a potential attacker to execute certain commands on the vulnerable website without requiring any authentication. Basically, the intruder would have access to the data stored on the server and be able to add malicious code to be served to unsuspecting visitors.

Daniel Cid of Sucuri has presented the code that could be used by cybercriminals to create and remove arbitrary files on the server, here using the rm and touch commands:

http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://vulnerablesite.com/$(rm$IFS/tmp/a.txt)

http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://vulnerablesite.com/$(touch$IFS/tmp/a.txt)
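Site operators who want to know whether the pattern above was ever thrown at them can look for it in their web server access logs. The script below is an added example written for this article, not code from Sucuri or the TimThumb project: it parses Apache combined-format lines, URL-decodes the query string (a plain grep for "$(" misses encoded requests) and flags requests to timthumb.php whose src parameter carries shell command-substitution syntax. The log lines, IP addresses and the "pluginX" path are constructed sample data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines for this example (not real traffic).
# Line 2 carries the $(touch$IFS/tmp/a.txt) payload shown in the article; line 3
# carries the same payload URL-encoded, which a raw-text grep would not catch.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jun/2014:10:17:01 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?src=http://example.com/a.jpg&w=100 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Jun/2014:10:17:02 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://example.com/$(touch$IFS/tmp/a.txt) HTTP/1.1" 200 312 "-" "curl/7.30"
203.0.113.9 - - [27/Jun/2014:10:17:03 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http%3A%2F%2Fexample.com%2F%24%28touch%24IFS%2Ftmp%2Fa.txt%29 HTTP/1.1" 200 312 "-" "curl/7.30"
203.0.113.7 - - [27/Jun/2014:10:17:04 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://example.com/page.html HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
198.51.100.2 - - [27/Jun/2014:10:17:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell command substitution / parameter expansion syntax that has no business in an image URL.
SHELL_META = re.compile(r'\$\(|`|\$\{|\$IFS')


def parse_line(line):
    """Split one combined-log line into the fields the check needs; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'path': parts.path,
        # parse_qs percent-decodes values, so encoded and raw payloads look the same here
        'query': parse_qs(parts.query, keep_blank_values=True),
        'status': int(m.group('status')),
    }


def classify(entry):
    """Return a verdict for a parsed request, or None if it is not of interest."""
    if not entry['path'].endswith('/timthumb.php'):
        return None
    query = entry['query']
    src = query.get('src', [''])[0]
    webshot = query.get('webshot', [''])[0]
    if SHELL_META.search(src):
        return 'command_injection_attempt'
    if webshot == '1':
        # Not an attack by itself, but worth knowing the feature is being exercised at all
        return 'webshot_request'
    return None


def scan(log_text):
    """Run the check over a whole log; returns (ip, timestamp, verdict, decoded src) tuples."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            findings.append((entry['ip'], entry['ts'], verdict, entry['query'].get('src', [''])[0]))
    return findings


if __name__ == '__main__':
    for ip, ts, verdict, src in scan(SAMPLE_LOG):
        print(f'{ts} {ip} {verdict}: src={src}')
```

Run against the sample, the scanner reports the raw and the encoded injection attempt from 203.0.113.9 and, separately, the ordinary Webshot request; the plain thumbnail request and the unrelated index.php hit are ignored. On a real server, feed it the access log with `scan(open(path).read())` and treat any webshot_request as a prompt to confirm the feature is actually meant to be on.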

However, despite the gloomy scenario, the number of websites affected by the vulnerability was not too large, because the Webshot feature was still in beta and was not enabled by default.

Only administrators that activated it from the TimThumb script ran the risk of being plundered. Furthermore, even if enabled, executing the Webshot code requires two server-side extensions to be installed.

Also, as soon as word of the zero-day got out, the obvious fix was to disable the feature, which many hurried to do.

If updating to the latest version of TimThumb is not possible, it is advisable to check if the affected feature is turned on or off; simply open the TimThumb script and look for the “WEBSHOT_ENABLED” string. If found, make sure that it is set to “false.”
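The manual check described above scales poorly on a host with many themes and plug-ins, each shipping its own copy of the script. The following is an added example for this article, not code from the TimThumb project: it locates every timthumb.php under a directory, reads the VERSION and WEBSHOT_ENABLED values from the script's PHP define() calls, and reports whether the copy is patched, needs updating, or is both outdated and exposed. The three sample scripts are constructed for the example and only reproduce the define() lines the check looks at.

```python
import re
from pathlib import Path

FIXED_VERSION = '2.8.14'  # the release the article names as carrying the fix

# Constructed stand-ins for the top of a timthumb.php file; the define() style
# mirrors how TimThumb declares its settings, but these are not real theme files.
SAMPLE_SCRIPTS = {
    'themes/alpha/timthumb.php': "<?php\ndefine ('VERSION', '2.8.13');\n"
                                 "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);\n",
    'themes/beta/timthumb.php': "<?php\ndefine ('VERSION', '2.8.13');\n"
                                "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);\n",
    'plugins/gamma/timthumb.php': "<?php\ndefine ('VERSION', '2.8.14');\n"
                                  "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);\n",
}

VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)")
WEBSHOT_RE = re.compile(r"define\s*\(\s*['\"]WEBSHOT_ENABLED['\"]\s*,\s*(true|false)\s*\)", re.IGNORECASE)


def version_tuple(version):
    """'2.8.13' -> (2, 8, 13) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split('.'))


def check_script(text):
    """Inspect the source of one timthumb.php and classify it."""
    ver = VERSION_RE.search(text)
    # PHP honours the first define() of a constant and ignores later ones, so take the first match
    ws = WEBSHOT_RE.search(text)
    version = ver.group(1) if ver else None
    webshot = (ws.group(1).lower() == 'true') if ws else None
    if version is not None and version_tuple(version) >= version_tuple(FIXED_VERSION):
        status = 'patched'
    elif webshot is True:
        status = 'vulnerable'            # old code with the exposed feature switched on
    elif webshot is False:
        status = 'update_recommended'    # feature off, but the script is still outdated
    else:
        status = 'unknown'               # no recognisable define() lines; inspect by hand
    return {'version': version, 'webshot_enabled': webshot, 'status': status}


def check_tree(root):
    """Walk a real install and check every timthumb.php under it (paths keyed by location)."""
    return {str(path): check_script(path.read_text(errors='replace'))
            for path in Path(root).rglob('timthumb.php')}


if __name__ == '__main__':
    for name, source in SAMPLE_SCRIPTS.items():
        print(name, check_script(source))
```

For a live site, `check_tree('/var/www/html/wp-content')` returns one result per copy found. One caveat: TimThumb also loads a timthumb-config.php from the same directory when present, and a define() there takes precedence over the one in the script, so a config file that turns Webshot on would not be seen by a check that reads only timthumb.php; extend the walk to include that file if your themes use it.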

There is no information on whether the exploit provided on the Full Disclosure mailing list was successfully used in the wild.

It seems that the public disclosure of the exploit leveraging the security flaw took TimThumb developers by surprise as they received no information about it.

Back in 2011, TimThumb's security holes were exploited and thousands of WordPress websites were compromised. Those attacks were carried out with the Blackhole toolkit, which took advantage of a vulnerability in the PHP script to upload and execute malicious code in the cache directory, which in turn downloaded other malicious files.