A security alert went out this week to people who are using WordPress to host websites. The problem emerged in the last few days with a third party plugin that is in common use. The WordPress plugin in question is called TimThumb and is used to upload and resize image files.
“Zero-day flaw in WordPress image utility allows to upload files and execute codes” via Hacker News.
The file in question can be identified by the name timthumb.php.
Mark Maunder, who developed the original plugin, had his blog hacked: he woke one day to find it compromised and showing adverts, which he does not run on his blog.
The fascinating technical details of the hack and how it took place can be found here.
After much hard work, Mark managed to track down the hack and eliminate it. Essentially the hacker had used a backdoor to upload a file which was disguised as an image. The file was then executed; it compiled itself into a program and installed further code into the header file of his theme.
The shocking thing is that if you know how to search, one can find many websites that are open to this particular exploit. The problem was not with WordPress itself but with the plugin, which should have been written better. In a nutshell, Mark assigned full privileges to the folder where the images were being uploaded: full read and write access for everyone, chmod 777. Mark has since re-written the plugin and given it a new name: Wordthumb.php.
As Mark says:
“The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.”
The lesson here is to beware of third party plugins: if not properly written they can provide easy access to hackers, who can then take over your website for their own purposes. Also, if you are running WordPress as the CMS for your website, check and double check for this file, and if you find it get rid of it ASAP, then change all your passwords.
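To make the two points above concrete (the root cause Mark describes of writing remote content into a world-writable, web-served folder, and the advice to check your install for the file), here is an added audit script. It is example code written for this post, not code from TimThumb, Wordthumb or WordPress: it walks a WordPress tree for copies of timthumb.php and for directories that are world-writable (the chmod 777 situation), and it shows a minimal gate for fetched "image" bytes that refuses anything without a real image header or with a PHP open tag embedded in it. The sample directory layout and byte strings used in the test are constructed; the web-root path is an assumption you supply on the command line.

```python
"""Added example (not from the original post or from TimThumb/Wordthumb):
audit a WordPress tree for the issues the article describes and gate
remote 'image' content before it is written anywhere. Paths and sample
bytes used here are constructed for illustration."""
import os
import stat
import sys
from pathlib import Path

# File name the article identifies; matched case-insensitively.
SUSPECT_NAMES = {"timthumb.php"}

# Magic numbers for the formats an image resizer would accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def find_timthumb_copies(root):
    """Return paths of files named timthumb.php (any case) under root."""
    return sorted(
        str(p) for p in Path(root).rglob("*")
        if p.is_file() and p.name.lower() in SUSPECT_NAMES
    )


def world_writable_dirs(root):
    """Return directories under root whose mode grants write to 'other',
    i.e. what chmod 777 produces. A web server process tricked into writing
    a file can drop it anywhere in such a directory."""
    found = []
    for dirpath, _, _ in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            found.append(dirpath)
    return sorted(found)


def sniff_image(data):
    """Return the image type by magic number, or None if the bytes do not
    start like any known image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def is_safe_image_payload(data):
    """Cheap first gate for fetched content: must carry a real image header
    and must not contain a PHP open tag anywhere (an 'image' with code
    appended is exactly the disguise the article describes). Re-encoding the
    image through a graphics library is the stronger fix; this is the check
    to run before anything touches disk."""
    return sniff_image(data) is not None and b"<?php" not in data.lower()


def safe_cache_dir(path, web_root):
    """True if path is outside web_root and not world-writable, so remote
    content written there cannot be served, let alone executed, by the web
    server. Both paths must exist."""
    p = Path(path).resolve()
    w = Path(web_root).resolve()
    inside_web_root = p == w or w in p.parents
    world_writable = bool(os.stat(p).st_mode & stat.S_IWOTH)
    return not inside_web_root and not world_writable


def audit(root):
    """Collect both classes of finding for a WordPress install at root."""
    return {
        "timthumb": find_timthumb_copies(root),
        "world_writable": world_writable_dirs(root),
    }


if __name__ == "__main__":
    # Assumed usage: python audit.py /path/to/wordpress (path is yours to supply)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    report = audit(target)
    for label, paths in report.items():
        print(f"{label}: {len(paths)} finding(s)")
        for item in paths:
            print("  " + item)
```

Run it against the document root of each site you host; any hit under "timthumb" is the file the article tells you to remove, and any hit under "world_writable" is a folder whose permissions should be tightened before you assume the site is clean.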