The timthumb utility, which handles cropping, zooming and resizing of web images, is used by millions of blogs running certain themes. Because it writes fetched files into a cache directory during the image-resizing process, it can be abused to launch web attacks.
Feedjit CEO Mark Maunder discovered the vulnerability during an audit of a successful attack on his own blog.
Eventually I found it. The hacker had done an eval(base64_decode(‘…long base64 encoded string’)) in one of the WordPress PHP files. My bad for allowing that file to be writeable by the web server. Read on, because even if you set your file permissions correctly on the WordPress PHP files, you may still be vulnerable.
But what I really wanted to know was how the hell he wrote to a file on my machine.
I checked my nginx and apache access and error logs and eventually found a few PHP errors in the apache log that clued me in.
Turns out the theme I’m using, Memoir, which I bought for $30 from ElegantThemes.com, uses a library called timthumb.php. timthumb.php uses a cache directory which lives under wp-content, and it writes to that directory when it fetches an image and resizes it.
If you can figure out a way to get timthumb to fetch a php file and put it in that directory, you’re in.
Maunder has submitted a patch for the open-source utility and has posted detailed instructions for WordPress users to check and mitigate the vulnerability.
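The two conditions the article describes (a timthumb.php cache directory the web server writes into, and WordPress PHP files the web server can rewrite) can both be checked from the filesystem. The script below is an added example written for this page; it is not Maunder's patch, not the timthumb project's code, and not the instructions he published. Its helper names are hypothetical, and the WordPress-like directory tree it builds in build_sample_site() is constructed for the demonstration. It lists every timthumb.php copy under a root, flags cache entries that contain a PHP open tag or an eval(base64_decode(...)) payload (a thumbnail cache should hold only image bytes), and lists PHP files with the world-writable bit set.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Added example, not Maunder's patch or the timthumb project's code. The helper
# names are hypothetical; the tree built by build_sample_site() is constructed.

PHP_TAG = re.compile(rb"<\?php\b|<\?=")
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")
JPEG_MAGIC = b"\xff\xd8\xff"


def find_timthumb_copies(root):
    """List every timthumb.php under root, whichever theme or plugin bundles it."""
    return sorted(str(p) for p in Path(root).rglob("*.php")
                  if p.name.lower() == "timthumb.php")


def suspicious_cache_files(root, cache_dirname="cache"):
    """A thumbnail cache should contain only image bytes. Flag any file under a
    directory named `cache` that carries a PHP open tag or an
    eval(base64_decode(...)) payload, whatever its extension says."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name != cache_dirname:
            continue
        for name in filenames:
            p = Path(dirpath) / name
            data = p.read_bytes()
            if EVAL_B64.search(data):
                findings.append((str(p), "eval(base64_decode(...)) payload"))
            elif PHP_TAG.search(data):
                findings.append((str(p), "PHP open tag inside cache file"))
    return sorted(findings)


def is_world_writable(mode):
    """True when the 'other' write bit is set (e.g. mode 0o666 or 0o777)."""
    return bool(mode & stat.S_IWOTH)


def world_writable_php(root):
    """PHP files any local account, the web server's included, may rewrite."""
    return sorted(str(p) for p in Path(root).rglob("*.php")
                  if is_world_writable(p.stat().st_mode))


def scan(root):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "timthumb": find_timthumb_copies(root),
        "cache_findings": suspicious_cache_files(root),
        "world_writable_php": world_writable_php(root),
    }


def build_sample_site():
    """Constructed WordPress-like tree: a theme bundling a stand-in timthumb.php,
    one clean cached JPEG, one cache entry carrying a PHP payload, and one
    deliberately world-writable PHP file. Returns the temporary root path."""
    root = Path(tempfile.mkdtemp(prefix="wp_sample_"))
    theme = root / "wp-content" / "themes" / "sample-theme"
    cache = theme / "cache"
    cache.mkdir(parents=True)
    (theme / "timthumb.php").write_bytes(
        b"<?php\n// constructed stand-in for timthumb.php\n")
    os.chmod(theme / "timthumb.php", 0o644)
    (cache / "clean.jpg").write_bytes(JPEG_MAGIC + b"\x00" * 32)
    # Constructed payload with a placeholder instead of a real encoded string.
    (cache / "a1b2c3.jpg").write_bytes(
        b"<?php eval(base64_decode('PLACEHOLDER_BASE64'));\n")
    wp_file = root / "wp-content" / "writable.php"
    wp_file.write_bytes(b"<?php // constructed file, deliberately chmod 666\n")
    os.chmod(wp_file, 0o666)
    return str(root)


if __name__ == "__main__":
    for check, items in scan(build_sample_site()).items():
        print(check)
        for item in items:
            print("  ", item)
```

Point scan() at a real document root to run the same checks there; a non-empty cache_findings list is the strongest signal, since nothing legitimate puts PHP source into an image cache.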