Hackers attack zero-day flaw in WordPress themes

Summary:A security hole in a widely used image resizing utility has exposed millions of WordPress blogs to malicious hacker attacks.

Malicious hackers have pounced on a zero-day vulnerability in a widely used image-resizing utility that ships with themes for the popular WordPress blogging platform.

The timthumb utility, used to handle cropping, zooming and resizing web images, is used by millions of blogs running certain themes and because it writes files into a directory during the image-resizing process, it can be used to launch web attacks.

Feedjit CEO Mark Maunder discovered the vulnerability during an audit of a successful attack on his own blog.

follow Ryan Naraine on twitter

Eventually I found it. The hacker had done an eval(base64_decode(‘…long base64 encoded string’)) in one of WordPress PHP files. My bad for allowing that file to be writeable by the web server. Read on, because even if you set your file permissions correctly on the WordPress php files, you may still be vulnerable.

But what I really wanted to know was how the hell he wrote to a file on my machine.

I checked my nginx and apache access and error logs and eventually found a few PHP errors in the apache log that clued me in.

Turns out the theme I’m using, Memoir, which I bought for $30 from ElegantThemes.com uses a library called timthumb.php. timthumb.php uses a cache directory which lives under wp-content and it writes to that directory when it fetches an image and resizes it.

If you can figure out a way to get timthumb to fetch a php file and put it in that directory, you’re in.

Maunder has submitted a patch for the open-source utility and has posted detailed instructions for WordPress users to check and mitigate the vulnerability.

Topics: Enterprise Software


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.