Hackers attack zero-day flaw in WordPress themes

Hackers attack zero-day flaw in WordPress themes

Summary: A security hole in a widely used image resizing utility has exposed millions of WordPress blogs to malicious hacker attacks.

TOPICS: Browser

Malicious hackers have pounced on a zero-day vulnerability in a widely used image-resizing utility that ships with themes for the popular WordPress blogging platform.

The timthumb utility, used to handle cropping, zooming and resizing web images, is used by millions of blogs running certain themes and because it writes files into a directory during the image-resizing process, it can be used to launch web attacks.

Feedjit CEO Mark Maunder discovered the vulnerability during an audit of a successful attack on his own blog.follow Ryan Naraine on twitter

Eventually I found it. The hacker had done an eval(base64_decode(‘…long base64 encoded string’)) in one of WordPress PHP files. My bad for allowing that file to be writeable by the web server. Read on, because even if you set your file permissions correctly on the WordPress php files, you may still be vulnerable.

But what I really wanted to know was how the hell he wrote to a file on my machine.

I checked my nginx and apache access and error logs and eventually found a few PHP errors in the apache log that clued me in.

Turns out the theme I’m using, Memoir, which I bought for $30 from ElegantThemes.com uses a library called timthumb.php. timthumb.php uses a cache directory which lives under wp-content and it writes to that directory when it fetches an image and resizes it.

If you can figure out a way to get timthumb to fetch a php file and put it in that directory, you’re in.

Maunder has submitted a patch for the open-source utility and has posted detailed instructions for WordPress users to check and mitigate the vulnerability.

Topic: Browser

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Hackers attack zero-day flaw in WordPress themes

    Is timthumb.php something you would be downloading yourself or a plug in you would know you are using? I use Magazine Basic, free, and except for choosing the image size to insert in the gallery, do all my image editing before uploading to the gallery. I just size and position options in the gallery itself when inserting the image in the post.
    • RE: Hackers attack zero-day flaw in WordPress themes

      @barbsbooks Plugins can be integrated into themes in Wordpress. I mean you basically just copy the code. Pretty shameful of ElegantThemes.com to include something like TimThumb and not even mention it...
  • RE: Hackers attack zero-day flaw in WordPress themes

    Timthumb is actually pretty common in WordPress themes, WordPress just introduced the featured image functionality a while back, before that there were very few ways to dynamically display and resize images and timthumb end up as the method of choice. Overall, besides this issue, the script itself has improved greatly and can allow for a theme to dynamically pull the first image in a post and resize it to the proper dimensions for you. Since WordPress built the functionality in a few versions back, slowly theme developers are migrating away from it but it takes a good amount of recoding and its going to be a while before its obsolete.
  • RE: Hackers attack zero-day flaw in WordPress themes

    Fortunately, we don't use "timthumb", I searched timthumb.php on my site and there isn't!

    In fact, why this kind of flaw is called "zero day"? Are there other dangerous flaws?
  • RE: Hackers attack zero-day flaw in WordPress themes

    support@elegantthemes.com, Thu, Aug 4, 2011,
    subject: Important ElegantThemes Security Update
    You are receiving this email because you are an active member of ElegantThemes.com. In the past, our themes have used a popular image re-sizing script called Timthumb (http://www.binarymoon.co.uk/projects/timthumb/). The script is used by millions of sites and is quite popular in the WordPress themeing community. That being said, it was noted yesterday that a vulnerability exists within certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212), and therefore this vulnerability may also exist in your theme (depending on when you last updated it). While that author has provided a fix, it is highly recommended that you update all of your EelgantThemes themes to their latest versions. The latest versions of our themes no longer utilize the timthumb script and therefore are not subject to this security hole.
  • underpricedhost.com

    yes i do see that it affected quite few wordpress blogs on our server underpricedhost.com