A new zero-day exploit affecting TimThumb, the image-resizing script bundled with many WordPress themes and plugins, has been found. The flaw is in the WebShot feature, which, when enabled, shells out to an external tool to render a remote web page as an image. The way the request is handed to that tool lets an attacker inject arbitrary shell commands, which then run on the vulnerable website remotely, with no authentication required.
In other words, with a single crafted request an attacker can create, remove or modify any file the web server's user can write to. Researchers at Sucuri tested it out and were able to remove a file in one case and create one in another using the touch command.
“And you are not limited to only these two commands, as many others can be executed remotely (RCE),” the firm said in a blog post.
TimThumb lets WordPress developers crop, zoom and resize web image files such as JPEGs easily for their blogs and other sites. It is widely used and has been exploited in the past. In 2011 it was found to have a serious vulnerability in its remote-image feature, which fetches an image from an external URL and caches it on the server. A whitelist of trusted image hosts was meant to restrict where it would fetch from, but the check was not strict enough: it only tested whether the requested hostname contained a whitelisted domain, so an attacker-controlled host could pass, and a file containing PHP could be written into the web-accessible cache directory and executed.
In this case, Sucuri pointed out that TimThumb ships with the WebShot option disabled by default, which limits the exposure to sites whose theme or plugin has explicitly switched it on. Further, the flaw has been patched and the fix committed to the project's Google Code repository. But TimThumb's creator, Ben Gillbanks, suggests a different path: not to use TimThumb at all.
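Because the exposure depends on a setting and a version, the practical check on a WordPress host is to find every copy of the script and report its version and its effective WebShot flag. The script below is an added example for this article, not Sucuri's or TimThumb's own code. It assumes the define() names used by timthumb.php 2.x ('VERSION' and 'WEBSHOT_ENABLED') and the optional timthumb-config.php override file that sits beside the script; the theme files it audits are constructed for the demonstration, and the version numbers in them are illustrative rather than a statement of which release fixed the bug.

```shell
#!/bin/sh
# Audit a WordPress tree for TimThumb copies and report whether WebShot is on.
# Added example for this article, not Sucuri's or TimThumb's own code.
# Assumptions: timthumb.php 2.x defines 'VERSION' and 'WEBSHOT_ENABLED' with
# define(), and a timthumb-config.php in the same directory may override them.

# Last active (uncommented) value given to define()'d constant $1 in file $2, or "unset".
define_value() {
    name="$1"; file="$2"
    [ -f "$file" ] || { echo unset; return; }
    val=$(grep -iE "define *\( *'$name' *," "$file" \
          | grep -vE '^[[:space:]]*(//|#|\*|/\*)' \
          | tail -n 1 \
          | sed -E "s/.*define *\( *'$name' *, *'?([A-Za-z0-9._]+)'?.*/\1/")
    [ -n "$val" ] && echo "$val" || echo unset
}

# Report one TimThumb copy as "path<TAB>version<TAB>webshot".
# timthumb-config.php takes precedence over the defaults inside timthumb.php.
audit_timthumb() {
    f="$1"; dir=$(dirname "$f")
    version=$(define_value VERSION "$f")
    webshot=$(define_value WEBSHOT_ENABLED "$dir/timthumb-config.php")
    [ "$webshot" = unset ] && webshot=$(define_value WEBSHOT_ENABLED "$f")
    [ "$webshot" = unset ] && webshot=false   # TimThumb's own default is off
    printf '%s\t%s\t%s\n' "$f" "$version" "$webshot"
}

# Walk a tree; themes often rename timthumb.php to thumb.php, so match both.
audit_tree() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) | sort | while read -r f; do
        audit_timthumb "$f"
    done
}

# Number of copies in the tree with WebShot switched on (case-insensitive true).
webshot_enabled_count() {
    audit_tree "$1" | awk -F'\t' 'tolower($3)=="true"{n++} END{print n+0}'
}

# --- demonstration on constructed files (not real theme code) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-content/themes/alpha" "$DEMO/wp-content/themes/beta" "$DEMO/wp-content/themes/gamma"
cat > "$DEMO/wp-content/themes/alpha/timthumb.php" <<'EOF'
<?php
define ('VERSION', '2.8.13');
// define ('WEBSHOT_ENABLED', true);   // commented out, must be ignored
if(! defined('WEBSHOT_ENABLED') )  define ('WEBSHOT_ENABLED', false);
EOF
cat > "$DEMO/wp-content/themes/beta/thumb.php" <<'EOF'
<?php
define ('VERSION', '2.8.13');
if(! defined('WEBSHOT_ENABLED') )  define ('WEBSHOT_ENABLED', false);
EOF
cat > "$DEMO/wp-content/themes/beta/timthumb-config.php" <<'EOF'
<?php
define ('WEBSHOT_ENABLED', true);   // the theme switched WebShot on
EOF
cat > "$DEMO/wp-content/themes/gamma/timthumb.php" <<'EOF'
<?php
define ('VERSION', '2.8.14');
define ('WEBSHOT_ENABLED', TRUE);
EOF
audit_tree "$DEMO"
echo "copies with WebShot enabled: $(webshot_enabled_count "$DEMO")"
```

Run it against a real install with `audit_tree /var/www/html` (path is an example) and treat any row whose third column is true, or whose version predates the patched release in the project's changelog, as needing action: set WEBSHOT_ENABLED to false or replace the script. The audit only reads constants, so a theme that enables WebShot at runtime through some other mechanism would be missed, and the grep-based parsing assumes one define() per line.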
“I haven’t written about TimThumb in a while,” said Gillbanks in a blog. “This is because I no longer maintain it (apart from times like now when these security things appear). Plus – there’s just better ways now. WordPress has had support for post thumbnails for ages now – and I use these all the time in my themes. I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011.”