Sep 24, 2012

Timthumbs up!

Buying a ready-made WordPress theme couldn't be easier nowadays. For us, buying one means sparing ourselves the pain-in-the-butt task of designing a WordPress theme from scratch.

However, we are often unaware of the list of scripts and plugins bundled with the theme. Even when the theme seller mentions them (and most of the time they don't), we care little about their versions, because we see them as just small components of a big, functional WordPress framework.

An obvious example is timthumb.php, a script widely bundled with WordPress themes for cropping, zooming and resizing web images. Since August 2011, timthumb has been known to account for a disastrous number of compromised websites, and the number keeps growing as long as unpatched copies of timthumb ship inside themes that unaware users have yet to buy.

In its earlier versions (1.* to 1.32), timthumb is prone to a remote code execution vulnerability because the script does not check remotely fetched files properly before caching them. By crafting a special image file with a valid MIME type and appending PHP code to the end of it, an attacker can fool timthumb into believing that it is a legitimate image, so that timthumb caches it locally in its cache directory, from where it can then be executed[1].

Looking at code revision r141, line 668, the entries of the $allowedSites array are matched with a plain strpos() substring check, so an attacker can register a hostname that merely contains an allowed site's name (an allowed site's name followed by the attacker's own domain, for instance) and make timthumb treat it as one of the allowed sites to fetch content from. Code revision r143 fixed this with a simple patch: a '/' appended to each allowed site in the check.
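The following is an added example, not TimThumb's own code: it shows the shape of the substring check described above beside a hardened replacement that parses the URL and compares the host against each allowed site on a dot boundary. The $allowedSites entries, the function names and the test URLs are constructed for this demo. The vulnerable function tests the whole URL, the weakest form of the check; a strpos() over the host alone is still bypassed by the first attacker URL, and if a trailing '/' is appended to a pattern that is still a substring test over the URL, 'blogger.com/' also matches inside a path.

```php
<?php
// Added example (not TimThumb's code): substring-based allowed-site check
// beside a hardened host check. List and URLs are constructed for the demo.

$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com', 'img.youtube.com');

// Vulnerable shape: a bare strpos() substring test. "blogger.com" occurs
// inside "blogger.com.attacker.example", so the attacker's host passes.
function isAllowedVulnerable($src, array $allowedSites) {
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($src), strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: parse the URL, require http(s), and accept the host only if it
// equals an allowed site or ends with ".<allowed site>" (dot boundary).
function isAllowedHardened($src, array $allowedSites) {
    $parts = parse_url($src);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed test URLs: one legitimate subdomain, four bypass attempts.
$tests = array(
    'http://farm1.static.flickr.com/photo.jpg',       // subdomain of an allowed site
    'http://blogger.com.attacker.example/shell.php',  // allowed name as prefix of attacker host
    'http://attacker.example/blogger.com/shell.php',  // allowed name only in the path
    'http://attacker.example/?flickr.com',            // allowed name only in the query
    'http://notblogger.com/x.jpg',                    // allowed name as suffix without a dot
);
foreach ($tests as $url) {
    printf("%-48s vulnerable=%-5s hardened=%s\n", $url,
        isAllowedVulnerable($url, $allowedSites) ? 'true' : 'false',
        isAllowedHardened($url, $allowedSites) ? 'true' : 'false');
}
```

Run it with `php allowed.php`: the vulnerable check returns true for all five URLs, the hardened one only for the flickr.com subdomain. The dot-boundary comparison on the parsed host is what matters; any check that still searches for the site name as a substring of the raw URL can be satisfied by the path or query string.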

If you happen to have bought an old WordPress theme (bundled with a vulnerable timthumb), it is good practice to update timthumb to the latest version from its repository; newer versions also disable fetching from external sites by default (the ALLOW_EXTERNAL setting), which removes this attack surface entirely. You can start by installing a WordPress plugin called Timthumb Vulnerability Scanner, which scans your WordPress directory for existing copies of timthumb, reports their versions and tells you whether they are out of date and need updating.
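As an added example serving both the polyglot description above and the version check just mentioned (this is not code from the original post, from TimThumb or from the scanner plugin), the script below walks a WordPress directory and reports two things: copies of timthumb.php (or thumb.php, a common renamed copy) whose VERSION constant is older than MIN_SAFE_VERSION, and files under a directory named cache that start with a JPEG, PNG or GIF signature but contain a PHP open tag further in. It assumes the script declares its version as define('VERSION', '1.32'), that the cache directory is literally named cache, and it takes 1.33 as the first fixed version from the 1.* to 1.32 range given above; raise that constant to the current release before relying on it.

```php
<?php
// Added example, not code from the original post or from any scanner plugin.
// Audits a WordPress tree for out-of-date timthumb copies and for cached
// image/PHP polyglots. Assumptions: define('VERSION', 'x.yy') in the script,
// a cache directory literally named "cache", and 1.33 as first safe version.

define('MIN_SAFE_VERSION', '1.33');

// Extract the VERSION constant from a timthumb copy, or null if absent.
function timthumbVersion($path) {
    $src = file_get_contents($path);
    if ($src === false) {
        return null;
    }
    $re = '/define\s*\(\s*[\'"]VERSION[\'"]\s*,\s*[\'"]([0-9][0-9.]*)[\'"]\s*\)/';
    return preg_match($re, $src, $m) ? $m[1] : null;
}

// True when the file starts with a JPEG, PNG or GIF signature and a PHP
// open tag appears in the body. Matching "<?php" and "<?=" rather than a
// bare "<?" avoids false positives on XMP metadata ("<?xpacket"), at the
// cost of missing code that relies on short_open_tag.
function hasEmbeddedPhp($path) {
    $data = file_get_contents($path, false, null, 0, 1048576); // first 1 MiB
    if ($data === false || strlen($data) < 4) {
        return false;
    }
    $isImage = false;
    foreach (array("\xFF\xD8\xFF", "\x89PNG", "GIF8") as $magic) {
        if (strncmp($data, $magic, strlen($magic)) === 0) {
            $isImage = true;
            break;
        }
    }
    if (!$isImage) {
        return false;
    }
    return preg_match('/<\?(php\b|=)|<script\s+language\s*=\s*[\'"]?php\b/i', $data) === 1;
}

// Walk the tree and return findings as a list of strings.
function auditTree($root) {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        $path = $file->getPathname();
        $name = strtolower($file->getFilename());
        if ($name === 'timthumb.php' || $name === 'thumb.php') {
            $v = timthumbVersion($path);
            if ($v === null) {
                $findings[] = "UNKNOWN  $path (no VERSION constant found)";
            } elseif (version_compare($v, MIN_SAFE_VERSION, '<')) {
                $findings[] = "OUTDATED $path (version $v)";
            }
        } elseif (strtolower(basename(dirname($path))) === 'cache' && hasEmbeddedPhp($path)) {
            $findings[] = "POLYGLOT $path (image header followed by a PHP tag)";
        }
    }
    return $findings;
}

$root = isset($argv[1]) ? $argv[1] : 'wp-content';
$findings = auditTree($root);
foreach ($findings as $line) {
    echo $line, "\n";
}
echo count($findings), " finding(s) under $root\n";
```

Run it as `php audit.php /var/www/html/wp-content`. A POLYGLOT hit in a cache directory is evidence that the fetch-and-cache path has already been abused and the file should be removed and the site investigated, not just the script updated; an OUTDATED or UNKNOWN hit means the copy needs replacing with the current release (or removing, if the theme no longer needs it).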