New WordPress security vulnerability through TimThumb

WordPress is a very popular blogging tool that is used by 14.7% of Alexa's top 1 million websites, and it is of course the same tool we use to write these posts. Because of its widespread use and popularity, it comes under attack fairly frequently.

One of the more recent attacks exploits the PHP script TimThumb, a tool for image cropping and resizing. The attack works by disguising the payload as a GIF image using fake header data. This confuses intrusion detection and prevention systems, which take the file for an image and ignore it. In reality it is a zip archive carrying malicious code. The attackers obfuscate it further by encoding and compressing it several times, so that it only works when decoded and decompressed in the correct order.

The payload of this attack is usually code that opens a backdoor on the server hosting the site. From there, attackers can do what they want with the server, which usually means making it part of a botnet.

This attack also goes beyond WordPress, because TimThumb is a common PHP script that is used in many other applications too.

To protect against this attack, users can disable remote images or get further protection through something like the Timthumb Vulnerability Scanner.
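The disguised-GIF trick described above can be caught on the upload path by checking more than the magic bytes. The following is an added example, not part of the original post and not TimThumb's own code: it parses the GIF header and trailer and flags blobs that carry a GIF signature but also PHP or zip markers. All three sample blobs are constructed for the demonstration.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# Byte sequences that have no business inside a genuine image file.
SUSPICIOUS = (b"<?php", b"<?=", b"<script", b"PK\x03\x04",
              b"eval(", b"base64_decode(")


def classify_upload(data: bytes) -> str:
    """Return 'gif', 'polyglot' or 'not-gif' for an uploaded blob.

    'polyglot' means the blob starts like a GIF but also contains code or
    archive markers, i.e. the image header is only a disguise.
    """
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        return "not-gif"
    # Logical Screen Descriptor: width, height (little-endian) and packed flags.
    width, height, packed = struct.unpack("<HHB", data[6:11])
    if width == 0 or height == 0:
        return "not-gif"
    body = data[13:]
    # Skip the global colour table, if present, so its bytes are not scanned.
    if packed & 0x80:
        body = body[3 * (2 << (packed & 0x07)):]
    lowered = body.lower()
    if any(marker.lower() in lowered for marker in SUSPICIOUS):
        return "polyglot"
    # A real GIF ends with the 0x3B trailer byte.
    if data[-1] != 0x3B:
        return "not-gif"
    return "gif"


# Constructed 1x1 GIF89a (a real, well-formed image).
REAL_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"
            + b"\x00\x00\x00\xff\xff\xff"
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            + b"\x02\x02\x44\x01\x00\x3b")
# Constructed disguise: a GIF header followed by a PHP tag (placeholder body).
FAKE_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"
            + b"<?php /* constructed sample, not a real payload */ ?>\x3b")
# Constructed plain script with no image header at all.
NOT_GIF = b"<?php echo 1; ?>"

if __name__ == "__main__":
    for name, blob in (("real", REAL_GIF), ("fake", FAKE_GIF), ("script", NOT_GIF)):
        print(name, classify_upload(blob))
```

The marker scan is a triage heuristic: compressed LZW image data can in rare cases contain these byte sequences by chance, so a hit should quarantine the file for review rather than replace re-encoding uploads through an image library.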


4 thoughts on “New WordPress security vulnerability through TimThumb”

  1. Seeing and knowing how many sites allow users to upload images, including .gifs, makes this a huge threat. The fact that people can gain access to unprotected upload forms has always been there, but it’s never occurred to me that images could also be exploited.

  2. When the exploit was released and being sold, there were scripts that attackers could point and click at WordPress blogs, and that also used Google “dorks” to find vulnerable websites with minimal effort.

  3. Images are a form of infiltration that is not often thought of as a risk. You can store a significant amount of information in an image, pass it off as risk free, and infiltrate a system.

  4. This is a brilliant opening attack. The hackers knew how many sites use that tool, and they took advantage of the ability to change header files to open that backdoor and allow further access. I applaud whoever thought of this; however, on the other side of my mind I fear for my own safety, due to the fact that we use this for our class posts.
