TimThumb Strikes Again 0-day WordPress

Published by Torry Crass on

This is sadly not the first time this library has caused significant grief for WordPress CMS sites.  The last was back in the fall of 2011 and this latest 0-day is much the same, allowing server based, file level access across sites; possibly even servers depending on configuration.

The specific version cited is 2.8.13 with several other projects having the vulnerability as well.  The good news is that the function that allows this exploit is turned off by default. However, if you need that function, as of this posting, there is no patch or update to resolve this security hole other than disabling the WebShot function within TimThumb or temporarily restricting access at the file level.

If you do decide to modify the system, make sure you have good backups.

To find related files, you can execute the command below from an SSH/console prompt:

Simple Version:

find FILEPATHHERE -name timthumb.php

More Complex/Thorough Version:

find FILEPATHHERE -type f -wholename "*wp-content*" -name "*.php" -print0 | xargs -0 grep -Hl "TimThumb"

This will hopefully help you locate the files.  Once found, you can check them to see if they have an entry as follows:

define (‘WEBSHOT_ENABLED’, false);

If it does, you should be okay until an update is provided, if not, you should consider setting this variable to false immediately until a patch is released.

Another option is to change file permissions to timthumb.php or other affected files.  To change permissions (or rename if you are so inclined), you should be the owner of the file (or a superuser) and execute something like the following on each of the files:

chmod 000 FILENAME.PHP

I will post an update as soon as I hear that patches or fixes are available.


Leave a Reply