TimThumb Vulnerability Bites Another Victim

For the second time in two years, Dan Tynan's website, eSarcasm.com, has been hacked, this time with code that redirected visitors arriving from Google, Yahoo and other search engines to Viagra ad sites. After a thorough security review with Codegarage.com, an online security scanning service similar to Sucuri, they determined that the point of entry was the TimThumb zero-day vulnerability disclosed back in August of 2011.

Last August, a zero-day vulnerability affected TimThumb that allowed hackers to execute their PHP code on any site that was running it. As it turns out, the WordPress theme we bought for the site employs pieces of TimThumb code — including the flaws that were exploited.

Now we have to wait for the spammy search results to evaporate from Google’s cache before everything returns to normal.

Be sure to read the tips that Dan and his security adviser provide on protecting your site. Although the vulnerability was patched soon after its discovery, sites are still being compromised through it. Given the long tail of unmaintained installs and the sheer number of websites running WordPress these days, there is no telling when this point of entry will stop being exploited.

16 Comments


  1. I guess this will be happening a long time into the future.

    Thanks for the link to http://codegarage.com/, I hadn’t heard of them before. Looks like an interesting service, although the “backups kept for 30 days” business seems a bit crappy. I’d want access to much older backups in case I didn’t notice a problem for more than 30 days (entirely possible if something subtle was altered).



  2. TimThumb exploits can be a pain in the ass. Took me nearly two weeks to really get to the bottom of it. And still, the problems only ended when I stopped using the script.



  3. I use/used a shell script that will download a fresh copy of timthumb for all sites that use it; it was a way to replace it without a headache

    # fetch the current upstream copy once, then overwrite every timthumb.php below the current directory with it
    wget -q -O ~/newtim.php http://timthumb.googlecode.com/svn/trunk/timthumb.php
    find . -name 'timthumb.php' -exec sh -c 'echo "patching $1" && cp ~/newtim.php "$1"' _ {} \;
    rm ~/newtim.php

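The script in the comment above overwrites every file named timthumb.php without looking at what was there, and it misses the copies that matter most: themes and plugins frequently ship the script under another name (thumb.php is common), and comment 11 below shows copies lingering after a theme is deleted. The following inventory script is an added example for this editorial pass; it is not code from the original post, the commenter, or the TimThumb project. It finds PHP files under a document root by content, reads the version from TimThumb's own `define ('VERSION', ...)` line, and flags anything below a cut-off. The cut-off of 2.0 (the rewrite released after the August 2011 disclosure) is an assumption you can override with MIN_VERSION, and the fixture directory and stub files it builds are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not from the original post or the TimThumb project): find
# TimThumb copies under a WordPress docroot by content rather than file name,
# report each copy's version and flag those below a cut-off.

# Assumption: 2.0, the August 2011 rewrite, is the cut-off. Anything older is
# reported as VULNERABLE. Override with MIN_VERSION=x.y in the environment.
MIN_VERSION="${MIN_VERSION:-2.0}"

# timthumb_version FILE: print the value from TimThumb's own
# "define ('VERSION', 'x.y');" line, or "unknown" if the file has none.
timthumb_version() {
    v=$(sed -n "s/.*define *( *'VERSION' *, *'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# version_lt A B: succeed when dotted version A sorts numerically below B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# scan_timthumb DIR: print one line per PHP file that mentions TimThumb, as
#   STATUS<TAB>VERSION<TAB>PATH
# STATUS is VULNERABLE (below MIN_VERSION), OK, or UNKNOWN (mentions TimThumb
# but declares no version, e.g. a theme helper or a trimmed copy: review by hand).
scan_timthumb() {
    find "$1" -type f -name '*.php' -print | while IFS= read -r f; do
        grep -qi 'timthumb' "$f" || continue
        v=$(timthumb_version "$f")
        if [ "$v" = unknown ]; then
            status=UNKNOWN
        elif version_lt "$v" "$MIN_VERSION"; then
            status=VULNERABLE
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$v" "$f"
    done
}

# count_vulnerable DIR: number of VULNERABLE findings (prints 0 when none).
count_vulnerable() {
    scan_timthumb "$1" | grep -c '^VULNERABLE' || true
}

# make_fixture: build a constructed sample docroot and print its path. The
# files are stubs, not real TimThumb code; only the header and VERSION line
# matter to the scanner. A renamed copy (thumb.php) is included on purpose.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/oldtheme/scripts" \
             "$root/wp-content/themes/newtheme" \
             "$root/wp-content/plugins/slider/lib"
    cat > "$root/wp-content/themes/oldtheme/scripts/timthumb.php" <<'EOF'
<?php
// TimThumb script (constructed stub of an old 1.x copy)
define ('VERSION', '1.33');
EOF
    cat > "$root/wp-content/plugins/slider/lib/thumb.php" <<'EOF'
<?php
// TimThumb script (constructed stub, renamed and bundled in a plugin)
define ('VERSION', '1.32');
EOF
    cat > "$root/wp-content/themes/newtheme/thumb.php" <<'EOF'
<?php
// TimThumb script (constructed stub of a post-rewrite copy)
define ('VERSION', '2.8.10');
EOF
    cat > "$root/wp-content/themes/newtheme/functions.php" <<'EOF'
<?php
// constructed theme helper: only references TimThumb, declares no version
EOF
    cat > "$root/wp-content/plugins/slider/slider.php" <<'EOF'
<?php
// constructed plugin bootstrap with no thumbnail code at all
EOF
    printf '%s\n' "$root"
}

# Usage: sh timthumb-scan.sh /var/www/site   (prints the inventory)
if [ -n "${1:-}" ]; then
    scan_timthumb "$1"
fi
```

Run it against a real docroot with `sh timthumb-scan.sh /var/www/site` and act on the VULNERABLE and UNKNOWN lines; on the constructed fixture it reports the two 1.x copies (including the renamed plugin copy) as VULNERABLE, the 2.8.10 copy as OK, and the helper that merely references TimThumb as UNKNOWN. Matching on content rather than the file name is the point: a `find -name timthumb.php` sweep would have walked straight past the plugin's thumb.php.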


  4. This continues to expose issues with the THEME > PLUG-IN model that WordPress employs.

    If the core could handle a correlation between themes and the plug-ins, then frameworks and child-like functionalities could be updated without any harm to theme/template/core versioning.

    Sadly plug-in functionality is consistently overwritten by theme functionality, even when that has nothing to do with templating/front-end. It completely falls foul of the most basic MVC-type separation of data, formatting and processing. Thus almost every theme front-loads its functionality into the VIEW aspect rather than the CONTROLLER.

    For WordPress users who are not plugged in to the core or development, that makes it exceptionally difficult to keep both up to date and keep track of. In the short term (1 day) this was a TimThumb issue; in the long term, it's a WordPress Core issue about the management of its data. A decision that has completely gone the way of WP.com and bloggers.

    I’m secretly laughing because when I googled for an article I read which backed this up it came from “he who shall not be named” 14 months ago: http://kevinjohngallagher.com/2011/03/now-theme-disconnect/



  5. Hey Ryan –

    Peter from Codegarage here.

    We hear you. Longer backup retention periods in some form (i.e. daily backups to 30 days, monthly backups up to a year) are on our list, and I'm hoping we'll have it implemented within the next 6 weeks or so. Thanks for having a look!



  6. Be sure to read the tips that Dan and his security adviser provides on protecting your site.

    I’m not familiar with the eSarcasm site, so it’s not obvious to me where on that site to find these tips you’ve mentioned—and there doesn’t seem to be a direct link to them in your article :-(



  7. This is why I stopped using the script altogether. Why take the risk … it is always being updated, which is a pain, and you are never sure if it is stable or not and for how long.




  8. Note: the Theme Check Plugin will also alert that a Theme is using TimThumb.

    This is the Plugin used by the Theme Review Team, and TimThumb alerts as a warning-level notice, which means that a Theme with TimThumb bundled won’t even pass the Theme Repository uploader script checks. Themes using TimThumb are no longer accepted in the official repository, so if you want to be certain that you are not vulnerable, I recommend using a Theme from the official repository.



  9. @Brian Krogsgard – It’s a little off topic, but there’s also a plugin called Theme Updater that will allow anyone who hosts their themes on Github to allow automatic updates through the use of Git Tags. That way any security patches can be fixed and pushed out even if the theme isn’t in the official Repo.

    I think that a non-repo third-party service that verifies themes that are deemed “safe” would be useful, especially since a lot of the best themes use non-GPL compliant parts (Shadowbox, Skeleton Framework, just to name a few)



  10. Lol. I was just contracted to clean a multisite (192 sub-blogs total) hit with the TimThumb exploit not more than 5 days ago… Problem was an out-of-date script in the Nivo Slider plugin (outdated version)… I was astounded that people don't update regularly… or back up, for that matter…

    Funny thing is, that after the site was infected, it ran probes on a long list of dreamhost accounts for the same timthumb exploit…



  11. If you have ever used Swift Theme you need to check your image folder. I discovered TimThumb files left behind after I deleted the theme.

