Tuesday, December 20, 2011

Securing The TimThumb Script in Wordpress to Prevent Remote Code Execution

TimThumb Vulnerability is not a 0-day vulnerability anymore but there are still vulnerable Wordpress blogs today that are vulnerable to Remote Code Execution which is very risky.

Why this vulnerability is very risky and dangerous? Because it allows hackers to upload a backdoor in your website or deface your website. In fact, the self-proclaimed world’s no.1 hacker Gregory Evan’s blog was pawned with this kind of exploit. But we will not talk about Evan’s issue here whose name is flagged in Security Errata, our main topic is how to secure your TimThumb script if you have  a Wordpress blog that has timthumb.php.

How To Fix and Secure it:
1. Update to the latest version.

2. Omit flickr.com, picasa.com , img.youtube.com, upload.wikimedia.org, photobucket.com, imgur.com, imageshack.us, tinypic.com from this code:

$ALLOWED_SITES = array (        
                                  'flickr.com',         
                                  'picasa.com',         
                                  'img.youtube.com',         
                                  'upload.wikimedia.org',         
                                  'photobucket.com',         
                                  'imgur.com',         
                                  'imageshack.us',         
                                  'tinypic.com',     
                  );

3. Rename the TimThumb script and put some .htacess configuration or file on your sensitive folders just like how you secure an admin page.

4. Install security plugins.

5. Owh and make sure that the script have ALLOW_EXTERNAL line code set to false.

define ('ALLOW_EXTERNAL', FALSE);


You should update your blog or else you could end up like this:



About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.