Tuesday, December 20, 2011
Securing The TimThumb Script in Wordpress to Prevent Remote Code Execution
Posted by Shipcode at 20.12.11
Labels: backdoor shells, remote code execution, security, timthumb vulnerability, wordpress
The TimThumb vulnerability is no longer a 0-day, but there are still WordPress blogs today running a vulnerable timthumb.php that exposes them to Remote Code Execution, which is very risky.
Why is this vulnerability so risky and dangerous? Because it lets attackers upload a backdoor to your website or deface it. In fact, the blog of the self-proclaimed world's no. 1 hacker, Gregory Evans, was pwned with this kind of exploit. But we will not talk about Evans's issue here (his name is flagged in Security Errata); our main topic is how to secure your TimThumb script if you have a WordPress blog that ships timthumb.php.
How To Fix and Secure it:
2. Remove flickr.com, picasa.com, img.youtube.com, upload.wikimedia.org, photobucket.com, imgur.com, imageshack.us and tinypic.com from the $ALLOWED_SITES array so that it is left empty. The stock array looks like this:
$ALLOWED_SITES = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
    'imgur.com',
    'imageshack.us',
    'tinypic.com',
);
3. Rename the TimThumb script and add an .htaccess configuration file to your sensitive folders, just as you would protect an admin page.
4. Install security plugins.
5. Also make sure that the script has ALLOW_EXTERNAL set to false:
define ('ALLOW_EXTERNAL', FALSE);
You should update your blog, or else you could end up like this:
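A quick way to check steps 2 and 5 across a whole WordPress install, as an added example (not code from ROOTCON or the TimThumb project); it assumes the stock TimThumb config line shapes and builds its own constructed sample tree to run against:

```shell
#!/bin/sh
# Added example (not ROOTCON's or TimThumb's own code): audit a WordPress tree
# for every TimThumb copy, renamed or not, and report whether both settings
# the post recommends are in place: ALLOW_EXTERNAL set to FALSE and an empty
# $ALLOWED_SITES array. Assumes the stock TimThumb config line shapes:
#   define ('ALLOW_EXTERNAL', TRUE);   $ALLOWED_SITES = array ( 'flickr.com', ... );

# Print the ALLOW_EXTERNAL value (TRUE/FALSE) defined in FILE, or UNKNOWN.
timthumb_allow_external() {
    v=$(sed -n "s/.*define *( *['\"]ALLOW_EXTERNAL['\"] *, *\([A-Za-z]*\).*/\1/p" "$1" \
        | head -n 1 | tr '[:lower:]' '[:upper:]')
    [ -n "$v" ] && echo "$v" || echo UNKNOWN
}

# Count quoted host entries in the allowed-sites array of FILE. awk prints from
# the "$ALLOWED_SITES = array" line ($allowedSites in 1.x) up to the first ';',
# so both the multi-line stock layout and a one-line empty array are handled.
timthumb_allowed_site_count() {
    awk 'tolower($0) ~ /[$]allowed_?sites *= *array/ {f=1} f {print} f && /;/ {exit}' "$1" \
        | grep -o "['\"][^'\"]*['\"]" | wc -l | tr -d ' '
}

# HARDENED only when both recommended settings hold, otherwise OPEN.
timthumb_verdict() {
    if [ "$(timthumb_allow_external "$1")" = FALSE ] &&
       [ "$(timthumb_allowed_site_count "$1")" -eq 0 ]; then echo HARDENED
    else echo OPEN
    fi
}
# Walk DIR for every .php file carrying the ALLOW_EXTERNAL define (this also
# catches copies renamed as in step 3) and print one report line per file.
audit_timthumb_tree() {
    find "$1" -name '*.php' -exec grep -l 'ALLOW_EXTERNAL' {} + 2>/dev/null |
    while IFS= read -r f; do
        printf '%s ALLOW_EXTERNAL=%s allowed_sites=%s %s\n' "$f" \
            "$(timthumb_allow_external "$f")" \
            "$(timthumb_allowed_site_count "$f")" "$(timthumb_verdict "$f")"
    done
}

# Constructed sample tree for a stand-alone run: one open copy, one hardened one.
make_sample_tree() {
    mkdir -p "$1/themes/a" "$1/themes/b"
    printf "<?php\ndefine ('ALLOW_EXTERNAL', TRUE);\n\$ALLOWED_SITES = array (\n 'flickr.com',\n 'imgur.com',\n);\n" \
        > "$1/themes/a/timthumb.php"
    printf "<?php\ndefine ('ALLOW_EXTERNAL', FALSE);\n\$ALLOWED_SITES = array ();\n" \
        > "$1/themes/b/img.php"
}
d=$(mktemp -d); make_sample_tree "$d"; audit_timthumb_tree "$d"; rm -rf "$d"
```

Run it against wp-content on a real install; any line ending in OPEN is a copy that still needs steps 2 and 5 applied.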
About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security. He encourages other like-minded individuals to come forward and share their knowledge through blogging right here in the ROOTCON Blog section.
ROOTCON is managed by like minded InfoSec professionals across the Philippines. All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.