
Tim Thumb Zero Day Exploit

Damn you Tim Thumb! (angrily shakes fist at the screen)

If you weren’t already warned that the image processing script Tim Thumb is seriously damaging to the health of your website (see Tim Thumb is Evil), another serious exploit has been found.

A new zero-day threat has been identified in the “Webshot” feature that the Tim Thumb script uses.

This feature is meant to take a snapshot image of a website URL. However, a vulnerability has been found that allows attackers to add, delete or update any files on your server.

For example:

http://mysite.com/wp-content/plugins/myplugin/timthumb.php?webshot=1&src=http://mysite.com/$(rm$IFS/tmp/code.php)

This request removes a file from the /tmp folder on the server.

http://mysite.com/wp-content/plugins/myplugin/timthumb.php?webshot=1&src=http://mysite.com/$(touch$IFS/tmp/code.php)

This request creates a new file in the /tmp folder on the server.

Pretty much any OS command can be run, which makes this a huge exploit and very worrying.

Is Your Script Safe?

If you have the most recent version of the Tim Thumb script, the Webshot feature should be disabled by default.

However, as the script is usually bundled within WordPress themes and plugins, you’ll need to check and make sure.

You’re looking for the following line in the script:

define('WEBSHOT_ENABLED', false);

If the constant above is set to true, your site could be open to attack, so make sure you set it to false and save the script.

Where Is The Script?

Good question. The default name of the script is thumb.php, but we’ve also seen it called timthumb.php and tt.php.

The script is usually bundled in a WordPress (and other CMS’) theme or a plugin and may reside in a subfolder.

If you’ve got a VPS and SSH access, you can search for the script using the following command (the -H flag makes grep print the path of each matching file, so you know where to look):

find / -name '*.php' -exec grep -H WEBSHOT_ENABLED {} \;
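The same check, as an added example that is not from the original post: an audit script that finds every TimThumb copy under a web root by its WEBSHOT_ENABLED define (not by filename, since the script ships as thumb.php, timthumb.php, tt.php or whatever a theme renamed it to) and reports which copies have the Webshot feature switched on. The sample web root it builds is constructed for the demo; point audit_webroot at your real web root instead.

```shell
#!/bin/sh
# Added audit helper (not part of the original post or of TimThumb itself).

# Print the value the file gives WEBSHOT_ENABLED: "true", "false" or "absent".
webshot_state() {
    # Tolerate either quote style and stray spaces, e.g. define ('WEBSHOT_ENABLED', false);
    val=$(grep -oiE "define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*(true|false)" "$1" \
          | head -n 1 | grep -oiE '(true|false)$' | tr 'A-Z' 'a-z')
    echo "${val:-absent}"
}

# Print "<state> <path>" for every PHP file under $1 that defines WEBSHOT_ENABLED.
audit_webroot() {
    find "$1" -type f -name '*.php' -exec grep -q 'WEBSHOT_ENABLED' {} \; -print 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(webshot_state "$f")" "$f"
    done
}

# Number of copies with the Webshot feature switched on (the ones to fix first).
count_enabled() {
    audit_webroot "$1" | grep -c '^true ' || true
}

# Build a constructed sample web root so the audit can be exercised offline.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/demo" "$dir/wp-content/plugins/gallery/inc" "$dir/wp-content/plugins/other"
    cat > "$dir/wp-content/themes/demo/timthumb.php" <<'EOF'
<?php
// constructed sample: an old bundled copy with the Webshot feature switched on
define ('WEBSHOT_ENABLED', true);
EOF
    cat > "$dir/wp-content/plugins/gallery/inc/tt.php" <<'EOF'
<?php
// constructed sample: a renamed copy shipped with the safe default
define('WEBSHOT_ENABLED', false);
EOF
    printf '<?php\n// constructed sample: unrelated plugin file\n' > "$dir/wp-content/plugins/other/index.php"
    echo "$dir"
}

# Demo run against the constructed web root.
sample=$(make_sample_webroot)
audit_webroot "$sample"
echo "copies with Webshot enabled: $(count_enabled "$sample")"
rm -rf "$sample"
```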

Limitations

The most recent versions of the script (v2.8.11 and later) check that two pieces of software exist on the server before the Webshot feature can be used.

These are CutyCapt and Xvfb.

If these are not installed on the server, your risk is limited. However, we would still recommend searching for and disabling the Webshot feature in any Tim Thumb scripts you find on your site.

Considering the number of issues and exploits found in this script, it should never be used and should be completely removed from the net.


Wil

Wil is a dad, consultant, developer, conference organiser, speaker and business mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many technical events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.
