Old image resize script leaves 1 million Web pages compromised

Timthumb can still be attacked when found in unused WordPress themes

A serious code injection vulnerability affecting timthumb, a popular image resize script used in many WordPress themes and plugins, has been exploited in recent months to compromise over 1 million Web pages.

Estimating the impact is not an easy task, according to website integrity monitoring vendor Sucuri Security, which monitored the fallout of this flaw since it was first announced at the beginning of August.

The company's researchers have devised a method that involves using Google to search for compromised pages where the malicious code malfunctioned.

"If you are familiar with PHP/WordPress, you'll notice that [the attack] is adding the output of this function (counter_wordpress, which calls 91.196.216.30/bt.php) to the header of the compromised site," Sucuri Security's David Dede said.

"Everything is OK, but what happens when the site 91.196.216.30 goes down? If the site has display_errors enabled on PHP, this will show up: 'Warning: file_get_contents(http://91.196.216.30/bt.php?ip=IP&host=..'," he explained.

Searching for this error on Google returned over 1 million results and using filters for the last 30 days, returned over 200,000.

There are other factors to consider as well when trying to estimate the impact, like the fact that Google results correspond to compromised pages, not websites, as one website can have multiple pages infected. Also, not all servers have the display_errors feature enabled in PHP, which means no error will be outputted even if a site is affected.

It's also worth considering that Sucuri's method is used to estimate the impact of one particular attack. There's no telling how many websites compromised by different exploits targeting this vulnerability are out there. Dede believes that there could be a couple of million.

Webmasters should immediately replace the timthumb.php file bundled with their blog's themes or plugins with the latest version which is no longer vulnerable. However, it isn't enough to just patch currently active components, as leaving old timthumb versions anywhere on the server poses a similar threat.

"[Thousands] of sites were hacked because they had unused themes (or plugins) that included a vulnerable version of the script. Yes, in a lot of cases the script wasn't even enabled, it was just sitting there idle on the server," Dede said.

His recommendation is to remove old scripts or test accounts that are no longer necessary, because a new vulnerability that affects them can be identified at any time, and this doesn't apply only to WordPress blogs.

For example, many webmasters install a current version of phpMyAdmin, a popular Web-based database management tool, in order to perform a one-time task and then leave it on the server thinking it's patched up and password-protected.

Months later, someone can discover a vulnerability in that version and exploit it to inject malicious code in the underlying databases. This is not a theoretical attack. Compromises like this happen all the time and attackers use automated tools to search for vulnerable installations or crawl websites for default directories where these tools are usually located.

"Remove all unneeded software from the server. Even at rest, over time, the risk of being exploited is growing," Dede concluded.

Tags securityWordpressExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?