Hackers are exploiting a zero-day vulnerability in an image utility favoured by WordPress users that allows malicious code to be uploaded remotely.
The flaw exists in the way the timthumb.php resizing tool fetches images from websites like Flickr and Photobucket. The utility runs only a partial check on hostnames, meaning attackers can get arbitrary PHP code written into the tool's cache directory and executed from there.
An attacker could upload files by hosting a PHP file on a server whose hostname contains an allowed site's domain name; timthumb.php would then fetch that file without further checks.
Feedjit chief executive officer Mark Maunder reported the flaw after his WordPress site was hacked. He posted details of a temporary fix that would disable some functionality of the image tool in order to close the vulnerability.
"The problem is the way the developer checks which domain he's fetching from. He uses the PHP strpos function and if the domain string appears anywhere in the hostname, he'll allow that file to be fetched," Maunder said.
"So if you create a file on a web server like so: http://blogger.com.somebadhackersite.com/badscript.php and tell timthumb.php to fetch it, it merrily fetches the file and puts it in the cache directory ready for execution.
"If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty."
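The substring check Maunder describes, placed beside a host-based check that rejects the bypass, as an added example (this is not TimThumb's own code; the $allowedSites entries, function names and sample URLs are constructed for illustration):

```php
<?php
// Added example, not TimThumb's code. The allow-list values are constructed.
$allowedSites = ['flickr.com', 'photobucket.com', 'blogger.com'];

// Vulnerable pattern from the article: strpos() accepts the allowed domain
// anywhere in the URL string, including as a leading label of another host.
function isAllowedVulnerable(string $url, array $allowedSites): bool
{
    foreach ($allowedSites as $site) {
        if (strpos($url, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, take the real host, and require that it
// equal an allowed domain exactly or end with ".<allowed domain>".
function isAllowedHardened(string $url, array $allowedSites): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    if (!in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedSites as $site) {
        $suffix = '.' . strtolower($site);
        if ($host === strtolower($site) || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: a legitimate subdomain, the bypass shape quoted
// above, and an allowed name appearing only in the query string.
$samples = [
    'http://farm1.static.flickr.com/123/pic.jpg',
    'http://blogger.com.somebadhackersite.com/badscript.php',
    'http://example.net/image.jpg?ref=flickr.com',
];
foreach ($samples as $url) {
    printf("%-58s strpos: %-5s host check: %s\n", $url,
        isAllowedVulnerable($url, $allowedSites) ? 'pass' : 'block',
        isAllowedHardened($url, $allowedSites) ? 'pass' : 'block');
}
```

Only the first URL passes the host-based check, while all three pass the strpos check. Tightening the host match alone still leaves whatever is fetched sitting in a web-accessible cache, which is why the interim advice quoted above is to remove the file or empty $allowedSites.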
Timthumb.php will be updated to reduce the potential for attack, developer Ben Gillbanks said.