While no website on the Internet can be deemed 100% safe from hackers, lately, sites based on the WordPress platform have received more than their fare share of such intrusions. WordPress is the most widely adopted Content Management platform, with millions of blogs and websites based on this platform. The relative ease of setup and administration has made the platform quite popular. This is also probably the reason why it is attractive to malicious or opportunist attackers because of the large “target market” available.
Most people think that it is when your website is defaced that your site has been hacked. Far from it. Hackers have varied intents and purposes for hacking sites. Some are just plain malicious. Most script kiddies fall into this class. Script kiddies are largely unskilled hackers testing out information or tools gleaned from the Internet with no real skills on how things work. However, most do it for financial gains, with malicious intents, activism, curiosity or just plain fun!
Usually, these hackers try to exploit loop-holes in the software coding of the wordpress platform, usually, to gain administrative access to the site and unleash whatever their malicious intents may be. Over the years, wordpress has improved significantly on making the platform very secure. However, the same can not be said of third party softwares, called plugins, that is a necessary addon to these websites.
One such script is TimThumb.
TimThumb is a PHP script used for cropping, zooming and dynamically resizing images on websites. While TimThumb can be used on any website, it is ideal for blogs and other websites who use templates and themes (self hosted WordPress blogs, for example). Using TimThumb, you can dynamically fetch a cached copy of an image and proportionally resize it to fit in your blog template. Thumbnails, profile picture of users and signature images are typical examples where TimThumb script is used. Whilst TimThumb has found a home in WordPress themes, it is by no means limited to them – TimThumb can be used on any website to resize almost any image.
TimThumb is usually embedded in most premium themes or plugins. There are a lot of parameters which can be used with TimThumb, it depends on the requirements of your website and how you want to scale internal as well as external images.
Once your script is in place, it will continue to work in the background and store a copy of your images in the cache folder. So if you are scaling a really large image to, say, 100 X 100 using TimThumb, an exact match copy of the image will be saved in the cache folder. This image will be shown to your website visitors.
And here is how the TimThumb vulnerability goes to work.
Since the cache directory is public and is accessible to anyone visiting the website, an attacker can compromise your site by figuring out a way to get TimThumb to fetch a PHP file and put that file in the same directory. Now since the cache directory is preconfigured to execute any file ending with a .PHP extension, you are trapped.
So how do I know if I’m at risk?
Almost everyone using the TimThumb library that downloaded it before August 1, 2011 is likely at risk. If you are not sure if you are using TimThumb, the easiest way to check is to look through your theme folders for a file called timthumb.php or thumb.php. This can be done using an FTP program or the file browser in your CPanel. You may also use the Timthumb Vulnerability Scanner plugin.
Thankfully, there is a fix.
You may delete all instances of timthumb.php in your theme. Deleting the TimThumb script may break certain themes, or at least affect how they manage and display images. But if you need the TimThumb script running on your site, upgrade to the latest version. However, if you find some merit in the many discussions about the safety – or lack thereof – of allowing any scripts on your server to access data from third party sites, then delete the file.