-
06-25-2014, 10:53 AM #1Web Hosting Master
- Join Date
- Nov 2004
- Posts
- 654
Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)
Looks like there's a new TimThumb vulnerability out:
A new vulnerability has been announced in TimThumb, a library that many WordPress sites use to manipulate and display images. This vulnerability makes sites with a particular configuration of TimThumb vulnerable to arbitrary code execution attacks. These attacks are pretty serious, allowing the attacker to force your server to run any command they like. Usually, it’s not much work for an attacker to use an arbitrary code execution to gain complete control of the vulnerable server or network.
If this feels familiar, it should. A very similar vulnerability was found in TimThumb in 2011. That one was much more serious, because pretty much all sites using TimThumb were vulnerable. This time not so many people will be affected, because you have to have the plugin in a specific, non-default configuration to be vulnerable.
Also check:
http://seclists.org/fulldisclosure/2014/Jun/117
https://code.google.com/p/timthumb/i...&ts=1403690188
█ Fusioned - http://www.fusioned.net
█ Enterprise & Semi-Dedicated Hosting | CloudLinux, cPanel, LiteSpeed, Acronis | PHP 5.6, 7.2, 7.3, 7.4 & 8.0
█ Fully Managed SSD KVM VPS & Dedicated Servers | CloudFlare & Acronis Partner | RIPE LIR
-
06-25-2014, 10:54 AM #2Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Beat me to it I opted to HSL first
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
06-25-2014, 10:55 AM #3Web Hosting Master
- Join Date
- Nov 2004
- Posts
- 654
Yeah, was just about to email you and then the email from HSL arrived
-
06-25-2014, 11:11 AM #4Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
Steven, making all timthumb.php files on the server non-executable does protect from the exploit, until a fix is published?
Code:
locate timthumb.php | while IFS= read -r f; do chmod -cv 000 "$f"; done
Of course the themes using timthumb.php will not be able to generate thumbnails, but this is a minor issue compared to the server and web sites security which is above all.
★ NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
★ Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
★ Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland
-
06-25-2014, 11:15 AM #5Junior Guru
- Join Date
- Jun 2002
- Location
- Long Beach, NY
- Posts
- 211
Thanks George for the post, and Steven for the HostingSecList email advisory.
I've scanned my servers and confirmed WEBSHOT_ENABLED defined as FALSE in all timthumb.php and thumb.php using the following -
Code:
find . -type f \( -iname thumb.php -o -iname timthumb.php \) -exec grep -HP 'define ?\(.WEBSHOT_ENABLED' {} \;
Are there any other recommended measures to be taken?
Thanks.
-
06-25-2014, 11:20 AM #6Mostly Retired!
- Join Date
- Nov 2002
- Location
- Portland, Oregon
- Posts
- 2,992
Oh God not TimThumb again. I still occasionally come across sites that never got patched from the last time. Whee. Thx HSL
-
06-25-2014, 11:24 AM #7Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
Another idea, finding all timthumb.php files and disabling WEBSHOT wherever it is enabled:
Code:
locate timthumb.php | while IFS= read -r f; do sed -i "s/('WEBSHOT_ENABLED', true);/('WEBSHOT_ENABLED', false);/" "$f"; done
yum install mlocate
updatedb
and run the above command again.
-
06-25-2014, 11:30 AM #8Junior Guru
- Join Date
- Jun 2002
- Location
- Long Beach, NY
- Posts
- 211
@NetworkPanda - I'm not yet sure of the correct action here, but whatever action you take, you also need to scan for thumb.php. I'm not sure what other names might be used - I've heard "webthumb.php" is also possible but have never found any instances of that one.
-
06-25-2014, 11:36 AM #9Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
06-25-2014, 11:36 AM #10Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
-
06-25-2014, 11:51 AM #11Junior Guru
- Join Date
- Jun 2002
- Location
- Long Beach, NY
- Posts
- 211
-
06-25-2014, 12:00 PM #12Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
No, PHP constants (configured with the define command) are not like variables which can be changed afterwards in other parts of the code. PHP constants are defined once and they cannot be overridden elsewhere.
But even if it could be possible, searching all PHP files for "define('WEBSHOT_ENABLED', true);" and replacing it with "define('WEBSHOT_ENABLED', false);" should fix this too.
-
06-25-2014, 12:13 PM #13Junior Guru Wannabe
- Join Date
- Jan 2010
- Location
- London
- Posts
- 55
This should work though it will take a while:
Code:
find /home -type f -path '*wp-content*' -name '*.php' -print | while IFS= read -r f; do sed -i "s/('WEBSHOT_ENABLED', true);/('WEBSHOT_ENABLED', false);/" "$f"; done
NetHosted Ltd - UK based hosting solutions.
-
06-25-2014, 02:57 PM #14WHT Addict
- Join Date
- Jun 2002
- Posts
- 125
I'm not finding many installations (haven't found any yet) with this enabled, it seems. Could be a good sign... hopefully.
* GeekStorage.com: Affordable, Performance Web Hosting
* WHM/cPanel Shared Hosting, SSD Virtual Private Servers, and Dedicated Servers
* CloudLinux, LiteSpeed, MariaDB, and SpamExperts
* @GeekStorage
-
06-25-2014, 03:06 PM #15Junior Guru
- Join Date
- Jun 2002
- Location
- Long Beach, NY
- Posts
- 211
-
06-25-2014, 03:21 PM #16Junior Guru Wannabe
- Join Date
- Jun 2014
- Location
- Rowley, MA
- Posts
- 67
Annnd I'll just go add Syria, Lebanon, and Iran to the firewall for a couple weeks...
█ Neil Hanlon | Support Analyst
█ 888-X10-9668 - neil[at]x10hosting.com
█ R1Soft licenses available - r1softlicenses.com
█ Shared and VPS hosting - x10premium.com \ x10vps.com
-
06-25-2014, 11:20 PM #17New Member
- Join Date
- May 2013
- Posts
- 4
In the Iranians really are oppressed.
America only wants to be dominated
Iran is not scary.
-
07-17-2014, 03:41 AM #18
I think Webshot_enable is disabled by default.
Only old themes use Timthumb
Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
DemoTiger.com - Buy Demo Videos for your Hosting Company
-
07-18-2014, 05:29 AM #19Junior Guru
- Join Date
- Apr 2003
- Location
- Los Angeles, CA
- Posts
- 245
Just FYI to all, I have seen other plugins use the filename 'img.php' for the Timthumb script.
One in particular I recently came across using this filename is a popular paid plugin (developed by an Elite Author at ThemeForest) that is still using TimThumb 2.8
I've sent a few emails to the author in hopes that they update ASAP
Sam Jadali | Host Duplex
sam.jadali [@] hostduplex.com
Premium Shared, Reseller, & XenServer VPS Web Hosting
Chicago, IL & Los Angeles, CA | http://www.hostduplex.com
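Pulling the thread's checks together (post #5's grep, #7's replace, and the extra filenames from #8 and #19), here is an added example that is not from any poster: a small POSIX sh scanner that finds TimThumb copies under the four filenames named in the thread, reports whether WEBSHOT_ENABLED is true, false or never defined, and with "fix" as the second argument rewrites true to false in place. Function names and the sample tree are my own; it assumes GNU find/grep/sed.

```shell
#!/bin/sh
# Added example, not from the thread. Regex for the start of a define() of WEBSHOT_ENABLED,
# tolerant of spacing and of single or double quotes around the constant name.
WEBSHOT_DEF="define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*"

# Usage: timthumb_webshot_scan ROOT [fix]   (prints one "STATE path" line per TimThumb file)
timthumb_webshot_scan() {
    root="$1"; mode="${2:-report}"
    find "$root" -type f \( -iname timthumb.php -o -iname thumb.php \
                            -o -iname webthumb.php -o -iname img.php \) -print |
    while IFS= read -r f; do
        # Same-named files that are not TimThumb are skipped (every release names itself in a comment).
        grep -qi 'timthumb' "$f" || continue
        if grep -Eqi "${WEBSHOT_DEF}true" "$f"; then
            if [ "$mode" = fix ]; then
                sed -i -E "s/(${WEBSHOT_DEF})[Tt][Rr][Uu][Ee]/\1false/" "$f"
                echo "FIXED $f"
            else
                echo "ENABLED $f"
            fi
        elif grep -Eqi "${WEBSHOT_DEF}false" "$f"; then
            echo "disabled $f"
        else
            echo "unset $f"        # constant not defined in this copy; check its config include
        fi
    done
}

# Constructed sample tree so the scan can be tried offline; prints the temp root it created.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/theme-a" "$d/theme-b" "$d/plugin-c" "$d/plugin-d"
    printf '<?php\n// TimThumb sample\ndefine ("WEBSHOT_ENABLED", TRUE);\n' > "$d/theme-a/timthumb.php"
    printf '<?php\n/* TimThumb sample */\ndefine('"'"'WEBSHOT_ENABLED'"'"', false);\n' > "$d/theme-b/thumb.php"
    printf '<?php\n// timthumb copy that never defines the constant\n' > "$d/plugin-c/img.php"
    printf '<?php\n// unrelated image handler that happens to be called img.php\n' > "$d/plugin-d/img.php"
    echo "$d"
}
```

Run it as `timthumb_webshot_scan /home` first to see what would change, then with `fix`; a second report run should show every previously ENABLED file as disabled.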