TimThumb Vulnerability


Recently, a new vulnerability has reared its ugly head on many WordPress installs, which has allowed hackers to do damage and wreak havoc.  One of my clients was unfortunately a victim of the problem, so I’ve been looking into it and wanted to pass along what I’ve learned.  Hopefully you can proactively secure your own WordPress installation and save yourself some headaches.

Note: this problem is not limited to ONLY WordPress, but since the file in question is heavily used in many popular WordPress themes, I’m focusing primarily on that.  If your site uses a third-party theme on another CMS, eCommerce or blog platform, you should also be aware of this issue.

The file in question is called TimThumb.php and is a small script that is used for automatically resizing images when uploading them or importing them from another site.  The file is usually embedded in your theme, and you probably don’t even know it is there.  However, due to a vulnerability in this small script, hackers are using it to infiltrate websites and embed malicious code into files on the site.

The most common way to know if your site has been compromised is a sudden disappearance of your site, replaced by the following error message:

Warning: Cannot modify header information – headers already sent by (output started at /home/user/public_html/wp-settings.php:332) in /home/user/public_html/wp-includes/pluggable.php on line 934

This warning is actually telling you that the wp-settings.php file has been compromised (note the “output started at … wp-settings.php” part), and a quick fix to get your site back online is to remove the extra blank lines at the bottom of that file.  However, you aren’t out of the woods and will still need to do cleanup: upgrade the timthumb.php file, replace your wp-settings.php file (and most likely other files too) with a clean version, and possibly restore your site/database from an earlier backup.  Your webhost might be able to help you in the event you find yourself in this predicament.  You should also notify the theme developer and make sure they are working on (or have released) a patch to fix the problem.  You’ll also need to check your user directory to make sure no suspicious users are registered (especially as administrators) and delete any users who could be hackers.  Also, change your password.

You can find the latest version of the timthumb.php file here: http://timthumb.googlecode.com/svn/trunk/timthumb.php. You can also find some helpful information here if you are trying to clean up from a compromised site: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/.

Hopefully you haven’t had a problem, but it is prudent to be proactive to prevent any problems.  Here are some suggestions for protecting your WordPress installation from issues:

  • Backup your WordPress site regularly.  Most of my clients should already have backup plugins running on their install.  Use it regularly!
  • Make sure you are running the most recent version of WordPress and keep your plugins updated too.
  • Completely remove any plugins and themes you are no longer using.  Even a non-active theme can have a vulnerable file in it and can create a problem (this was the case with my client, actually; the hackers got in through an OLD theme that we weren’t even using).
  • Check in with your theme developer to make sure you are running the latest version and that, if your theme uses the timthumb.php file, you have the updated fix for it.
  • Change your passwords regularly, and please don’t use easy passwords.  Choose a RANDOM combination of alpha/numeric characters, and add in some upper case, lower case and symbols to keep things hard to guess.  If you are using your dog’s name as your password, stop doing that!
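To turn the advice above into a repeatable check (hunt down every TimThumb copy, including ones hiding in inactive themes, and spot the wp-settings.php symptom behind the warning quoted earlier), here is an added shell script; it is not part of the original post. It assumes timthumb.php declares its version with define('VERSION', ...) and that themes may ship the file under the name thumb.php; the trunk copy linked above is the reference to compare versions against.

```shell
#!/bin/sh
# Added example (not from the post): audit a WordPress tree for TimThumb
# copies and for stray output after wp-settings.php's closing "?>".
# Assumptions: timthumb.php carries define('VERSION', ...); themes may
# rename the file to thumb.php.

# List every timthumb.php / thumb.php under $1 as "path<TAB>version";
# version is "unknown" when no VERSION define is found.
find_timthumb() {
    find "$1" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null |
    while read -r f; do
        v=$(grep -o "define *( *['\"]VERSION['\"] *, *['\"][^'\"]*['\"]" "$f" |
            sed "s/.*, *['\"]//; s/['\"]\$//" | head -n 1)
        printf '%s\t%s\n' "$f" "${v:-unknown}"
    done
}

# Exit 0 if anything follows the file's last "?>" beyond the single newline
# PHP swallows; that extra output is what sends headers early.
has_trailing_output() {
    last=$(grep -n '?>' "$1" | tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || return 1            # no closing tag: nothing can leak
    n=$(tail -n +"$last" "$1" | sed '1s/^.*?>//' | wc -c)
    [ "$((n))" -gt 1 ]
}

# Run both checks against a WordPress root; returns 0 only when nothing
# needs attention.
audit_wordpress() {
    status=0
    copies=$(find_timthumb "$1")
    if [ -n "$copies" ]; then
        echo "TimThumb copies found (path, version); compare each with trunk:"
        printf '%s\n' "$copies"
        status=1
    fi
    if [ -f "$1/wp-settings.php" ] && has_trailing_output "$1/wp-settings.php"; then
        echo "wp-settings.php has output after its closing ?>: inspect and clean it"
        status=1
    fi
    return $status
}

if [ -n "${1:-}" ]; then audit_wordpress "$1"; fi
```

Run it as `sh audit.sh /home/user/public_html`; an inactive theme directory shows up in the listing just like the active one.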

According to the latest news on the TimThumb vulnerability, there will be an all-new rewrite of this functionality that will need to be installed in themes using it.  Stay tuned for updates on this subject, as I’ll be watching for any changes that might affect our installs.

Theatrium Design clients can always drop me a line if you want me to check over your website for vulnerabilities.  Open Source solutions are great for small businesses, but there is always the risk of security breaches.  Please practice safe web out there and be careful!

© Copyright Theatrium Design: The Green Room Blog - Theme by Pexeto