Problem in WordPress – bigger problem in doing something about it…
Today the Avast anti-virus company is warning about a vulnerability in a WordPress image-resizer.
In early October, researchers from AVAST were contacted by several users via the CommunityIQ system that http://www.theJournal.fr, the online site for The Poitou-Charentes Journal, had been infected… The infection was the work of cybercriminals using the Blackhole Toolkit, a set of malware tools available on the black market. “TheJournal.fr and its readers were certainly not the only targets, this is a larger issue of WordPress security,” said Mr. Sirmer. We’ve registered 151,000 hits at one of the locations where this exploit redirected users. We also blocked redirects from 3,500 unique sites on August 28 – 31 – the first three days that this infection surfaced – that led to this exploit. During September, we blocked redirects from 2,515 sites and I expect October results will be similar.
Thing is, this vulnerability was found way back on 1 August by Mark Maunder:
An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty…
Eventually I found it. The hacker had done an eval(base64_decode(‘…long base64 encoded string’)) in one of WordPress PHP files. My bad for allowing that file to be writeable by the web server. Read on, because even if you set your file permissions correctly on the WordPress php files, you may still be vulnerable.
Zero Day Vulnerability in many WordPress Themes
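The three checks Maunder's write-up asks site owners to make (is an unmodified timthumb.php bundled with a populated $allowedSites array, has anything dropped an eval(base64_decode(...)) payload into a WordPress PHP file, and are PHP files writable when they should not be) can be scripted. The audit below is an added example, not code from the original post, from Mark Maunder, or from the TimThumb project. It assumes the array is declared as `$allowedSites = array( ... );` and uses group/world write bits as the permission test; the sample tree it builds, including the theme name, hostnames and the base64 string, is constructed for the demonstration.

```python
"""Audit a WordPress tree for the issues in Mark Maunder's TimThumb write-up.

Added example script, not part of the original post or of TimThumb itself.
Usage: python audit_wp.py /path/to/wordpress
With no argument it builds a constructed sample tree and audits that.
"""
import os
import re
import stat
import sys
import tempfile

# $allowedSites = array( ... );  -- capture the array body, across lines
# (assumes the declaration shape used by bundled timthumb.php copies)
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)
# eval(base64_decode(  -- the obfuscated-payload pattern quoted in the post
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)


def allowed_sites_populated(source):
    """True if $allowedSites holds at least one quoted entry, False if the
    array is empty, None if this file does not declare the array at all."""
    m = ALLOWED_SITES_RE.search(source)
    if not m:
        return None
    return bool(re.search(r"""['"]""", m.group(1)))


def has_eval_base64(source):
    """True if the file contains an eval(base64_decode( call."""
    return bool(EVAL_B64_RE.search(source))


def loosely_writable(path):
    """True if group or other has write permission on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_tree(root):
    """Walk root and return a sorted list of (relative_path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            if name.lower() == "timthumb.php":
                populated = allowed_sites_populated(source)
                if populated is None:
                    findings.append((rel, "timthumb.php present; $allowedSites not found, inspect by hand"))
                elif populated:
                    findings.append((rel, "timthumb.php with populated $allowedSites"))
            if has_eval_base64(source):
                findings.append((rel, "eval(base64_decode( payload"))
            if loosely_writable(path):
                findings.append((rel, "group/world-writable PHP file"))
    return sorted(findings)


def build_sample_tree():
    """Construct a small fake WordPress tree for a demonstration run.
    Every file here is a made-up sample, not real theme or malware code."""
    root = tempfile.mkdtemp(prefix="wp_audit_")
    theme = os.path.join(root, "wp-content", "themes", "sample-theme")
    os.makedirs(theme)
    samples = {
        # bundled resizer with the array still populated (constructed hosts)
        os.path.join(theme, "timthumb.php"):
            "<?php\n$allowedSites = array(\n    'example.com',\n    'example.org',\n);\n",
        # clean file: should produce no finding
        os.path.join(theme, "functions.php"): "<?php\n// clean sample file\n",
        # constructed stand-in for an injected payload ('QUJD' is just base64 of 'ABC')
        os.path.join(root, "wp-config.php"): "<?php\neval(base64_decode('QUJD'));\n",
    }
    for path, text in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)  # deliberately loose
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, finding in audit_tree(target):
        print(f"{rel}: {finding}")
```

On the constructed tree this reports the populated timthumb.php, the payload in wp-config.php and the loose permissions on that same file, and stays silent on the clean functions.php. On a real site the permission check should be read alongside which user the web server runs as: a file owned by that user is writable by it regardless of the group/other bits, which is exactly the situation Maunder describes.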
And it was further discussed by Matt Mullenweg on 8 August:
Last week there was a serious flaw found in the code behind TimThumb, an image re-sizing library commonly used in premium themes. Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications.
The TimThumb Saga
I don’t know how we do it, but somehow we need to convert researchers’ research into users’ use.