It was discovered yesterday that WordPress, the free, open-source blogging platform and content management system, has a critical zero-day vulnerability in TimThumb, a popular image-resizing library bundled by many WordPress themes and plugins. Tens of millions of website owners run WordPress, and with more than 30,000 plugins available for customising it, most of them are unlikely to know whether one of their plugins or themes is running TimThumb.
Website owners who use WordPress are being warned that the flaw lets attackers execute commands on any site running the latest TimThumb release (2.8.13) with the WebShot feature enabled. Once an attacker's PHP code runs on the server, they can delete, modify, or steal any file on the site. Fortunately, TimThumb's WebShot option is disabled by default, so if you have not explicitly enabled it, you are not affected. If you have, Hacker News has published the following advice for fixing the problem:
- Open the timthumb.php file inside your theme or plugin directory, usually located at "/wp-content/themes//path/to/timthumb.php"
- Search for "WEBSHOT_ENABLED"
- If you find define('WEBSHOT_ENABLED', true), set the value to false, i.e. define('WEBSHOT_ENABLED', false)
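The manual check above, automated as a shell audit (an added example, not code from the article or from TimThumb's authors): it walks a wp-content tree for PHP files that set WEBSHOT_ENABLED to true, since themes and plugins often ship their own copy of timthumb.php, and provides a second function that flips the define to false with a backup. It assumes the constant is set on a line of the form define ('WEBSHOT_ENABLED', true); with optional whitespace and either quote style.

```shell
#!/bin/sh
# Added example (not from the article or TimThumb's authors): audit a
# wp-content tree for TimThumb copies whose WebShot feature is enabled.
# Assumes the constant is set on a line of the form
#   define ('WEBSHOT_ENABLED', true);
# with optional whitespace and single or double quotes.

# Extended regex matching a define() that sets WEBSHOT_ENABLED to true.
WEBSHOT_TRUE_RE="define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*true"

# audit_webshot DIR
# Lists every PHP file under DIR that enables WebShot (themes and plugins
# often bundle their own copy, so do not stop at the first hit).
# Returns 0 when no vulnerable copy is found, 1 otherwise.
audit_webshot() {
    root="$1"
    hits=$(grep -rlE --include='*.php' "$WEBSHOT_TRUE_RE" "$root" 2>/dev/null || true)
    if [ -z "$hits" ]; then
        echo "no PHP file under $root enables WEBSHOT_ENABLED"
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/WEBSHOT_ENABLED is true: /'
    return 1
}

# disable_webshot FILE
# Flips the define to false in place, keeping FILE.bak as a backup so the
# change can be reviewed or reverted.
disable_webshot() {
    sed -i.bak -E "s/(define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*)true/\1false/" "$1"
}

# Usage: sh audit_timthumb.sh /var/www/html/wp-content
if [ "$#" -gt 0 ]; then
    audit_webshot "$1"
fi
```

Run it against wp-content rather than a single theme directory, because a copy hidden in a plugin is just as exposed as the one in the active theme.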
This isn't the first time TimThumb.php has had a vulnerability: back in August 2011, thousands of sites were compromised in large-scale attacks. There is currently no patch for this year's vulnerability, so watch TimThumb's site for an update.