A patch for a zero-day vulnerability in TimThumb has been released by its developer who is none too pleased about this week’s disclosure on a popular security mailing list.
“Unfortunately nobody told me about this before the exploit was announced – in fact I found out about the bug through wptavern.com so I haven’t been able to look into a fix for it,” said Ben Gillbanks, a WordPress developer who wrote TimThumb.
This was a short time before the code in question in the WebShot feature was indeed updated and made available on Google Code.
Gillbanks wrote on his Binary Moon website that he no longer maintains TimThumb outside of attending to an infrequent security issue such as this one. The PHP-based image re-sizing software, which suffered a previous zero-day in 2011, is all but obsolete because WordPress supports post thumbnails.
“I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011,” he said.
Details on the previously unpublished vulnerability in the WebShot feature were published this week on the Full Disclosure mailing list. While WebShot is not enabled by default, WordPress themes, plug-ins and other third-party components could be at risk for remote-code execution attacks.
Web security company Securi said that the zero-day allows an attacker to remotely remove and modify files stored on a server, and can do so without authentication.
“First things first – most people using TimThumb don’t need to worry. The code is disabled by default, and even if it’s enabled you need to have two server side extensions installed to be able to execute it,” Gillbanks said.
Experts recommend disabling WebShot, if enabled, as a temporary mitigation. Securi said users can disable the feature by opening the timthumb file in a theme or plug-in for example, and set WEBSHOT_ENABLED to false.
Sites self-hosted on WordPress can use TimThumb to re-size image files such as .jpg or .png files.
Researcher Pichaya Morimoto, who disclosed the zero day, said version 2.8.13 is vulnerable, as well as the original WordThumb 1.07 project. WordPrss Gallery Plugin and IGIT Posts Slider Widget were also identified by Morimoto as possibly vulnerable, in additional to all themes from themify[.]me.
The previous TimThumb zero day was disclosed in August 2011; the vulnerability allowed hackers to execute PHP code in the TimThumb cache directory. The bug gave anyone remote write-access to the directory.