TimThumb WebShot Code Execution Exploit (0-day)
If you are still using Timthumb after the serious vulnerability that was found on it last year, you have one more reason to be concerned.
A new 0-day was just disclosed on TimThumb’s “Webshot” feature that allows for certain commands to be executed on the vulnerable website remotely (no authentication required). With a simple command, an attacker can create, remove and modify any files on your server. For example:
http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://vulnerablesite.com/$(rm$IFS/tmp/a.txt)
http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php??webshot=1&src=http://vulnerablesite.com/$(touch$IFS/tmp/a.txt)
In the first example, we were able to remove a file (rm command) and on the second example, create one (using the touch command). And you are not limited to only these 2 commands as many others can be executed remotely (RCE). The full disclosure is available here for anyone interested in more technical details.
Are you vulnerable?
The good news is that Timthumb comes with the webshot option disabled by default, so just a few Timthumb installations are vulnerable. However, you have to check if your timthumb file does not have this option enabled to prevent it from being misused. Open your timthumb file (inside your theme or plugin) and search for “WEBSHOT_ENABLED” and make sure it is set to “false”, just like this one:
define (‘WEBSHOT_ENABLED’, false);
If it is enabled, you have to disable it asap. Our research team is monitoring this vulnerability very closely and if we have any news, we will update in this post.
For our customers: Another piece of good news is that any website behind our website firewall is already protected automatically against this vulnerability.