
Wordpress Zero Day

Discussion in 'BlackHat Lounge' started by trophaeum, Aug 3, 2011.

  1. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    just a thread to reference from the announcement, chat among yourselves in here about it

    http://www.blackhatworld.com/blackhat-seo/blackhat-lounge/announcements.html
     
    • Thanks Thanks x 21
    Last edited: Aug 3, 2011
  2. redstone.1337

    redstone.1337 BANNED BANNED Jr. VIP Premium Member

    Joined:
    Dec 30, 2009
    Messages:
    1,259
    Likes Received:
    999
    Thanks for posting this. Gotta check my sites.
     
  3. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    fwiw, all woothemes use it for a start, not sure who/what else, this is gonna be brutal
     
  4. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:
    ATTENTION: Hackers are using Blogger, WordPress and other external sites to load the script.

    I recommend all BHW members having timthumb.php in their themes to:

    1: Update the timthumb.php from here: http://timthumb.googlecode.com/svn/trunk/timthumb.php (just copy and paste (replace)).
    2: Edit and remove blogger, flickr, picasa, wordpress from // external domains.

    ----------------------------------------------------------------------------------------
    It should then look something like this:
    -----------------------------------------------------------------------------------------
     
    • Thanks Thanks x 8
    Last edited: Aug 3, 2011
  5. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    Yup, updating should work fine now, at least according to the SVN commit log. I didn't dig into it much further yet; figured it should go up on BHW ASAP since you guys run a zillion WP sites among ya's.
     
    • Thanks Thanks x 2
  6. alexsize

    alexsize Newbie

    Joined:
    Jun 3, 2009
    Messages:
    0
    Likes Received:
    0
    User must be registered.
    User must have the right to fill the image.
    Only themes with the file timthumb.php are vulnerable.
    IMHO, tempest in a teapot.
     
  7. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    WPMS/MU, user-contributed content, there's still plenty of options here.

    As for only themes with TimThumb, go check, it's a LOT of them.
     
  8. cecle

    cecle Regular Member

    Joined:
    Jan 18, 2011
    Messages:
    211
    Likes Received:
    102
    So to clarify only themes that show timthumb.php in the editor interface are at risk? Just to make sure it can't have been placed elsewhere.
     
  9. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:
    If the script can be loaded by external sites, it's still vulnerable, as the updated timthumb.php still has blogger and wordpress.com as "Allowed external sites".

    Mostly themes which can auto-fetch images from the post and resize them have timthumb.php.

    But I don't think that Blogger or WordPress would provide PHP or other scripting support,

    so there might be another way by which they are breaking in :confused:
     
    • Thanks Thanks x 1
    Last edited: Aug 3, 2011
  10. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    You can use blogspot.com.mydomain.co.cc (or DynDNS etc.) in the exploitable version; the allowed-list checking code changed.

    Ugh, my head isn't working so well atm, I'll come back to the thread after dinner/caffeine.
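The allow-list weakness trophaeum describes above (a host such as blogspot.com.mydomain.co.cc slipping past the "external domains" check) comes down to how the host is compared against the allowed sites. The following is an added example, not TimThumb's own code: `weak_host_check` is a simplified stand-in for a substring-style match, and `strict_host_check` is the hardened form that only accepts an allowed site or a dot-separated subdomain of one. The `ALLOWED_SITES` list is constructed from the domains named in this thread.

```python
"""Host allow-list checks for a remote image fetcher such as timthumb.php.

Added example, not TimThumb's own code. The allow-list below is constructed
from the external domains discussed in the thread.
"""
from urllib.parse import urlsplit

# Constructed allow-list modelled on TimThumb's "external domains" list.
ALLOWED_SITES = ["blogger.com", "blogspot.com", "flickr.com",
                 "picasa.com", "wordpress.com"]


def weak_host_check(url: str, allowed=ALLOWED_SITES) -> bool:
    """Accept the URL if an allowed site name appears ANYWHERE in the host.

    Simplified stand-in for the flawed pattern: 'blogspot.com' is a substring
    of 'blogspot.com.mydomain.co.cc', so that host is wrongly accepted.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(site in host for site in allowed)


def strict_host_check(url: str, allowed=ALLOWED_SITES) -> bool:
    """Accept only http(s) URLs whose host IS an allowed site or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Exact match, or host ends with ".<site>" (a real subdomain, not a lookalike).
    return any(host == site or host.endswith("." + site) for site in allowed)


def lookalike_hosts(urls):
    """Return the URLs the weak check would accept but the strict check rejects.

    Useful when reviewing a fetcher's logs for hosts that only look allowed.
    """
    return [u for u in urls if weak_host_check(u) and not strict_host_check(u)]
```
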
     
  11. IamNRE

    IamNRE Jr. VIP Jr. VIP Premium Member

    Joined:
    Aug 18, 2010
    Messages:
    4,663
    Likes Received:
    7,108
    Occupation:
    Generate Leads With FB Ads For Just $1
    Home Page:
    Noob alert!

    Is timthumb.php something all WordPress sites have installed or not? I have tried looking for the file in my FTP... no luck. :(
     
  12. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:
    Mostly themes which can auto-fetch images from the post and resize them have timthumb.php.
    ----------------------------------------------------------------------------------------------------------
    As per my knowledge, most of the latest premium themes have it.

    E.g., as trophaeum said, all WooThemes have it now.

    Others would be Elegant Themes and many from ThemeForest.
     
    • Thanks Thanks x 1
    Last edited: Aug 3, 2011
  13. MarketerX

    MarketerX Regular Member

    Joined:
    Mar 7, 2010
    Messages:
    398
    Likes Received:
    120
    What's the easiest way to see if a site is using this plugin?
     
    • Thanks Thanks x 1
  14. IamNRE

    IamNRE Jr. VIP Jr. VIP Premium Member

    Joined:
    Aug 18, 2010
    Messages:
    4,663
    Likes Received:
    7,108
    Occupation:
    Generate Leads With FB Ads For Just $1
    Home Page:
    Like MarketerX said,

    where is the typical location of this file on FTP?

    Is it under the current theme one is using? If so... I don't think I have it... though not 100%... eeek
     
  15. ronywilliam

    ronywilliam Senior Member

    Joined:
    Jan 20, 2011
    Messages:
    1,150
    Likes Received:
    431
    Can somebody post a slightly more detailed guide to get around this? Or a fix?

    Edit: Gotcha. You just need to copy paste and save! thx
     
    Last edited: Aug 3, 2011
  16. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:
    Location would be only in theme files.

    In the WordPress dashboard go to Appearance > Editor

    and search for timthumb; if not found, it's not there.

    -------------------------------------------------------------------------------------------

    In FTP you can go to your theme folder (active theme) and look for timthumb.php; if it's not

    there, it won't be anywhere else, so relax.

    This little guide which I have written is all that you need:

    http://www.blackhatworld.com/blackhat-seo/3092988-post4.html
    - SahL
     
    • Thanks Thanks x 5
    Last edited: Aug 3, 2011
  17. redstone.1337

    redstone.1337 BANNED BANNED Jr. VIP Premium Member

    Joined:
    Dec 30, 2009
    Messages:
    1,259
    Likes Received:
    999
    Use cPanel's search option at top right. Search "timthumb" and it will show you the location of all timthumb.php in your particular cPanel account.
     
    • Thanks Thanks x 3
  18. cbnoob

    cbnoob Senior Member

    Joined:
    Sep 27, 2010
    Messages:
    967
    Likes Received:
    455
    So where is timthumb.php? I can't find it in my sites. I use free WordPress themes for all sites now.
     
  19. TNphoneman

    TNphoneman Senior Member

    Joined:
    Dec 15, 2010
    Messages:
    1,177
    Likes Received:
    695
    Your themes probably don't use it if it is not there. Normally you will find it in the folder for that theme.

    On another note, the older Elegant Themes did use TimThumb but the newer ones do not. They have all been updated on the site, but I just updated the PHP file instead of losing my modifications.
     
  20. TropicalSun

    TropicalSun Regular Member

    Joined:
    Apr 17, 2011
    Messages:
    258
    Likes Received:
    34
    Occupation:
    Perpetual innovator
    Wow, that's reassuring! I don't allow for any users on my blogs but do use WooThemes! :eek:

    Hope everyone else doesn't have big problems with this though.