Skip to content
August 2, 2011 / David Bleeker

Zero-day bug found in WordPress image utility

Hackers are exploiting a problem with an image-resizing utility called TimThumb that is widely used in many themes for the blogging platform WordPress, although some fixes have been made to the latest version.

Mark Maunder, the CEO of Feedjit, discovered the problem when his own blog started loading ad content when previously his blog contained no ads. He blogged about the problem, tracing it to an issue with the “timthumb.php” library, which is used within the theme he purchased for his blog.

TimThumb is “inherently insecure” because it writes files into a directory when it fetches an image and resizes it. But that directory is accessible to people visiting the website, Maunder wrote. An attacker can compromise the site by figuring out how to get TimThumb to grab a malicious PHP file and put it in the WordPress directory. The code will be executed if an attacker then accesses the file using a Web browser. [read more]

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: