Wednesday, August 3, 2011

Wordpress bloggers: check your patches

If you blog on Wordpress and use an image resizing utility called TimThumb, your blog is vulnerable to exploitation:
An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory.
In other words, your readers could get malware served up to them via your blog.

There's a temporary fix here; a permanent one is coming.
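To show what "partial match on hostnames" means in practice, here is an added illustration (my own code, not TimThumb's): a weak allow-list check that only looks for the allowed name somewhere in the URL, beside a strict one that parses the URL and compares the whole host. The sample URLs and the $allowedSites entries are constructed for the demo.

```php
<?php
// Added illustration of the flaw class described in the advisory; this is
// not TimThumb's own code. Entries below are constructed sample values.
$allowedSites = ['blogger.com', 'wordpress.com'];

// Weak check: accepts any URL that merely contains an allowed name somewhere,
// so a host that only *starts* with the allowed name slips through.
function allowedByPartialMatch(string $src, array $allowedSites): bool {
    foreach ($allowedSites as $site) {
        if (stripos($src, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: parse the URL, require http/https, and compare the full host
// (or a real subdomain of it) against the allow-list. An empty allow-list,
// the advisory's recommended setting, denies every remote fetch.
function allowedByHostMatch(string $src, array $allowedSites): bool {
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedSites as $site) {
        $site   = strtolower($site);
        $suffix = '.' . $site;
        $isSub  = strlen($host) > strlen($suffix)
               && substr($host, -strlen($suffix)) === $suffix;
        if ($host === $site || $isSub) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: a legitimate image and a lookalike host in which
// the allowed name is only the leading part of the real hostname.
$samples = [
    'http://img.blogger.com/photo.jpg',
    'http://blogger.com.example.net/x.php',
];
foreach ($samples as $src) {
    printf("%-40s partial=%s strict=%s\n", $src,
        allowedByPartialMatch($src, $allowedSites) ? 'allow' : 'deny',
        allowedByHostMatch($src, $allowedSites) ? 'allow' : 'deny');
}
```

The partial check allows both URLs; the strict check allows only the first, and with `$allowedSites = []` it allows neither, which is the behaviour the advisory's workaround aims for.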

2 comments:

Dave H said...

People passing around code like it was their own, no idea if it was tested or reviewed, scattering it like seeds on the ground. And equally gullible people picking it up and using it.

Kind of reminds me of the Free Love movement, with similar results.

Borepatch said...

Dave, it's not Free Love. It's Open Source.

;-)