FutureQuest, Inc.
09-11-2011, 01:43 PM   Postid: 180409
kitchin
Site Owner
Join Date: Jan 2001
Location: Virginia
Posts: 3,021
WP theme vulnerabilities / TimThumb

Who keeps Wordpress themes up to date? Or removes unused ones? The WP version updates are always to wp-admin and wp-includes. Themes live in wp-content. A colleague started getting browser alerts about malware on their sites, sporadically (not hosted at FQ by the way). Turns out this thing is called the TimThumb vulnerability and it installs a password grabber via uploading PHP as image files. It temporarily installs a whole shell emulator written in PHP. TimThumb has been blamed, rightly, and though its (freeware) developer has now updated the timthumb.php file, some theme places have stopped using the file completely.

Delete or update any timthumb.php files!

The malware looks for timthumb.php, even in themes you do not have active! Updating themes is not so easy, because you have to carve out previous customizations. So far Elegant Themes, a paid service, has been unwilling to provide me with archived versions of their themes so I can do diffs without bugging my customer, "Do you have that zip file you downloaded five years ago?"

If you see any date changes to wp-admin.php, jquery*.js, l10n.js, or if upd.php appears, check out the WP forums for more info on TimThumb. The infected files will contain "CURL_OPT" (php) or "0x4de4" (js), and will have recent dates. So it's easy to find, but the next time could be worse.

The fact that WP themes contain PHP files, and that they are even editable from the admin interface, makes this vulnerability another reason to appreciate the wall FQ puts between shared hosting accounts, PHP Secure_Mode.

Another good practice is to delete wp-admin and wp-includes completely when updating WP. It would not fix timthumb.php, but it could remove some of its previous damage. The sites were hosted with a host that has SimpleScripts, allowing one-click installs & updates of WP. Well, the one-click updates do not remove old cruft in those two directories! FQ does not offer one-click WP, but the FQ hosting environment does allow one-click updates from within WP to work (in contrast to some other hosts). I haven't checked whether WP's update code removes cruft.
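The indicators kitchin lists above, turned into a small audit script. This is an added example, not code from the post or from the TimThumb or WordPress projects. It assumes the standard WordPress layout (wp-admin, wp-includes, wp-content/themes) and searches for exactly the strings the post names, "CURL_OPT" in PHP and "0x4de4" in JavaScript, in files modified within a chosen number of days, along with every timthumb.php under wp-content (active theme or not) and any stray upd.php. The sample install it builds when run without arguments is constructed for demonstration.

```shell
#!/usr/bin/env bash
# Added audit example (not from the original post). It checks a WordPress tree
# for the indicators kitchin lists: timthumb.php copies in any theme, active
# or not; recently changed files that contain "CURL_OPT" (php) or "0x4de4" (js);
# and an unexpected upd.php. The directory layout is the standard WP one; the
# sample tree built below is constructed for demonstration only.
set -u

# Every timthumb.php under wp-content, whichever theme is active.
find_timthumb() {
    local root="$1"
    find "$root/wp-content" -type f -name 'timthumb.php' 2>/dev/null | sort
}

# .php/.js files modified within the last $days days that carry either
# indicator string, plus any upd.php anywhere in the install.
find_indicators() {
    local root="$1" days="${2:-7}"
    {
        find "$root" -type f \( -name '*.php' -o -name '*.js' \) -mtime "-$days" \
            -exec grep -lE 'CURL_OPT|0x4de4' {} + 2>/dev/null
        find "$root" -type f -name 'upd.php' 2>/dev/null
    } | sort -u
}

# Constructed sample install: one clean core file, two timthumb copies (one in
# a theme nobody activated), and three files carrying the post's indicators.
build_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-admin" "$root/wp-includes/js" \
             "$root/wp-content/themes/active-theme" \
             "$root/wp-content/themes/unused-theme/scripts"
    printf '<?php // untouched core file\n' > "$root/wp-includes/load.php"
    printf '<?php // TimThumb\n' > "$root/wp-content/themes/active-theme/timthumb.php"
    printf '<?php // TimThumb, in an inactive theme\n' \
        > "$root/wp-content/themes/unused-theme/scripts/timthumb.php"
    printf '<?php $x = "CURL_OPT"; // constructed indicator\n' > "$root/wp-admin/wp-admin.php"
    printf 'var a = 0x4de4; // constructed indicator\n' > "$root/wp-includes/js/l10n.js"
    printf '<?php // constructed stray upd.php\n' > "$root/wp-admin/upd.php"
    printf '%s\n' "$root"
}

# Usage: ./wp-timthumb-audit.sh /path/to/wordpress [days]
# With no argument, the audit runs against the constructed sample tree.
audit() {
    local root="$1" days="${2:-7}"
    echo "== timthumb.php copies under $root/wp-content =="
    find_timthumb "$root"
    echo "== files changed in the last $days days with CURL_OPT/0x4de4, and any upd.php =="
    find_indicators "$root" "$days"
}

if [ "$#" -gt 0 ]; then
    audit "$@"
else
    sample="$(build_sample_tree)"
    audit "$sample"
    rm -rf "$sample"
fi
```

The date window matters: the post's point is that infected files have recent modification times, so a hit in wp-admin or wp-includes that is newer than your last WordPress update deserves a look even if the string match turns out to be benign. Run it with a path and, after a core update, a window of a few days.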