^ Scroll to Top
Contact us | Login

Archive for August, 2011

TimThumb Exploit and Fix Package Tim-Scan

Friday, August 12th, 2011

This is a HUGE EXPLOIT first discovered at the start of August 2011. This exploit affects timthumb.php up to version 1.33, timthumb is a PHP image resizing script that is used by thousands of websites and is included in alot of wordpress themes. Basically if a hacker finds a vulnerable version of this script on your site they can do almost anything including steal your whole database and deface or delete or spam hijack your site.

The Exploit

This is surprisingly  simple, i must admit the after reading about the exploit i decided to see if i could re-create it and started messing with trying to fool the script into thinking my .php file was an image by changing the mime type – that didn’t work, i then tried inserting some PHP code into the end of a small image, i had some success with that but i then realised it is even more simple than that.

The whole reason for the exploit is that the script allows you to use images from a few other sites such as flickr.com and picasa.com, bu the check on these domains is easily fooled, so you could throw together a few sub-domains and have http://flickr.com.thebaddies.com/MyBadFile.php If you then tell timthumb.php to use that as an image it will first copy the file to a /temp/ folder and then throw the error “Unable to open image” the script then tells you the location of the PHP file and you can go execute it. (i’m leaving out a little detail so Jo Blogs can’t do it it his mate Dave’s site)

I run a load of wordpress sites and after having a go at the exploit and realising how easy it was, i wrote a script to check for vulnerable versions and update them and also scan for any nasty code left by any hackers.

If you are interested my script is available here ~> http://code.google.com/p/timthumb-updater/downloads/list

EDIT*  i have added a video with basic instructions, as requested…