A mitigation for this sort of thing: your Wordpress installations can be owned by someone other than the webserver, with 644/655 permissions. This will prevent folks from uploading arbitrary code (through any of the NUMEROUS plugins/themes with a vulnerability that allows them to do that), and also prevents folks from appending malicious code to known files.
You could also "cat /usr/local/wordpress/wp-config.php" and see the plaintext mysql username/password and inject malicious data into the DB, create/drop tables or databases depending on access level.
Problem is that then you can't auto install themes, auto update wordpress - and the script causing this vulnerability requires a writable cache directory under the wordpress root.
Yes, turning off the ability to execute arbitrary code on your server through your web browser will, indeed, turn off the ability to execute arbitrary code on your server through your web browser. I think that is a misfeature: if executing arbitrary code on your server could potentially do damage to your business (hint: yes), you should be SSHing into a terminal to do it. That combo will be 500,000x more effective at securing your box than the best efforts of Wordpress, PHP, and the fifteen year-old designer who coded your lightbox plugin after Googling "How to find file name in PHP".
See also my comments last week about the (lack of) wisdom in embedding a ruby shell in a web application.
Turning off the ability to execute arbirary code on your server through your webserver will also stop WordPress from being able to get security updates out to the millions of sites using it.
While I much prefer going through SHH to manage my sites, there are likely 10x as many WP sites run by people who can only FTP. There isn't really an ideal solution in this situation (apart from education) so I think allowing easy updates by having weaker security may be best. Maybe there is a better solution that still works for FTP. If so, file a ticket.
The WordPress Codex is a wiki and it looks like the docs on security could do with some improvements - sign up and help out.
You're confusing the issue. This isn't about SSH versus FTP: it's about whether or not the Apache user running your website can also write to the filesystem inside of your document root. The Wordpress update feature is actually able to use FTP as the means of updating the site.
That's true; I was oversimplifying the issue. Most shared hosting web hosts run PHP files with the same user that you FTP with. If WP can't update itself in these cases then the user cannot write files via FTP. If a user connects via SSH then chances are they are comfortable changing directory permissions to do an update.
My WP theme is from WooThemes and it includes "thumb.php" which upon inspection is timthumb.php. The blog post says to patch this you should remove the list from the allowedSites variable which I have done... I'll look at this more tomorrow but just FYI!
Great writeup. It's clear, it's concise and it's not overly dramatic. Thanks for taking the time to write this up and share it.
I have invested a bit of time installing and tuning mod_security. I'd love to know how it'd have faired against this attack, probably it wouldn't have stopped the upload, but it might have stopped a lot of payload/control commands from working.
While it's concise and not overly dramatic, lots of people run Wordpress on shared hosting. That generally means they don't have SSH access and the instructions are harder to follow... It needs a "for beginners" section on how to check and accomplish the steps.
I invest time in doing things like looking over any third party libraries for stuff like this, too. The quality of the average WordPress plugin is quite low, and I'm surprised we don't hear about issues like this more often.
I did a series on talks on Wordpress security earlier this year at OWASP London and AppSec EU. Sadly the AppSec slides were lost but the OWASP slides are still there for anyone interested:
This concerns user/third party authored WordPress themes for the WordPress.org software. WordPress.com is hosted and administrated by Automattic, and they handle security like any other application provider. It's not likely that Wordpress.com is using this resizing script and if they were, you as a user would not have to take any action to fix it (and couldn't do so, anyway)
I used to see so many security problems with xmlrpc.php, and never used the functionality, so I put in a cron job entry that did this for all blogs I had hosted:
I bought my theme from Theme Forest and it has this vulnerability. If you have a theme that you've purchased and contains this file, it would be helpful to post this on the theme's support forum.
Exactly what I thought upon reading "The current version of timthumb has this issue. Since it’s already in the wild and I just got hacked by it, I figure it’s ok to release the vulnerability to the general public."
There's no other way to inform most people about the problem. There's several thousand free WordPress themes in the wild, and obtaining them does not involve getting on the developers' mailing lists or otherwise being contact-able. Even if it was possible to notify every theme developer that may be including timthumb in their theme, those developers would have no way to notify the end users.
is sufficient to cause it to download payload.php and cache it. Afterwards, you can access the PHP file in the same manner to execute it.
One could trivially make a list of signatures for vulnerable themes (for example, all the ones I paid for from a certain prominent Wordpress themes company), and then exploit any website whose main page matched a signature. Alternatively, you could just speculatively hit a few hundred URLs on every domain you found.
On some badly configured Nginx servers the filename extension isn't parsed correctly. A php.jpg file will be executed as php because a badly written regex will match the .php.
Even if you don't have such vulnerabilities you probably don't want people to be able to upload images to your server. They could easily send you over quota on shared hosting and use your bandwidth for serving their own images (including child porn).
On a CubeCart pluggin that had the same flaw as the timthumb.php one, I whitelisted image file extensions. This should work, as long as there aren't and local file include vulnerabilities in the site.
This still allows the attacker to host images on your site though.
For most purposes, this would work. If you want to be extra safe, you can call getimagesize() on the file - this returns among other things the actual mime type of the file, allowing you to exclude anything but real image files.
Wordpress gets no opportunity to execute a single line of code at any point in this process. TimThumb can be executed without needing to go through Wordpress at any point. The only relevance of Wordpress to this is that many Wordpress themes happen to ship with TimThumb. If you have a Wordpress theme installed on your server (note: activation not required!) which ships with it, you are vulnerable.
Wordpress could theoretically intercept calls to PHP files below its own root, but that would be a breaking change for a LOT of code and sites.
The problem is that timbthumb.php is usually contained within themes or plugins. There's quite a few small php libraries with little insecurities dotted all around the web and sometimes theme and plugin developers tend to use a version and stick with it.
Realistically the best thing that could happen is that plugins like WP-Security Scan could check for timbthumb.php's presence and warn you.
