[wp-hackers] WordPress security question

Phillip Lord phillip.lord at newcastle.ac.uk
Thu Jun 7 13:08:50 UTC 2012



Yes, this is exactly my point. It's possible to draw the conclusion from
the statement that "there are no themes in Extend that use timthumb"
that "as I got my theme from extend, I cannot get hacked through a
timthumb exploit". The former may be true, the latter is not. 

WPMU2 == wordpress multi-user version 2 which has merged with 
WP3 or Wordpress 3. 

In the ideal world, updates would just happen. The rest of my OS
updates, but because I develop against Wordpress, I've not managed to
achieve this with wordpress itself. 

Phil

Chip Bennett <chip at chipbennett.net> writes:

> There are no *active* Themes in Extend that use TimThumb. All that were
> found were suspended. Since some time ago, Themes using TimThumb have been
> blocked from even being uploaded to Extend.
>
> That said: we have no way of notifying users that they may be using
> vulnerable code. As much as we would love to provide such notifications to
> users (be it for TimThumb, or merely for obsolete Themes/code), we have no
> way to do so. It is a limitation of the update/notification system that is
> well outside of our scope/control. Either the Theme developer would have to
> release an update to Extend, or else the user would have to switch Themes
> on his own.
>
> Chip
>
> p.s. what are "WPMU2" and "WP3"?
>
> On Wed, Jun 6, 2012 at 9:59 AM, Mika A Epstein <ipstenu at ipstenu.org> wrote:
>
>> I didn't say it was never allowed :) it was, once, allowed. All themes
>> have been updated (or removed).
>>
>> As Helen rightly pointed out, you do get theme update notifications. You
>> don't for deleted ones, but I'm assuming (hoping?) the theme review folks
>> did some sort of update? If not, yes, there are some folks with
>> no-longer-approved themes out there, but this was pretty well posted and
>> reported. Due diligence has been done. Can't make people change their
>> oil, but the car can beep at you a lot :)
>>
>>
>>
>> On Jun 6, 2012, at 9:08 AM, phillip.lord at newcastle.ac.uk (Phillip Lord)
>> wrote:
>>
>> >
>> > Unfortunately, this is not quite true. It may be that it is not
>> > allowed now, but this doesn't mean that it was never allowed.
>> >
>> > What I never understood with Wordpress is why plugins have update
>> > notification, while themes do not. I was one of the many who get
>> > zero-day exploited through timthumb. The theme in question (suffusion)
>> > had removed timthumb quite a long time before but, of course, we got no
>> > update notifications, so we had not updated. More fool me, you might say.
>> > Well, yes, true. Also more fool many of the other thousands who got
>> > hacked.
>> >
>> > Combined with a largely undocumented schema change between WPMU-2 and
>> > WP-3 which made the restoration from backup a long, long process. I was
>> > thinking 2 or 3 hours (including VM set up), but it took 2 or 3 days.
>> >
>> > Phil
>> >
>> > Mika A Epstein <ipstenu at ipstenu.org> writes:
>> >
>> >> TimThumb is not a part of core, nor is it allowed in themes hosted on
>> >> the WP theme repo (as of the last time I looked).
>> >>
>> >>
>> >>
>> >> On Jun 5, 2012, at 7:50 AM, Mickey Panayiotakis <mickey at infamia.com>
>> wrote:
>> >>
>> >>> I've seen plenty of hacks based on timthumb vulnerabilities.
>> >>> However, I don't think wordpress core uses timthumb. (I'm sure the group
>> >>> will correct me here, which I invite.)
>> >>>
>> >>> The user is left to fend on their own when using a free or commercial
>> >>> theme, to a lesser or greater extent depending on the theme vendor. Some
>> >>> themes do a great job of providing updates and alerting the user to theme
>> >>> and framework updates (and thanks to WP3 we can see that in the usual
>> >>> updates area).  The problem is that when you customize a theme, updates
>> >>> become more visible.
>> >>>
>> >>> One of the most disturbing bits of advice I heard recently is that if you
>> >>> use a custom theme, you shouldn't update wordpress.  I'm sure what the
>> >>> speaker meant was to work with your vendor to make sure that WP and all
>> >>> plugins and themes stay up to date.
>> >>>
>> >>> mickey
>> >>>
>> >>>
>> >>>> Message: 1
>> >>>> Date: Mon, 4 Jun 2012 19:50:39 -0700
>> >>>> From: Andrew Freeman <andrew.s.freeman at gmail.com>
>> >>>> Subject: Re: [wp-hackers] WordPress security question (Dan Phiffer)
>> >>>> To: wp-hackers at lists.automattic.com
>> >>>> Message-ID: <CALT+zmKFuBXUXjH2F8NYaYp0FHHdvdkvQe9xyvkec6dN5S7D1g at mail.gmail.com>
>> >>>> Content-Type: text/plain; charset=ISO-8859-1
>> >>>>
>> >>>> Howdy Dan,
>> >>>>
>> >>>> Having cleaned up about a half-dozen sites in the past two months or so, I
>> >>>> have some suggestions for things to look for in terms of
>> >>>> backdoors/potential vulnerabilities.
>> >>>>
>> >>>> Most hacks I've seen come from a vulnerable Timthumb hack, an old image
>> >>>> thumbnail script which allowed an attacker to upload malicious code to the
>> >>>> server, giving them full shell access (or at least as much as Apache/PHP/WP
>> >>>> has). You can read technical details about it here:
>> >>>> http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
>> >>>>
>> >>>> You can use the Timthumb Vulnerability Scanner to quickly see if you have
>> >>>> any outdated versions of the script lying around:
>> >>>> http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/. Even
>> >>>> an unused theme with the old version of the script is vulnerable.
>> >>>>
>> >>>> Most hacks definitely add crazy base64_decode script to the header of
>> >>>> important files - often index.php of site root or theme root. This one
>> >>>> looks like it gets around base64_decode which makes it harder to detect. If
>> >>>> you can, ssh into the server and grep for 'lqxizr' to find if it's been
>> >>>> injected into any other files. Also, checking wp-config.php is a good idea,
>> >>>> because I've seen old backdoors left inside the file (usually separated
>> >>>> above and below the malicious script by several thousand blank lines).
>> >>>>
>> >>>> Other hacks I've seen append every front-facing JavaScript with malicious
>> >>>> code right instead of going the PHP route. I'd recommend checking your
>> >>>> frontend scripts for anything strange, the time last updated in FTP may be
>> >>>> of some help.
>> >>>>
>> >>>> Also, if you can, check the raw access logs for anything suspicious. One
>> >>>> time I thought my server was clear of shell-like scripts, but after another
>> >>>> hack that day the raw access logs showed that one actually just signed in
>> >>>> and used the WordPress editor to make the changes.
>> >>>>
>> >>>> I hope this can be of assistance and best of luck,
>> >>>> Andrew Freeman
>> >>>>
>> >>>
>> >>> --
>> >>>
>> >>> Mickey Panayiotakis
>> >>> Managing Partner
>> >>> 800.270.5170 x512
>> >>> <http://www.infamia.com>
>> >>> _______________________________________________
>> >>> wp-hackers mailing list
>> >>> wp-hackers at lists.automattic.com
>> >>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> >>
>> >>
>> >
>>
>
>

-- 
Phillip Lord,                           Phone: +44 (0) 191 222 7827
Lecturer in Bioinformatics,             Email: phillip.lord at newcastle.ac.uk
School of Computing Science,            http://homepages.cs.ncl.ac.uk/phillip.lord
Room 914 Claremont Tower,               skype: russet_apples
Newcastle University,                   msn: msn at russet.org.uk
NE1 7RU                                 twitter: phillord
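Andrew Freeman's checklist further up the thread (base64_decode injected at the top of index.php, the 'lqxizr' marker string, a wp-config.php backdoor hidden behind thousands of blank lines, and front-end scripts modified after a known-good time) as a file-system scan over a constructed sample site. This is an added example, not code from the thread or from any of the tools it links; the thresholds, file names and planted sample contents are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Indicators taken from the advice in the thread; the thresholds are assumptions.
MARKER = "lqxizr"        # string the thread suggests grepping for
HEAD_BYTES = 2048        # injected base64_decode code lands at the top of a file
BLANK_RUN = 1000         # "several thousand blank lines" padding in wp-config.php

def scan_file(path: Path, baseline_mtime: Optional[float] = None) -> list:
    """Return the names of the indicators found in one file."""
    text = path.read_text(errors="replace")
    hits = []
    if MARKER in text:
        hits.append("marker_string")
    if path.suffix == ".php" and re.search(r"base64_decode\s*\(", text[:HEAD_BYTES]):
        hits.append("base64_decode_in_header")
    if path.name == "wp-config.php" and re.search(r"(?:\r?\n){%d,}" % BLANK_RUN, text):
        hits.append("blank_line_padding")
    # The thread notes that FTP modification times help spot appended front-end scripts.
    if baseline_mtime is not None and path.stat().st_mtime > baseline_mtime:
        hits.append("modified_after_baseline")
    return hits

def scan_tree(root: Path, baseline_mtime: Optional[float] = None) -> dict:
    """Map each flagged .php/.js file (path relative to root) to its indicators."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in (".php", ".js"):
            hits = scan_file(p, baseline_mtime)
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report

def build_sample_site() -> Path:
    """Constructed sample tree: one clean file plus three planted indicators."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "clean.php").write_text("<?php echo 'ok'; ?>\n")
    (root / "index.php").write_text(
        "<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>\n"  # constructed header injection
        "<?php require 'wp-blog-header.php'; ?>\n")
    (root / "wp-config.php").write_text(
        "<?php define('DB_NAME', 'wp');\n" + "\n" * 3000 + "<?php /* lqxizr */ ?>\n")
    (theme / "app.js").write_text("function f() {}\n/* lqxizr */\n")
    return root
```

Pass the mtime of a known-good backup as `baseline_mtime` to also flag files changed since then; the raw access log check from the same message is a separate step this scan does not cover.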

