
WordPress blogs still hounded by security vulnerabilities


Users of WordPress blogs, look out: your sites may be at risk from an image-based zero-day vulnerability. Computer security firm Sophos said the backdoor appeared to be a previously undocumented flaw in "timthumb," a useful WordPress add-on shared by many WordPress themes.

"Timthumb is an 864-line PHP script which assists with automatic image resizing, thumbnailing and so forth ... If you run WordPress and you have a file named timthumb.php, sometimes renamed to thumb.php, in your installation, you may be at risk," Sophos' Paul Ducklin said in a blog post.

He said the vulnerable version of timthumb allowed images from external sites to be accessed from one's own server, as happened to researcher Mark Maunder. Ducklin said the present default allows the display of images from Flickr.com, Picasa.com, YouTube, and Wikimedia. "A better default would be an empty list, so that users who want to allow external files to be sourced by their own servers need to take steps to enable that capability," he said.

He also said the code allows a "dodgy" website such as picasa.com.badsite.example, simply because its address contains the string "picasa.com." Clearly, that is not what was intended. Ducklin said this allows a remote-access PHP Trojan to take control of the site. He issued the following suggestions, based on Maunder's experience:

  • Don't trust externally-sourced content by default. Force your users to think about what they really want.
  • Check and test your URL sanitization code.
  • Keep files, especially remotely-sourced files, outside the directory tree where your server-side executable code lives.
  • Check if any of the blogs you host use timthumb.php, and upgrade to the latest version.
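The following PHP is an added illustration of the points above and is not timthumb's code or Sophos' code. It places the substring-style host check the article describes next to a check that parses the URL and compares the host name on a dot boundary, starts from the empty allow-list Ducklin recommends, and stores a fetched file only after it decodes as an image, under a type-derived extension, in a directory assumed to sit outside the web root. The host list, function names and the cache path are assumptions for the example.

```php
<?php
// Added example, not timthumb's own code. Names, the host list and the
// cache directory are hypothetical.

// Ducklin's "better default": no external hosts until the operator opts in.
const DEFAULT_ALLOWED_HOSTS = [];

// Weak pattern: a raw substring search over the whole URL. Any URL that
// merely contains "picasa.com" somewhere in it passes.
function hostAllowedBySubstring(string $url, array $allowedHosts): bool
{
    foreach ($allowedHosts as $host) {
        if (stripos($url, $host) !== false) {
            return true;
        }
    }
    return false;
}

// Stricter pattern: parse the URL, insist on http(s), and compare the parsed
// host name against the list exactly or on a dot-separated subdomain boundary.
function hostAllowedByHostname(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        if ($host === $allowed) {
            return true;
        }
        // "farm1.flickr.com" matches "flickr.com"; "flickr.com.example" does not.
        $suffix = '.' . $allowed;
        $n = strlen($suffix);
        if (strlen($host) > $n && substr($host, -$n) === $suffix) {
            return true;
        }
    }
    return false;
}

// Storing a fetched file: verify it really decodes as an image, derive the
// extension from the detected type (never from the URL), and write it to a
// cache directory the web server neither serves nor executes from.
function storeFetchedImage(string $bytes, string $cacheDirOutsideWebRoot): ?string
{
    $info = getimagesizefromstring($bytes);
    if ($info === false) {
        return null; // not an image: discard rather than save
    }
    $ext = image_type_to_extension($info[2], true); // e.g. ".jpeg", ".png"
    $name = bin2hex(random_bytes(16)) . $ext;
    $path = rtrim($cacheDirOutsideWebRoot, '/') . '/' . $name;
    return file_put_contents($path, $bytes) === false ? null : $path;
}

// Demonstration with the article's own example host. The operator has
// explicitly enabled four hosts instead of relying on DEFAULT_ALLOWED_HOSTS.
$allowed = ['flickr.com', 'picasa.com', 'youtube.com', 'wikimedia.org'];
$urls = [
    'http://picasa.com/album/photo.jpg',
    'http://picasa.com.badsite.example/photo.jpg', // the case Ducklin describes
];
foreach ($urls as $u) {
    printf("%-48s substring:%-5s hostname:%s\n", $u,
        hostAllowedBySubstring($u, $allowed) ? 'pass' : 'fail',
        hostAllowedByHostname($u, $allowed) ? 'pass' : 'fail');
}
```

Run against the article's example, the substring check accepts picasa.com.badsite.example while the hostname check rejects it, because the parsed host is compared as a whole rather than searched for a fragment. Keeping the cache directory outside the document root, and naming files by detected image type, addresses the third and fourth suggestions: a fetched file that is not an image is never written, and one that is can be served by the application but not executed by the web server.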
— TJD, GMA News