Old image resize script leaves 1 million Web pages compromised
- 01 November, 2011 00:56
A serious code injection vulnerability affecting timthumb, a popular image resize script used in many WordPress themes and plugins, has been exploited in recent months to compromise over 1 million Web pages.
Estimating the impact is not an easy task, according to website integrity monitoring vendor Sucuri Security, which monitored the fallout of this flaw since it was first announced at the beginning of August.
The company's researchers have devised a method that involves using Google to search for compromised pages where the malicious code malfunctioned.
"If you are familiar with PHP/WordPress, you'll notice that [the attack] is adding the output of this function (counter_wordpress, which calls 126.96.36.199/bt.php) to the header of the compromised site," Sucuri Security's David Dede said.
"Everything is OK, but what happens when the site 188.8.131.52 goes down? If the site has display_errors enabled on PHP, this will show up: 'Warning: file_get_contents(http://184.108.40.206/bt.php?ip=IP&host=..'," he explained.
Searching for this error on Google returned over 1 million results and using filters for the last 30 days, returned over 200,000.
There are other factors to consider as well when trying to estimate the impact, like the fact that Google results correspond to compromised pages, not websites, as one website can have multiple pages infected. Also, not all servers have the display_errors feature enabled in PHP, which means no error will be outputted even if a site is affected.
It's also worth considering that Sucuri's method is used to estimate the impact of one particular attack. There's no telling how many websites compromised by different exploits targeting this vulnerability are out there. Dede believes that there could be a couple of million.
Webmasters should immediately replace the timthumb.php file bundled with their blog's themes or plugins with the latest version which is no longer vulnerable. However, it isn't enough to just patch currently active components, as leaving old timthumb versions anywhere on the server poses a similar threat.
"[Thousands] of sites were hacked because they had unused themes (or plugins) that included a vulnerable version of the script. Yes, in a lot of cases the script wasn't even enabled, it was just sitting there idle on the server," Dede said.
His recommendation is to remove old scripts or test accounts that are no longer necessary, because a new vulnerability that affects them can be identified at any time, and this doesn't apply only to WordPress blogs.
For example, many webmasters install a current version of phpMyAdmin, a popular Web-based database management tool, in order to perform a one-time task and then leave it on the server thinking it's patched up and password-protected.
Months later, someone can discover a vulnerability in that version and exploit it to inject malicious code in the underlying databases. This is not a theoretical attack. Compromises like this happen all the time and attackers use automated tools to search for vulnerable installations or crawl websites for default directories where these tools are usually located.
"Remove all unneeded software from the server. Even at rest, over time, the risk of being exploited is growing," Dede concluded.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Queensland government to provide 200 services online by 2015
CIOs need to get their house in order, CFO panel says
Is Data Complexity Blinding Your IT Decision-Making?
Why IT projects really fail
CIOs say cost, complexity impede true mobile gains in enterprise
Unleashing the Power of Information
If business-relevant information is not well managed, secured and analysed, it can become an underutilized asset or—worst case—a legal and competitive liability. Nearly all of the IT and business executives who responded to a recent survey recognise this risk, and say they understand the importance of having an enterprise information management (EIM) strategy. Find out more on how to reduce costs, improve competitiveness and avoid risk by making information management an enterprisewide strategic priority.
Case Study: Sustainability Value in a Virtual World
Over time we have learnt that teleconferencing services have made organisations work faster, more focused and environmentally responsible. In this case study, we look at the travel costs that are avoided, the more effective decision-making capacity that is unlocked and the better work-life balance that is afforded to employees. Click to download!
Deliver Enterprise Mobility with Security and Performance
Mobility and the consumerisation of IT pose key challenges for IT around scalability, security and application visibility. In this whitepaper, we look at complete, integrated and scalable solutions that deliver apps and data to any device with full security and a high-performance user experience. Learn more!