HACKED: Network Theme TimThumb vulnerability

Hi,

My network theme site has been hacked.

This theme uses code publicly known to be vulnerable. If there was ever a smoking gun, timthumb is it. I’ve come to the conclusion that this is the most likely source of my trouble. Can I use this plugin? (Can I not use it!)

http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

Please upgrade the theme to replace timthumb ASAP.

Larry

  • NYCWW
    • Site Builder, Child of Zeus

    Good morning, Larry. Sorry to read about your website being hacked. I’ve had similar experiences over the years and it can be extremely disheartening.

    You should be able to use the plugin. However, it’s worth noting that “timthumb” is not in and of itself a problem. There were particular versions of the script that created vulnerabilities.

    I’d be very surprised to find out that wpmudev was using an outdated version of the script in their themes. The 100K+ users in this community include many, many developers and you’d think that someone would have pointed it out by now.

    My point is, don’t stop looking for other points of vulnerability based on the fact that you’re using a theme that includes a timthumb script because it is unlikely that’s how you got hacked. You don’t want to overlook other real vulnerabilities because you think you’ve found the answer.

    Also, there is plenty of information on WordPress security out there. Check to see if there are other things you can be doing to harden your site as well. There’s no such thing as too much security.

  • Timothy
    • Chief Pigeon

    I have this theme running on a few sites with no issues so far.

    You will note in the change logs:

    DATE: 2011-09-11 • VERSION: 1.5.7.1

    Updated timthumb version number to stop scanner failing when already safe

    DATE: 2011-08-03 • VERSION: 1.5.7

    Timthumb fix: please update this is a security fix

    This I believe was an update to Timthumb and removed the security vulnerability which happened some time ago.

    How did you come to this conclusion? Any evidence you have which we can investigate further?

    Thanks.

  • Timothy
    • Chief Pigeon

    If you are really concerned about hacking you may wish to hire a server admin to harden the server. Then hire someone or even a few to run a security audit on all the code you are using.

    That should give you the reassurances you need but as demonstrated in recent times that no matter how much money and skill is used it still doesn’t always prevent such malicious actions unfortunately.

    Take care.

  • tishimself
    • Syntax Hero

    Hi,

    For some reason I’m not getting email updates on this topic.

    >How did you come to this conclusion, any evidence you have which we can investigate further

    As you may be aware it is unlikely I can provide hard smoking gun evidence. Certainly, there were no server log entries indicating a problem. Scanning identified 3 backdoor scripts. All my software was current, including the Network theme, but Timthumb is old. So far it is my best bet.

    The Network Theme uses an outdated V1.19 timthumb….and yes my theme is current. Leaving /wp-content/themes/network/library/functions/timthumb.php ('VERSION','1.19') is a likely entry point for numerous hackers since August 2011.

    Maybe my theme updates did not pick up the proper level of TimThumb. What version of TimThumb should my Network theme be running?

    Larry

  • tishimself
    • Syntax Hero

    Hi,

    The ongoing use of TimThumb is a risk. The risk is too high to continue to use code that has been a hacker’s dream. Why trust the pundits that the holes have been plugged? The risk is too great for WPMUDEV to be distributing it.

    Face it, time to find a new way to do this.

    Larry

  • Timothy
    • Chief Pigeon

    It’s not for me to face, the developer of this theme has full control over its development path.

    I can say though that I use this theme and have done for a fair while with no issues or hacking.

    Of course your concerns are important and as such I will ping our developer to see what his plans are here.

    Thanks.

  • S H Mohanjith
    • Developer

    I’m extremely sorry your site was hacked, it can be disheartening.

    We have fixed the TimThumb vulnerability 2011 August.

    Fix was to not allow downloading images from external sites (See ALLOW_EXTERNAL). To be even safer we removed all $allowedSites.

    We do not believe it was the Network theme or TimThumb included in the network theme that downloaded the backdoors.

    Thanks

  • tishimself
    • Syntax Hero

    Hi,

    >We do not believe it was the Network theme or TimThumb included in the network theme that downloaded the backdoors.

    >We have fixed the TimThumb vulnerability 2011 August

    >It’s not for me to face, the developer of this theme

    I installed http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    The latest version of the Timthumb script is 2.8.10. The oldest safe version is version 2.8.2. Last scan run 1 min ago.

    It is not just the Network theme exposing your clients with Timthumb V2.8.

    How long b4 2.8.10 is hacked? There are alternatives out there.

    Regards,

    Larry

  • tishimself
    • Syntax Hero

    Hi,

    I compared timthumb.php on my website with a new download of the theme.

    It seems the same and contains this line:

    define ('VERSION', '1.19'); // version number (to force a cache refresh)

    To correct my previous post, the plugin mentioned above does not even recognize this file as TimThumb code!

    Larry

  • Timothy
    • Chief Pigeon

    Hey again.

    As Moha pointed out:

    We have fixed the TimThumb vulnerability 2011 August.

    He then elaborated on what the issue was.

    You then stated:

    I replaced the Network Theme timthumb.php with V2.8.10 and it seems to be working. The plugin scans it ok too.

    I think it might be for these two reasons the thread was marked as resolved.

    Were you wanting any further advise from Moha? If so I could ping him again.

    Take care.

  • tishimself
    • Syntax Hero

    Hi,

    1). I’m not convinced the Network theme timthumb is at August 2011, since it clearly says V1.19.

    2). Based on the plugin, the fix for 2011 August was vulnerable too, I now have a new Network theme update from WPMUDEV that may backlevel to a vulnerable level. I can upgrade timthumb again, but I’d rather have the theme fixed.

    3). This is not the only theme you have at this level so unless you fix these other themes they provide exposures.

    Larry

  • Timothy
    • Chief Pigeon

    Hey again Larry.

    The issue as Moha stated was that they allowed external sites, the fix was to not allow external sites:

    Fix was to not allow downloading images from external sites (See ALLOW_EXTERNAL). To be even safer we removed all $allowedSites.

    I’ve pinged Moha again, but I feel he may say the same thing, that the issue was resolved by not allowing external site.

    Thanks.

  • tishimself
    • Syntax Hero

    Hi,

    The issue is that the plugin says that V1.19 was vulnerable and that the oldest safe version is version 2.8.2.

    And that a number of other themes WPMUDEV distributes (some are in the Farms Pack) are vulnerable too.

    I did set ALLOW_EXTERNAL to be FALSE with the new version.

    Larry

  • tishimself
    • Syntax Hero

    Hi,

    FWIW, I set up a new test site and upgraded to the Network theme. As expected, there were no changes to timthumb. I have yet to do much testing with V2.8.10 with ALLOW_EXTERNAL set to FALSE, but if this does not work, then it seems I need to move to a new theme. I also installed the better wp security plugin to try to improve security b4 I start rebuilding & testing Timthumb in earnest. I’m expecting the security plugin to cause some plugin conflicts.

    NB: WPMUDEV considers the theme to be safe as distributed. They may be correct. After having been hacked, I figure they may very well be wrong.

    No one can dispute that TimThumb has a very bad history of hacker vulnerabilities.

    BTW my concern applies to the Farm themes too but not just because of timthumb. Try a security scan with the Farm installed to see what I mean.

    Regards,

    Larry

  • tishimself
    • Syntax Hero

    Hi,

    >can we please get more information how your site was hacked due to the timthumb included in Network theme?

    I’d be more than happy to entertain your suggestions on just how this might accomplished. So far I have not heard anything that might be useful.

    I can repeat myself too:

    As you may be aware it is unlikely I can provide hard smoking gun evidence. Certainly, there were no server log entries indicating a problem. Scanning identified 3 backdoor scripts. All my software was current, including the Network theme, but Timthumb is old. So far it is my best bet.

    And based upon what I have learned it remains my best bet on how it was done.

    It is reasonable to expect timthumb to be upgraded in your themes to a non-vulnerable current level of the code.

    Regards,

    Larry

  • Timothy
    • Chief Pigeon

    Your server has access logs, and records what happens on your server, what’s accessed, etc. Please run a security audit to ascertain how access was gained.

    Your host should be able to assist you with this. Or a system admin.

    As Moha explained the fix was to not allow downloading images from external sites and that was done.

    Thanks.

  • tishimself
    • Syntax Hero

    Hi,

    Security audit. My hosting company had no suggestions for the source. My SA was unable to identify the cause with certainty. They both pointed to the old version of Timthumb as the most likely candidate, which is why I raised the issue. This is not an idle request.

    wordpress.org says V1.19 is not secure. V2.8.2 is the oldest secure version.

    Keep that setting, but please use the current and secure level of the code.

    I do not understand your reluctance. Is this really asking for too much?

    Larry

  • foodfriendfinder
    • The Incredible Code Injector

    In my opinion…any WordPress site whatever theme you are using can get hacked…as Tim I believe suggested earlier post…your server security needs to be up to date…I am not sure what hosting package you have or how your server is setup.

    For this reason in addition there are many Security plugins also available for WP…..some free …some paid..

    Personally I use Bulletproof Security http://www.ait-pro.com/ and recently been testing Wordfence http://www.wordfence.com/

    But many to choose from and everyone will have an opinion what is best..Just my opinion….Better safe than sorry!!

  • Timothy
    • Chief Pigeon

    I do not understand your reluctance. Is this really asking for too much?

    Honestly it’s not my reluctance. I use this theme myself so it’s a concern to me as well.

    But what I’m saying is based upon what Moha advised. The issue was about external linking, It’s that which was fixed in our version. So it shouldn’t be a security issue because it’s not permitted in our release.

    Take care.

  • tishimself
    • Syntax Hero

    Hi,

    >In my opinion…any WordPress site whatever theme you are using can get hacked

    Agreed, but this does not mean measures should not be taken to make wordpress more secure. And one of the basics principles is keeping software current. Which is why I raised this issue. As for the server, I rely on a reputable hosting company.

    You are so sure that it was only that one issue that you are willing to ignore the wordpress.org plugin recommendations to remain on V1.19. And it is not just one theme! What is the downside of updating the code and using that setting?

    >Better safe than sorry!!

    Larry

  • Mason
    • DEV MAN’s Sidekick

    Hiya @tishimself,

    The reason the code says version 1.19 is because that is the version we forked from. We saw the code was insecure and even looked at the way it was patched. We felt that wasn’t good enough and that for multisites there were better ways to protect our members.

    So we wrote our own code and left a note to remind ourselves what version we branched off. Some scanner-based security audits will incorrectly flag this script thinking it’s the old version. It’s not. A human developer should see what we’ve done and see that it’s more secure.

    We do monitor timthumb development and if they add a new feature or write something we feel is better, we’ll look into incorporating it into our own script.

    To recap the number 1.19 means nothing in the context of the security of the timthumb script included with this theme. It could say 4.02 or 20010 or “eat at joe’s”. It’s not relevant to security – just a note so down the road we don’t forget what we did.

    Thanks.
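    The thread turns on two checks that a site owner can run for themselves: what version string each copy of timthumb.php carries (the scanner plugin's "oldest safe version 2.8.2" threshold quoted by Larry) and whether the developer's fix is actually in place (ALLOW_EXTERNAL off and an empty $allowedSites, as Moha describes). Mason's reply also shows why a version string alone is a weak signal: a fork can keep a stale number. The script below is an added example, not code from the theme, the scanner plugin or WPMU DEV, that walks a WordPress tree, finds files that look like TimThumb, and reports both the version string and the external-fetch configuration so that a reviewer can decide by hand. The regular expressions, the "contains the word timthumb" marker heuristic and the two sample PHP files are assumptions constructed for the example.

```python
"""Audit a WordPress install for TimThumb copies and their external-fetch settings."""
import re
import sys
from pathlib import Path

# Threshold quoted in the thread from the TimThumb Vulnerability Scanner plugin.
MIN_SAFE_VERSION = (2, 8, 2)

# Assumed patterns for the config lines discussed in the thread.
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9.]+)['"]\s*\)""")
ALLOW_EXTERNAL_RE = re.compile(
    r"""define\s*\(\s*['"]ALLOW_EXTERNAL['"]\s*,\s*(true|false)\s*\)""", re.I)
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)


def parse_version(text):
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def looks_like_timthumb(src):
    """Heuristic (an assumption): a VERSION define plus the word 'timthumb' somewhere."""
    return VERSION_RE.search(src) is not None and "timthumb" in src.lower()


def audit_source(src, path="<memory>"):
    """Return findings for one PHP source, or None if it does not look like TimThumb."""
    if not looks_like_timthumb(src):
        return None
    findings = {"path": path, "issues": []}

    version = VERSION_RE.search(src).group(1)
    findings["version"] = version
    if parse_version(version) < MIN_SAFE_VERSION:
        min_safe = ".".join(map(str, MIN_SAFE_VERSION))
        # A fork may carry a stale string (the 1.19 case in the thread), so this is a
        # prompt for manual review, not proof of a vulnerable file.
        findings["issues"].append(
            f"version string {version} is below {min_safe}; review by hand, may be a fork")

    m = ALLOW_EXTERNAL_RE.search(src)
    findings["allow_external"] = (m.group(1).lower() == "true") if m else None
    if findings["allow_external"] is None:
        findings["issues"].append("ALLOW_EXTERNAL is not defined in this file")
    elif findings["allow_external"]:
        findings["issues"].append("ALLOW_EXTERNAL is true: remote image fetching is enabled")

    m = ALLOWED_SITES_RE.search(src)
    sites = [s.strip().strip("'\"") for s in m.group(1).split(",") if s.strip()] if m else []
    findings["allowed_sites"] = sites
    if sites:
        findings["issues"].append(f"{len(sites)} entries in $allowedSites")
    return findings


def audit_tree(root):
    """Scan every .php file under root and return findings for the TimThumb-like ones."""
    results = []
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        found = audit_source(src, str(path))
        if found:
            results.append(found)
    return results


# Constructed sample 1: old-style settings, modelled on the lines quoted in the thread.
OLD_STYLE = """<?php
define ('VERSION', '1.19');     // version number (to force a cache refresh)
define ('ALLOW_EXTERNAL', TRUE);
$allowedSites = array(
    'flickr.com',
    'picasa.com',
);
// ... timthumb resizing code would follow ...
"""

# Constructed sample 2: the settings the developer describes (external fetching off, no sites).
HARDENED = """<?php
define ('VERSION', '2.8.10');
define ('ALLOW_EXTERNAL', FALSE);
$allowedSites = array();
// ... timthumb resizing code would follow ...
"""

if __name__ == "__main__":
    targets = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else [
        audit_source(OLD_STYLE, "sample/old"), audit_source(HARDENED, "sample/hardened")]
    for t in targets:
        status = "REVIEW" if t["issues"] else "ok"
        print(f"{status:6} {t['path']} version={t['version']} "
              f"allow_external={t['allow_external']} sites={t['allowed_sites']}")
        for issue in t["issues"]:
            print(f"       - {issue}")
```

    Run it as `python timthumb_audit.py /path/to/wp-content` to list every TimThumb-like file under the install; with no argument it audits the two constructed samples. The version check is deliberately reported as a review prompt rather than a verdict, which is the point Mason makes about the forked script, while the ALLOW_EXTERNAL and $allowedSites checks reflect the fix the developer actually describes.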
