[Security] TimThumb Vulnerability – Fixes

The TimThumb exploit is still out there. More theme developers are updating their themes to ship a patched version of this library.

The TimThumb project was forked into another project, called WordThumb, by Mark Maunder and then recombined with the TimThumb project. As a result, TimThumb's version numbering is a little out of whack. The current version of TimThumb appears to be 2.7; however, any version from 1.34 onward appears to have fixed the major issue with TimThumb. Each subsequent release just adds additional security layers, and for that reason version 2.7 is probably the version you should be using.

However, the best thing you can do regarding this vulnerability is to talk to the developer, the person who wrote the WordPress theme you are using, and ask them whether the theme is vulnerable to this issue. It is important to note that this is not a security issue in WordPress itself; TimThumb is used by applications other than WordPress. WordPress is just the most common venue for TimThumb, so WordPress users are the ones most likely to be affected. It is also worth pointing out that not all WordPress users are affected; it depends on which themes you have installed and are using on your website.

The security blog Sucuri has a list of SOME affected WordPress themes:

http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html

However, it is important to point out that this is not a complete list. Just because your WordPress theme is not listed there does not mean it is unaffected. Again, the best step is to talk to your WordPress theme developer and ask them whether you are affected by this vulnerability.

Matt Mullenweg, the founder and creator of WordPress, has an interesting post about this issue:

http://ma.tt/2011/08/the-timthumb-saga

We are going to be going through the servers looking for timthumb.php files that may be affected by this. You should receive an email from us if such a file is found on your webhosting account. However, not all themes use the timthumb.php filename, and copies under other names we will not be able to find. So just because you did not receive an email from us does not mean that you are not affected. Again, I cannot stress this point enough: the best thing you can do is talk to your theme developer, the makers of your theme, and ask them whether you are affected. They are your best bet for finding out whether you are vulnerable.

Steven

[Security] Updated ModSecurity Filters

As we mentioned in an earlier post, today we are beginning the deployment of new ModSecurity filters on our shared hosting servers.

We have decided to push out these updates a few days before they were scheduled because of the recent TimThumb exploit (see the TimThumb vulnerability post). These new rules will hopefully help mitigate any damage this exploit can cause. Please note that the new ModSecurity rules do not solve the problem completely: affected TimThumb users should still upgrade or discuss this with their theme developer. We are going to be going through the servers looking for TimThumb scripts in the next few days, and you may receive an email about this.
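The server sweep mentioned here and in the Fixes post above has a known blind spot: a search by filename misses copies of TimThumb that a theme has renamed. The script below is an added example, not the hosting provider's own tool, showing how such a sweep can match on file contents instead and flag anything older than 1.34, the first fixed release named above. The function names (`timthumb_version`, `scan_for_timthumb`), the temporary directory layout and the three sample files it writes are all constructed for the demonstration.

```php
<?php
// Added example; not the hosting provider's own sweep script. It walks a document
// root, identifies copies of TimThumb by their contents rather than by filename
// (so renamed copies are caught), and flags versions older than 1.34, the first
// fixed release named in the post. The sample files written below are constructed.

// Return null if the file is not a TimThumb copy, the version string if one is
// declared, or 'unknown' for a TimThumb copy without a VERSION define.
function timthumb_version($path) {
    // The header comment and VERSION define sit near the top; 64 KB is plenty.
    $src = @file_get_contents($path, false, null, 0, 65536);
    if ($src === false || stripos($src, 'timthumb') === false) {
        return null;
    }
    if (preg_match("/define\\s*\\(\\s*'VERSION'\\s*,\\s*'([0-9.]+)'\\s*\\)/i", $src, $m)) {
        return $m[1];
    }
    return 'unknown';
}

// Walk $root and classify every PHP file that looks like TimThumb.
function scan_for_timthumb($root) {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $ver = timthumb_version($file->getPathname());
        if ($ver === null) {
            continue;
        }
        if ($ver === 'unknown') {
            $status = 'REVIEW';        // TimThumb-like but no version: check by hand
        } elseif (version_compare($ver, '1.34', '<')) {
            $status = 'VULNERABLE';    // predates the fix
        } else {
            $status = 'patched';       // 1.34 or later; newest release still preferred
        }
        $findings[] = array('status' => $status, 'version' => $ver,
                            'file' => $file->getPathname());
    }
    return $findings;
}

// Constructed demo tree standing in for two themes under one hosting account.
$root = sys_get_temp_dir() . '/timthumb-scan-' . getmypid();
mkdir("$root/theme-a/scripts", 0700, true);
mkdir("$root/theme-b/inc", 0700, true);
file_put_contents("$root/theme-a/scripts/timthumb.php",
    "<?php\n/* TimThumb script */\ndefine ('VERSION', '1.33');\n");
file_put_contents("$root/theme-b/inc/thumb.php",   // renamed copy a filename search would miss
    "<?php\n// TimThumb image resizer\ndefine ('VERSION', '2.7');\n");
file_put_contents("$root/theme-b/inc/functions.php", "<?php\nfunction theme_setup() {}\n");

foreach (scan_for_timthumb($root) as $f) {
    printf("%-10s %-8s %s\n", $f['status'], $f['version'], $f['file']);
}
```

Point `$root` at an account's document root to run it for real. Because the match is on contents, a wrapper file that merely mentions TimThumb will also be listed, so anything reported as REVIEW deserves a manual look; anything reported as VULNERABLE should be replaced with the current release, and the theme developer told about it.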

These new ModSecurity rules do have the potential to cause problems for some websites: some actions and files will trigger false positives and be blocked. If a particular rule is causing you problems, it can be exempted for your website. You will just need to open a support ticket with our support staff about it.

To open a support ticket, go to our Account Management page:

http://www.amshelp.com

And click on the Support Ticket link.

These new rules should help prevent exploits and compromises of your webhosting account; that is why they are being put in place. We apologize for any inconvenience these new rules might cause.

Steven

[Security] New Security Filters

We are going to be updating some software on the servers that will add additional layers of security to the frontend of the servers.

This software aims to filter out malicious requests that may be part of an attack on your website or a hacking attempt. The software is not perfect (no layer of security is), but it does a good job of limiting these types of attacks. As always, there is no substitute for keeping the scripts on your website up to date.

We have tested this new filtering software on a few of our servers with great results. We will be expanding this to all of our servers, perhaps early next week (August 8th – August 12th).

Our tests have shown very minimal impact on end users' websites. However, there is a possibility that this software will interfere with the normal operation of your website, depending on how arguments and data are passed around on your website. Exemptions can be made for your website, but unfortunately we won't know that exemptions need to be made unless you tell us that you are experiencing problems.

This security software should allow for a more safe and secure hosting environment.

Steven

[Security] TimThumb vulnerability – WordPress

UPDATE Aug 2, 2011 02:29PM CDT — If you want to know whether your website is vulnerable to this, open a support ticket and our technicians will look at your account and work with you to minimize this threat.

A security issue has been disclosed in the TimThumb project. This vulnerability lets a remote attacker plant and run code on your account, which in practice means a full compromise of the account.

Information about this vulnerability and a disclosure is at:

Zero Day Vulnerability in many WordPress Themes

The vulnerability is in the timthumb.php file, which is bundled with a lot of WordPress themes (though it is not exclusive to WordPress scripts/themes). Older versions accept a URL to a remote image and check its hostname against a list of allowed domains with a substring match, so a file served from an attacker-controlled hostname that merely contains an allowed domain name is fetched and written into the cache directory; if that file is PHP, it can then be requested and executed.

Really this should be addressed by the WordPress theme creators, whoever wrote the WordPress theme you are using, or by the developer of whatever other application you are using. However, as an end user YOU will need to take responsibility and update your theme or your script to resolve this issue. A developer who releases a new version to fix this flaw does you absolutely no good unless you actually upgrade the theme or script.

There is an update to the timthumb.php file, version 1.34, that fixes this flaw, and that file is posted on Google Code:

http://code.google.com/p/timthumb
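To make the flaw concrete, here is an added example (not TimThumb's own source, and not copied from any release) showing the shape of the pre-1.34 remote-host check next to a hardened version of the same check. The function names `host_allowed_vulnerable` and `host_allowed_fixed`, the allowed-domain list and the test URLs are all illustrative.

```php
<?php
// Added example, not TimThumb's own source: a simplified reconstruction of the shape
// of the pre-1.34 remote-host check next to a hardened version. The allowed-domain
// list and the URLs below are illustrative, not copied from any release.

$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com');

// Vulnerable shape: an allowed domain may appear anywhere in the hostname.
function host_allowed_vulnerable($url, array $allowed) {
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($allowed as $site) {
        if (strpos($host, strtolower($site)) !== false) {
            return true;   // "blogger.com.example.net" and "notblogger.com" both pass
        }
    }
    return false;
}

// Hardened: require http/https and a host that is exactly an allowed domain
// or a subdomain of one (ends with "." followed by the allowed domain).
function host_allowed_fixed($url, array $allowed) {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowed as $site) {
        $site = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

$urls = array(
    'http://img.blogger.com/photo.jpg',          // legitimate subdomain of an allowed site
    'http://blogger.com.example.net/shell.php',  // attacker-controlled host, allowed name as prefix
    'http://notblogger.com/shell.php',           // allowed name embedded in a different domain
    'ftp://img.blogger.com/photo.jpg',           // right host, unexpected scheme
);
foreach ($urls as $url) {
    printf("%-44s vulnerable: %-5s hardened: %s\n", $url,
        host_allowed_vulnerable($url, $allowedSites) ? 'true' : 'false',
        host_allowed_fixed($url, $allowedSites) ? 'true' : 'false');
}
```

Only the first URL should pass the hardened check; the vulnerable check accepts all four. A correct host check is one layer: a script that fetches remote files should also verify that what came back is actually an image and store it under a generated name rather than the remote file's own name, so that nothing in the cache directory can be requested as PHP. That is part of why the newest release is preferable to the minimum fixed version.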

At this time, I am mixed on how to react to this. We have a lot of WordPress scripts on our servers. I am afraid that not many of these users will update their themes to fix this issue, or perhaps the theme makers themselves will not release a fix for this in a timely manner. This will result in a lot of WordPress scripts being hacked. I can disable the timthumb.php file on the servers; this would mean any website that uses the timthumb.php file would stop functioning correctly, but it would save those accounts from being hacked and compromised. Right now, I am probably going to wait and see how the theme makers respond to this issue, and hope that they act accordingly and that WordPress and TimThumb users act responsibly and keep their scripts and themes up-to-date.

For WordPress users, I would recommend that you contact the developer or vendor (the website that you downloaded or purchased your WordPress theme from) and ask them if they are aware of this vulnerability, if it applies to your WordPress theme, and what their plans are for fixing this issue.

Steven

[Security] osCommerce Insecurity leads to leak

I found this article concerning the insecurities of osCommerce and how a vulnerability in the software led to a mass compromise of potentially confidential information, such as credit card information.

Sneaky Trojan exploits e-commerce flaws (theregister.co.uk)

osCommerce has never been a favorite shopping cart application for me. The seeming lack of attention the osCommerce developers give to the vulnerabilities in their product means that an osCommerce-reliant website may be vulnerable to a compromise at any time.

If you use osCommerce on your website, I would encourage you to put a lot of thought into switching to a different system, one that updates frequently to fix known security vulnerabilities. I would also encourage you to check out Mal's E-Commerce hosted solution.

Steven