WordPress Security Issue with timthumb

Thousands of websites are at risk of being compromised due to a critical vulnerability in a popular third-party image manipulation script called timthumb.

The image utility is not part of the WordPress core files, but it is used in hundreds of WordPress themes. The script consists of a single file called timthumb.php and provides on-the-fly image cropping, zooming and resizing. Timthumb relies on a whitelist of domain names from which images may be fetched remotely, which includes popular image hosting sites like Flickr, Picasa, Blogger, WordPress and many more.

The flaw is in how that whitelist is checked: the script only tests whether a whitelisted name appears somewhere in the requested host, so a URL on a domain like ‘wordpress.com.evilhacker.cn’ is accepted because wordpress.com is part of the name, even though the attacker controls everything served from it.

The script stores the fetched files in a cache directory that is web accessible, so that it works on most servers without modification. That is what makes the bug serious: a PHP file fetched from an attacker's domain and saved into that cache can then be requested, and executed by the web server, like any other script on the site.
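To make the whitelist bug concrete, here is the check as a substring match beside the check as a suffix match, in shell. This is an added illustration of the bug class described above and not timthumb's own code; the host list in ALLOWED_HOSTS is an assumption for the demo.

```shell
#!/usr/bin/env bash
# Added illustration of the whitelist bug class described above, not timthumb's
# own code. ALLOWED_HOSTS is an assumed whitelist for the demo.
ALLOWED_HOSTS="flickr.com picasa.com blogger.com wordpress.com img.youtube.com"

# Host part of a URL: strip scheme, path, user@ and :port, then lower-case it.
url_host() {
    local h="${1#*://}"
    h="${h%%/*}"
    h="${h##*@}"
    h="${h%%:*}"
    printf '%s' "$h" | tr '[:upper:]' '[:lower:]'
}

# Vulnerable check: "does a whitelisted name appear anywhere in the host?"
# wordpress.com.evilhacker.cn passes because it contains wordpress.com.
host_allowed_substring() {
    local host a
    host=$(url_host "$1")
    for a in $ALLOWED_HOSTS; do
        case "$host" in *"$a"*) return 0 ;; esac
    done
    return 1
}

# Fixed check: the host must be exactly a whitelisted name or end in ".name",
# so nothing can be appended after the whitelisted part.
host_allowed_suffix() {
    local host a
    host=$(url_host "$1")
    for a in $ALLOWED_HOSTS; do
        case "$host" in "$a" | *".$a") return 0 ;; esac
    done
    return 1
}

# Run as: bash whitelist.sh demo
if [ "${1:-}" = "demo" ]; then
    for u in 'http://farm1.static.flickr.com/x/y.jpg' \
             'http://wordpress.com.evilhacker.cn/shell.php' \
             'http://evilwordpress.com/shell.php'; do
        printf '%-48s substring:%s suffix:%s\n' "$u" \
            "$(host_allowed_substring "$u" && echo allow || echo block)" \
            "$(host_allowed_suffix "$u" && echo allow || echo block)"
    done
fi
```

The suffix check closes the parsing hole, but it still trusts every subdomain of every listed host and says nothing about what was actually fetched, so the fetched content still has to be validated as an image and must never be written to the cache under a name the web server will execute.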

The timthumb developers are already working on a fix.

The problem I see here is that many of the people who are at risk (the ones who use WordPress because it’s ‘easy’) don’t even know they are vulnerable, let alone how to replace the file.

Managing Permissions

Sometimes you need to make sure that the permissions on web-accessible directories are correct (we were reminded of this recently when asked to review a rather large existing website for security flaws). As a general rule of thumb, 755 for directories and 644 for files is safe: the owner can write, everyone else can only read, and nothing is world-writable. There are some easy ways to do this.

The easiest way to change permissions in bulk is the recursive chmod:

chmod -R 755 /directory

Unfortunately this has its own issues: it changes everything to the same mode, so directories and files cannot end up with different permissions, and every file becomes executable. My fix for this is a few simple commands.

To set files below your current directory:
find . -type f -exec chmod 644 {} \;

To set directories below your current directory:
find . -type d -exec chmod 755 {} \;

Sometimes this blanket treatment isn’t enough. It is fine for a static HTML site, and also for PHP served through mod_php or PHP-FPM, where the server reads the files itself and no execute bit is needed. But if the web server runs something as a program (CGI scripts, or PHP under a CGI/suexec-style handler), those files need to be executable too, so give only them 755 after running the two commands above:
find . -type f -name \*.php -exec chmod 755 {} \;
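The three find commands above wrapped into one function, plus the check I would run afterwards to confirm the tree really ended up that way. This is an added example, not part of the original post; the path and the ‘*.cgi’ pattern are assumptions, and the check relies only on find’s -perm test.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Directory and file names are
# assumed; '*.cgi' stands in for whatever the server executes directly.

# Directories 755, regular files 644, then 755 only for files matching the
# optional glob in $2. find keeps the two apart; chmod -R 755 would make
# every file executable.
fix_web_perms() {
    local root="$1" exec_glob="${2:-}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -n "$exec_glob" ]; then
        find "$root" -type f -name "$exec_glob" -exec chmod 755 {} +
    fi
}

# Print anything that is world-writable, or a file with the owner execute bit
# outside the allowed glob. Returns 1 if it printed something, 0 if clean.
# -perm -0002 / -perm -0100 are octal "all of these bits set" tests, which
# behave the same in GNU and BSD find.
audit_web_perms() {
    local root="$1" exec_glob="${2:-}" found
    if [ -n "$exec_glob" ]; then
        found=$(find "$root" \( -perm -0002 -o \( -type f -perm -0100 ! -name "$exec_glob" \) \))
    else
        found=$(find "$root" \( -perm -0002 -o \( -type f -perm -0100 \) \))
    fi
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Run as: bash perms.sh fix /var/www/site '*.cgi'
if [ "${1:-}" = "fix" ] && [ -n "${2:-}" ]; then
    fix_web_perms "$2" "${3:-}"
    audit_web_perms "$2" "${3:-}" && echo "permissions ok under $2"
fi
```

Mode bits are only half of it: if the web server's own user owns the files, 644 still lets a compromised PHP process write to them, because the owner bit applies. Run the script as the account that should own the site and keep the server user as "everyone else".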

Easy Recursive Find and Replace Using find and sed

When working with websites (especially when moving them from one server to another) you sometimes need to edit all, or at least many, of the files that make up the site to change paths or connection strings (this is generally only a problem if the site is coded poorly and does not let these be set in a single file!). Doing it by hand can mean opening hundreds of files and hunting for the lines that need to change. This article is a brief tutorial that can save you a lot of that time.

Changing database server hostnames/usernames/passwords etc.:

find . -type f -exec sed -i~ 's/old text/new text/g' {} \;

The quotes keep the spaces inside the expression from splitting it into several arguments. -i~ edits each file in place and leaves the original beside it with a ~ suffix, which you will want the first time you run a replacement over a whole site.

Sometimes you don’t need to replace part of a line but remove whole lines. Let’s say you are about to hand over a Perl-powered website to somebody you really don’t like and want to remove all of your code comments (this deletes every line that contains the string):

find . -type f -exec sed -i '/string/d' {} \;

Also, if your string contains the / character you will either need to use a different delimiter for sed or escape it with \ wherever it appears. For example, to remove single-line PHP comments (note that this deletes every line containing //, including one with a URL such as http:// inside a string, so run it with -i~ and check the backups):

find . -type f -exec sed -i '/\/\//d' {} \;

The same thing with _ as the delimiter. A sed address that uses a custom delimiter must begin with a backslash, so it is \_//_ rather than _//_:

find . -type f -exec sed -i '\_//_d' {} \;
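The find/sed replacement above, made safe for the values you actually change when moving a site: hostnames with dots, connection strings with slashes, passwords with & or $ in them. This is an added example and not part of the original post; the file names and contents used to exercise it are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: literal string replacement over a
# tree with sed's special characters escaped. Names and sample data are assumed.

# Escape a literal for the search side of s///: ] \ / $ * . ^ and [ (a
# backslash inside the search string itself is not handled).
sed_escape_search() { printf '%s' "$1" | sed 's/[]\/$*.^[]/\\&/g'; }

# Escape a literal for the replacement side: / (the delimiter) and & (which
# sed would otherwise expand to the whole match).
sed_escape_replacement() { printf '%s' "$1" | sed 's/[\/&]/\\&/g'; }

# Replace every occurrence of literal $1 with literal $2 in files under $3.
# grep -rlF lists only the files that contain the string (-I skips binaries),
# so untouched files get no ~ backup and no changed mtime.
replace_in_tree() {
    local old="$1" new="$2" root="${3:-.}" pat rep f
    pat=$(sed_escape_search "$old")
    rep=$(sed_escape_replacement "$new")
    grep -rIlF -- "$old" "$root" | while IFS= read -r f; do
        sed -i~ "s/$pat/$rep/g" "$f"
    done
}

# Number of files under $2 that contain literal $1. After replace_in_tree the
# only hits should be the ~ backups.
files_containing() { grep -rIlF -- "$1" "${2:-.}" | wc -l | tr -d ' '; }

# Run as: bash replace.sh run 'mysql://old.db.example.com/app' 'mysql://10.0.0.5/app' /var/www/site
if [ "${1:-}" = "run" ] && [ $# -eq 4 ]; then
    replace_in_tree "$2" "$3" "$4"
    echo "files still containing '$2' (backups included): $(files_containing "$2" "$4")"
fi
```

Once the site works from the new values, remove the backups with find . -name '*~' -delete; leaving config.php~ in a web root hands the old credentials to anyone who guesses the name.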

As always, if you have any questions or even suggestions about this article drop me a line in the comments!

Testing Sites Without Changing DNS – Hosts Files Demystified – Windows – Mac – Linux

Wikipedia’s “definition” is:

The hosts file is one of several system facilities to assist in addressing network nodes in a computer network. It is a common part in an operating system’s Internet Protocol (IP) implementation, and serves the function of translating human-friendly hostnames into numeric protocol addresses, called IP addresses, that identify and locate a host in an IP network.
In some operating systems, the host file content is used preferentially over other methods, such as the Domain Name System (DNS), but many systems implement name service switches (e.g., nsswitch.conf) to provide customization. Unlike the DNS, the hosts file is under the direct control of the local computer’s administrator.


Now in plain English:

The hosts file is a text file the operating system consults to map hostnames (domains/subdomains) to IP addresses. A name found there is answered locally, so DNS resolution is bypassed for it.

The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more hostnames, each field separated by white space (I normally space things out so that the hostnames all line up because I’m crazy like that). Comment lines may be included; they are indicated by a hash character (#) in the first position of such lines. Entirely blank lines in the file are ignored.

Here is an example of a hosts file:

# This is an example of the hosts file
127.0.0.1    localhost    # IPv4 loopback
::1          localhost    # IPv6 loopback

localhost, of course, is the name that gets you to the machine you are currently on without needing to know its IP address.

There are many reasons someone would want to edit a hosts file. The most common is a web developer or designer testing a website after moving it to a new server, before changing the DNS settings for the world to see. There are also nefarious reasons the file gets edited, such as a malicious application redirecting a website you log in to (a bank site or email service, say) to a server that steals your login. The well-executed ones often act as a proxy and actually let you into your account, so you don’t even notice anything happened!

I know that may sound scary (and some of you are asking, “Why are you teaching people to do this?”), but it is not as big an issue as it used to be now that most operating systems require confirmation from an administrator-level user to edit the file. It is a good idea to understand how to read and edit a hosts file so you can not only use it for testing websites but also tell when it has been edited in some malicious way.

Another not quite as common use of the hosts file is to use it to block websites that are known to distribute malicious software or advertisement services. There are some good pre-formatted lists out there for this purpose (they also include instructions on how to use them).


To edit a hosts file you must first know where to find the file. The list below will break down some common operating systems, if you need information about how to do this on a system not listed below please drop me a line in the comments.

Windows 95 – Me

Location: %WinDir% (Typically C:\Windows\hosts)

Windows NT, 2000, XP, Vista, and 7

Location: %SystemRoot%\system32\drivers\etc (Typically C:\Windows\system32\drivers\etc\hosts)

Note: You will need to make sure that you have show hidden files turned on.  For Windows Vista and 7 you will need to launch your text editor as an administrator.

Mac OS 9 and Earlier

Location: System Folder

Mac OS X 10.0 – 10.1.5

This one is a bit more difficult, see Apple’s Article

Mac OS X 10.2+, iOS and almost all other *nix based systems

Location: /private/etc/hosts or /etc/hosts

Note: You will need to edit this file as root (with sudo, for example). New lookups pick the change up, but a browser that has already cached the old address may keep using it until it is restarted.
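Reading the file is the part that matters for spotting tampering, so here is a small audit of the kind described earlier: it parses a hosts file and prints every entry that sends a name somewhere other than the local machine, which is what both a staging override and a credential-stealing redirect look like. This is an added example, not from the original post. The sample file it writes is constructed, and 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: list hosts-file entries that point
# a name somewhere other than this machine. The sample file is constructed.

# Write a constructed sample hosts file to $1: the usual defaults, a staging
# override, and one entry of the kind a credential-stealing redirect would add.
write_sample_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
255.255.255.255 broadcasthost
203.0.113.10    www.example.com example.com   # staging box, added by me
198.51.100.7    login.bank.example
EOF
}

# Every active mapping as "address name", one name per line. Comments run
# from # to end of line; blank lines and odd whitespace are ignored.
hosts_entries() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 { for (i = 2; i <= NF; i++) print $1, $i }'
}

# Only the entries that send a name somewhere other than this machine: not
# loopback, and not the IPv6 link-local/multicast and broadcast defaults that
# Linux and macOS ship with. Everything printed is an override you should
# recognise; a bank or webmail name here that you did not add is the
# tampering the text above describes.
hosts_overrides() {
    hosts_entries "$1" | awk '
        $1 ~ /^127\./ || $1 == "::1" { next }
        $1 ~ /^fe00::/ || $1 ~ /^ff0[0-9]::/ || $1 == "255.255.255.255" { next }
        { print }'
}

hosts_override_count() { hosts_overrides "$1" | wc -l | tr -d ' '; }

# Run as: bash hosts-audit.sh /etc/hosts
[ -n "${1:-}" ] && hosts_overrides "$1"
```

If all you need is to test one site on the new server, curl can do the override for a single request without touching the file or any resolver cache: curl --resolve www.example.com:443:203.0.113.10 https://www.example.com/ connects to 203.0.113.10 while sending the real Host header.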

Quicker WordPress Install

I was creating a new installation of WordPress today for the development area of a new website, and while setting up the site it struck me how much I absolutely HATE having to download the zip, unzip it and upload the contents to a server that I don’t have SSH access to. After a couple of seconds of thought I hashed out this script, which downloads the latest zip, unzips it, moves the contents of the wordpress folder (which the zip creates) into the folder where you placed the script, then redirects to index.php so you can start the install immediately:

<?php
// Upload this file as installer.php into the directory that should hold the
// site and open it once in a browser. It removes itself on the last line.
system('wget https://wordpress.org/latest.zip');   // https, and without the stray trailing slash
system('unzip -q latest.zip');                      // creates a wordpress/ folder
system('mv wordpress/* ./');
system('rm -rf wordpress');
system('rm latest.zip installer.php');              // latest.zip (the file wget saved), not latest.php
?>
<meta http-equiv="refresh" content="0;url=index.php">

I’m sure there are ways to improve this but I figured I would put this rough copy out there. Of course, since it passes rm and the other commands to system(), it only works on Linux (or another Unix-like host where wget and unzip are available to the web server user). Keep in mind that anyone who can reach installer.php can run it and overwrite the directory, so upload it only when you are about to use it, and check afterwards that the last line really did delete it.
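For hosts where you do have a shell, the same fetch, unpack and move-up steps as a script, with one addition the PHP version lacks: the archive is checked against the .sha1 file wordpress.org publishes next to it before anything is unpacked. This is an added example, not the post’s own script. The archive URL is wordpress.org’s; the .sha1 companion name follows their convention; the destination directory and file names are assumptions. Because the checksum comes from the same origin as the archive, it catches a truncated or corrupted download, not a compromised origin.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script: fetch WordPress, verify the
# published sha1, then unpack and move the wordpress/ contents up one level.
# WP_URL is wordpress.org's archive; the .sha1 name follows their convention.
WP_URL=${WP_URL:-https://wordpress.org/latest.tar.gz}

# Download the archive and its .sha1 file into directory $1 (assumed writable).
fetch_wordpress() {
    local dir="$1"
    wget -q -O "$dir/wordpress.tar.gz" "$WP_URL"
    wget -q -O "$dir/wordpress.tar.gz.sha1" "$WP_URL.sha1"
}

# Compare archive $1 with the hex digest in file $2 (first field, so both a
# bare digest and "digest filename" work). Returns 1 on mismatch.
verify_sha1() {
    local archive="$1" sumfile="$2" want have
    want=$(awk '{print $1}' "$sumfile")
    if command -v sha1sum >/dev/null 2>&1; then
        have=$(sha1sum "$archive" | awk '{print $1}')
    else
        have=$(shasum -a 1 "$archive" | awk '{print $1}')   # macOS
    fi
    [ "$want" = "$have" ]
}

# Unpack $1 into $2 and move the top-level wordpress/ contents up one level,
# as the original "mv wordpress/* ./" does, but including dotfiles.
unpack_wordpress() {
    local archive="$1" dest="$2"
    tar -xzf "$archive" -C "$dest"
    find "$dest/wordpress" -mindepth 1 -maxdepth 1 -exec mv -- {} "$dest" \;
    rmdir "$dest/wordpress"
}

# Whole procedure; refuses to unpack anything whose checksum does not match.
install_wordpress() {
    local dest="$1"
    fetch_wordpress "$dest"
    if ! verify_sha1 "$dest/wordpress.tar.gz" "$dest/wordpress.tar.gz.sha1"; then
        echo "checksum mismatch, refusing to unpack" >&2
        return 1
    fi
    unpack_wordpress "$dest/wordpress.tar.gz" "$dest"
    rm -f "$dest/wordpress.tar.gz" "$dest/wordpress.tar.gz.sha1"
}

# Run as: bash wp-install.sh install /var/www/site
if [ "${1:-}" = "install" ] && [ -d "${2:-}" ]; then
    install_wordpress "$2"
fi
```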