June 14, 2021

Non-updated Versions of TimThumb Still Causing Problems for WordPress

(LiveHacking.Com) – Nearly three months ago it was discovered that TimThumb, a PHP script used in many popular WordPress themes, contains a vulnerability that allows a remote attacker to upload arbitrary PHP code to a vulnerable site.

By crafting a special image file with a valid MIME type and appending PHP code to the end of it, an attacker can fool TimThumb into believing that the file is a legitimate image, so that it is cached locally in the cache directory.
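A site owner can check an existing cache directory for this pattern. The following is an added example, not code from the original article, AVAST or the TimThumb project: it flags cached files that contain a PHP opening tag and, for PNG files, any bytes after the end-of-image chunk. The function names and the directory passed on the command line are assumptions.

```python
import os
import re
import struct
import sys

# Magic-byte prefixes of the image types a thumbnail cache should contain.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif",
         b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg"}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def image_type(data):
    """Name the image format by magic bytes only, or None."""
    return next((n for m, n in MAGIC.items() if data.startswith(m)), None)

def png_trailing_bytes(data):
    """Walk the PNG chunk list; return whatever follows the IEND chunk."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return data[pos:]
    return b""

def inspect(data):
    """Findings for one cached file: PHP open tag, data after PNG end."""
    kind, findings = image_type(data), []
    hit = PHP_TAG.search(data)
    if hit:
        findings.append(f"php-open-tag@{hit.start()} in {kind or 'non-image'} file")
    if kind == "png" and png_trailing_bytes(data):
        findings.append("bytes after PNG IEND chunk")
    return findings

def scan_cache(cache_dir):
    """Map path -> findings for every suspicious file under cache_dir."""
    results = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                found = inspect(fh.read())
            if found:
                results[path] = found
    return results

if __name__ == "__main__":
    # Hypothetical usage: pass the theme's TimThumb cache directory.
    for path, found in scan_cache(sys.argv[1]).items():
        print(path, "; ".join(found))
```

A file that passes the magic-byte check and still produces a finding is the case described above: it looks like an image to a type check but carries code the web server may execute if the cache directory is reachable.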

Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections that are exploiting non-updated versions of TimThumb.

Researchers from AVAST were contacted in relation to the blog theJournal.fr, the online site for The Poitou-Charentes Journal, which had been infected. According to AVAST, the Poitou-Charentes Journal is just one part of a much bigger attack.

The compromised sites were infected with the Blackhole Toolkit, a set of malware tools available on the black market for around $1500. AVAST has spotted 151,000 hits to one of the locations where this exploit redirects users. AVAST estimates that anywhere up to 3,500 sites have been infected.

More details about the surge in infections can be found here and details of the Blackhole Toolkit can be found on AVAST’s blog here.