WordPress.org

Timthumb Vulnerability Scanner
Does not use latest timthumb.php to "fix" problem (24 posts)

  1. frettled
    Member
    Posted 2 years ago

    The vulnerability scanner should check whether the TimThumb version is the latest installed, and download and install the latest version, rather than use a static version.

    Version 2.8 of TimThumb is just as insecure as anything older, it merely limits it to a few dozen domain name combinations, ripe for the taking of any half-capable domain squatter.

    It would be nice if this software also changed the default for ALLOW_EXTERNAL from TRUE to FALSE, since that would alleviate the most common security issues with TimThumb.

    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

  2. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    While I haven't reviewed the code changes myself, I trust the (many) people who have been involved in the work on timthumb since the vulnerability was discovered, and I trust when they say the vulnerability that has caused so many problems is solved in versions 2.0 and greater. I will, however, try to find some time to sit down and review the code to see if I can corroborate what you're saying. I'd love more info on the particular vulnerability you're referencing (half-capable domain squatters?), if you've got the time to share it (you can email me if you prefer - contact form on my site).

    With that said, having the plugin download the latest version from google code isn't a bad idea - I'll give it some thought.

    The goal of the plugin is not to make security decisions for people, it's to make sure they're aware of and have upgraded timthumb - so I'm not interested in switching default settings while upgrading.

  3. frettled
    Member
    Posted 2 years ago

    The problem is publicly documented in issues 273 and 274 for TimThumb.

    (Issue list)

  4. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    So it is. While the problem isn't nearly the same magnitude that the original problem was (especially taking into account the extra security in how cached files are saved) it IS less than ideal. I'll have the scanner update submitted by the end of the day. Thanks for alerting me to this!

    Also, I think I read that by default, allow_external is now false, which solves your other concern.

    I don't, however, see a clear path for either of these problems to be used to actually gain access to a server, so implying that 2.7 is as insecure as ever is just not true (as far as I can tell). Can you theorize a hack that could get around the cache security settings in order to execute code on the server? I'd be interested to hear it.

    Thanks again!

  5. sneader
    Member
    Posted 2 years ago

    Hi Peter. I noticed the latest update for the plug-in is 9/2/11, but your message above seemed to indicate that the plug-in would be updated 4-5 days ago?

    I am about to suggest this plugin to help some folks get updated, but want to wait until it's updated, if possible.

    Thanks for your work!!!

  6. Bob
    Member
    Posted 2 years ago

    From what I've been reading at code.google.com you need to have at least version 2.8.2 of TimThumb to have the fix from issue 274. It's unfortunate that multiple revisions have the same version number but it looks like either of the 2.8.2 revisions (r187 and r188 as of 11/2/2011) would be better than any previous version. Do you have plans to update this plugin for catching & patching versions < 2.8.2?

  7. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    Hey Guys -

    Sorry, I got wrapped up last week, and didn't get to this. I'm working on it now, and I anticipate having the update online by the end of the day tomorrow.

    Bob - Yes, I'll set it up to patch anything earlier than the most recently available version.

  8. sneader
    Member
    Posted 2 years ago

    Hi Peter, that's awesome! So, let's say someone installs this plug-in, and then a year from now, runs it again. Will it say they are up-to-date? Or will it know that there has since been another version? Actually, I suspect the plug-in may be updated in the future, and they'd get an indication that the plug-in itself needs to be updated?

    I realize these questions are confusing... I guess I'm trying to avoid having a WP user think they are secure, when they may not be, just because the plug-in is old and isn't aware of any new versions or issues. Maybe that's not possible (in which case I'll advise people to install the plug-in, scan, update/fix, and then just uninstall the plug-in)

    Thanks again!

    - Scott

  9. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    Hey Guys -

    Sorry I was so late on this - it ended up being a bigger update than I expected, but I'm pretty excited about the result.

    Sneader, to answer your questions:
    The way the plugin works now (as of version 1.4) is that it sends out a request to find out what the latest version of timthumb is (it checks this every time you load up the scanner page, but no more than once a day). If, based on that updated information, you have out of date code on your site, you'll be notified, and you can automatically update to the latest version, which will be downloaded from the code's official home at google code.

    I really wanted to get this out today, so hopefully I didn't rush it too much - if you notice anything wrong, please let me know.

    Thanks!

  10. sneader
    Member
    Posted 2 years ago

    Sweet, thanks Peter! I'll install it on a few sites and let you know how it goes!

  11. sneader
    Member
    Posted 2 years ago

    When I logged into WP, it notified me about the updated plug-in. (Cool!). When I did the automatic upgrade (which normally works fine for other plug-in upgrades), I received this event log & error:

    Downloading update from http://downloads.wordpress.org/plugin/timthumb-vulnerability-scanner.zip…

    Unpacking the update…

    Installing the latest version…

    Deactivating the plugin…

    Removing the old version of the plugin…

    Plugin updated successfully.

    Reactivating the plugin…

    Plugin failed to reactivate due to a fatal error.

    Warning: include_once(class-cg-tvs-plugin.php) [function.include-once]: failed to open stream: No such file or directory in /home/cindscom/public_html/wp-content/plugins/timthumb-vulnerability-scanner/timthumb-vulnerability-scanner.php on line 11

    Warning: include_once() [function.include]: Failed opening 'class-cg-tvs-plugin.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/cindscom/public_html/wp-content/plugins/timthumb-vulnerability-scanner/timthumb-vulnerability-scanner.php on line 11

  12. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    That's not good. I'll see what I can find out.

  13. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    My inexperience with SVN strikes again. Unfortunately, I managed to not add in a few files to the SVN repository. They're in there now, in version 1.42 - but that might not update on wordpress.org for a few minutes (or maybe a few hours).

    Thanks so much for pointing this out to me - who knows how long I would have gone before realizing.

  14. sneader
    Member
    Posted 2 years ago

    Cool -- I'll watch for the update and when I see it I'll give it a shot on a variety of sites (those that haven't had the plug in before, those that have it, but need the update, and the one that errored out) and let you know how it goes!

    - Scott

  15. sneader
    Member
    Posted 2 years ago

    Only seen the 1.42 on one of my sites so far, and the upgrade and scan went without a hitch. More to come...

  16. sneader
    Member
    Posted 2 years ago

    It's working beautifully, Peter, in all scenarios I've come up with so far!!! Thanks!!

    - Scott

  17. sneader
    Member
    Posted 2 years ago

    Peter, ran into my first snag since using 1.42. I installed it on a site that's never had the scanner before. Look at these weird results... shows I have two old versions, but it says they are "up to date"? Also, it says the latest version is " " -- I am guessing that is the problem... it had some issue with fetching the latest version?

    Scan Results

    The latest version of the Timthumb script is . The oldest safe version is version . Last scan run 1 min ago.

    Status Version Filename Full Path
    Up to Date 1.12 thumbnail.php /home/exampleu/public_html/example.com/wp-content/themes/headway-166/library/resources/timthumb/thumbnail.php
    Up to Date 1.09 timthumb.php /home/exampleu/public_html/example.com/wp-content/themes/comet.1.3.0/comet/scripts/timthumb.php

  18. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    Hey Sneader -

    First of all, thanks for all the help - it's hugely appreciated.

    As for your issue: The plugin has to go out and check for the latest plugin version, and it looks like my error checking logic is less than stellar if something happens (i.e. for whatever reason, the request doesn't work). I've got a fix in the works that should ensure you never end up in your situation (empty "latest version" and "safe version" values), but in the meantime, try deactivating and reactivating the plugin. That should clear your data and then request those values again (on reactivation) - so, assuming the reason the request didn't work last time is not persistent, you should get good data.

    I should have an update out that does a better job of handling this tomorrow sometime.

    Thanks!
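
The scanner flow described in post 9 (fetch the latest version, compare each found copy against it) and the failure mode in post 18 (an empty "latest version" silently reported old copies as "Up to Date"), as an added Python model that is not the plugin's own PHP code. The function names, the sample file list and the shape of the naive comparison are assumptions for illustration; only the 2.8.2 threshold and the 1.12/1.09 versions come from the thread.

```python
# Added example, not the plugin's own code: a Python model of the scanner logic
# described in the thread. Names (parse_version, classify_naive, classify_safe,
# cached_latest, scan) and the sample file list are constructed for illustration.
from typing import Callable, Dict, List, Optional, Tuple

OLDEST_SAFE = "2.8.2"  # first release the thread identifies as carrying the issue 274 fix

def parse_version(text: Optional[str]) -> Optional[Tuple[int, ...]]:
    """'2.8.2' -> (2, 8, 2); '1.12' -> (1, 12); empty or malformed -> None."""
    if not text or not text.strip():
        return None
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None

def classify_naive(found: str, latest: str) -> str:
    # Assumed shape of the fail-open bug: a plain comparison with no check that the
    # remote lookup succeeded. An empty `latest` sorts below every real version,
    # so 1.12 and 1.09 both come back "Up to Date".
    return "Up to Date" if found >= latest else "Vulnerable"

def classify_safe(found: str, latest: Optional[str]) -> str:
    # Fail closed: an unfetched "latest" yields an explicit unknown, never a pass.
    found_v, latest_v, safe_v = parse_version(found), parse_version(latest), parse_version(OLDEST_SAFE)
    if found_v is None:
        return "Unknown version"
    if latest_v is None:
        return "Unknown (latest version not fetched)"
    if found_v < safe_v:
        return "Vulnerable"
    if found_v < latest_v:
        return "Out of Date"
    return "Up to Date"

def cached_latest(cache: Dict[str, str], fetch: Callable[[], str]) -> Optional[str]:
    # Only a parseable response is stored, so a failed lookup is retried on the next
    # page load instead of being cached for a day (the deactivate/reactivate workaround
    # in the thread clears exactly this kind of stale empty value).
    value = fetch()
    if parse_version(value) is not None:
        cache["latest"] = value
    return cache.get("latest")

def scan(files: List[Tuple[str, str]], latest: Optional[str]) -> List[Tuple[str, str, str]]:
    # One (filename, version, status) row per found copy, using the fail-closed check.
    return [(path, ver, classify_safe(ver, latest)) for path, ver in files]
```

Running `scan([("thumbnail.php", "1.12"), ("timthumb.php", "1.09")], "")` returns explicit "Unknown" rows, while the same call with `"2.8.2"` flags both copies as Vulnerable.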

  19. sneader
    Member
    Posted 2 years ago

    Bingo -- you are right! Deactivate/Activate made it see that the latest version is 2.8.2! Thanks!!

  20. sneader
    Member
    Posted 2 years ago

    Hi Peter. I am being offered the 1.4.3, but even after upgrading, when I scan on this one particular WP install, it still shows my two old Timthumb installs (v 1.12 and v1.09) as "Up to Date". Thoughts?

    This is a small, non-critical WP install -- if it would help you to be able to log in and look for yourself, I'd be happy to let you in.

  21. sneader
    Member
    Posted 2 years ago

    I deactivated 1.43, then reactivated, and it now sees that these are old and vulnerable.

  22. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    Hey Sneader - On the site that had the problem most recently - did you upgrade to 1.42, have the problem, and then upgrade to 1.43, and continue seeing it until deactivating/reactivating?

  23. sneader
    Member
    Posted 2 years ago

    Yes. I'm going to try some more, but I have a feeling it was a left-over issue from trying the various upgrades... I bet folks that start with 1.43 aren't going to see this.

  24. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago

    I'm guessing (hoping) that's the case, as I'm running out of ideas for how that could happen. Still - keep me updated if you run into the issue (or any other issue) - it's a big help to me.

    Thanks!

Topic Closed

This topic has been closed to new replies.