The vulnerability scanner should check whether the TimThumb version is the latest installed, and download and install the latest version, rather than use a static version.
Version 2.8 of TimThumb is just as insecure as anything older, it merely limits it to a few dozen domain name combinations, ripe for the taking of any half-capable domain squatter.
It would be nice if this software also changed the default for ALLOW_EXTERNAL from TRUE to FALSE, since that would alleviate the most common security issues with TimThumb.
While I haven’t reviewed the code changes myself, I trust the (many) people who have been involved in the work on timthumb since the vulnerability was discovered, and I trust when they say the vulnerability that has caused so many problems is solved in versions 2.0 and greater. I will, however, try to find some time to sit down and review the code to see if I can corroborate what you’re saying. I’d love more info on the particular vulnerability you’re referencing (half-capable domain squatters?), if you’ve got the time to share it (you can email me if you prefer – contact form on my site).
With that said, having the plugin download the latest version from google code isn’t a bad idea – I’ll give it some thought.
The goal of the plugin is not to make security decisions for people, it’s to make sure they’re aware of and have upgraded timthumb – so I’m not interested in switching default settings while upgrading.
The problem is publicly documented in issues 273 and 274 for TimThumb.
So it is. While the problem isn’t nearly the same magnitude that the original problem was (especially taking into account the extra security in how cached files are saved) it IS less than ideal. I’ll have the scanner update submitted by the end of the day. Thanks for alerting me to this!
Also, I think I read that by default, allow_external is now false, which solves your other concern.
I don’t, however, see a clear path for either of these problems to be used to actually gain access to a server, so implying that 2.7 is as insecure as ever is just not true (as far as I can tell). Can you theorize a hack that could get around the cache security settings in order to execute code on the server? I’d be interested to hear it.
Hi Peter. I noticed the latest update for the plug-in is 9/2/11, but your message above seemed to indicate that the plug-in would be updated 4-5 days ago?
I am about to suggest this plugin to help some folks get updated, but want to wait until it’s updated, if possible.
Thanks for your work!!!
From what I’ve been reading at code.google.com you need to have at least version 2.8.2 of TimThumb to have the fix from issue 274. It’s unfortunate that multiple revisions have the same version number but it looks like either of the 2.8.2 revisions (r187 and r188 as of 11/2/2011) would be better than any previous version. Do you have plans to update this plugin for catching & patching versions < 2.8.2?
Hey Guys –
Sorry, I got wrapped up last week, and didn’t get to this. I’m working on it now, and I anticipate having the update online by the end of the day tomorrow.
Bob – Yes, I’ll set it up to patch anything earlier than the most recently available version.
Hi Peter, that’s awesome! So, let’s say someone installs this plug-in, and then a year from now, runs it again. Will it say they are up-to-date? Or will it know that there has since been another version? Actually, I suspect the plug-in may be updated in the future, and they’d get an indication that the plug-in itself needs to be updated?
I realize these questions are confusing… I guess I’m trying to avoid having a WP user think they are secure, when they may not be, just because the plug-in is old and isn’t aware of any new versions or issues. Maybe that’s not possible (in which case I’ll advise people to install the plug-in, scan, update/fix, and then just uninstall the plug-in)
Hey Guys –
Sorry I was so late on this – it ended up being a bigger update than I expected, but I’m pretty excited about the result.
Sneader, to answer your questions:
The way the plugin works now (as of version 1.4) is that it sends out a request to find out what the latest version of timthumb is (it checks this every time you load up the scanner page, but no more than once a day). If, based on that updated information, you have out of date code on your site, you’ll be notified, and you can automatically update to the latest version, which will be downloaded from the code’s official home at google code.
I really wanted to get this out today, so hopefully I didn’t rush it too much – if you notice anything wrong, please let me know.
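The scan-compare-flag loop described in the post above, written out as an added, offline illustration (this is not the plugin's own code). It assumes TimThumb 2.x declares its version with `define ('VERSION', 'x.y.z');` and its remote-fetch setting with `define ('ALLOW_EXTERNAL', ...)`, and it takes the latest version as a parameter instead of fetching it from google code.

```python
"""Constructed TimThumb audit: find copies under a webroot, read their version, flag outdated ones."""
import os
import re
import tempfile

# Assumption: TimThumb 2.x declares its version and ALLOW_EXTERNAL via define() calls like these.
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]\s*\)""")
ALLOW_EXTERNAL_RE = re.compile(r"""define\s*\(\s*['"]ALLOW_EXTERNAL['"]\s*,\s*(true|false)\s*\)""", re.I)
CANDIDATE_NAMES = {"timthumb.php", "thumb.php"}  # common file names the library ships under

def parse_version(text):
    """'2.8.10' -> (2, 8, 10) so that tuple comparison orders versions numerically."""
    return tuple(int(part) for part in text.split("."))

def inspect_file(path, latest):
    """Return one finding: detected version, whether it trails `latest`, and the ALLOW_EXTERNAL value."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    m = VERSION_RE.search(src)
    version = m.group(1) if m else None
    a = ALLOW_EXTERNAL_RE.search(src)
    allow_external = a.group(1).lower() == "true" if a else None
    # An unparseable version is treated as outdated: the safe default for a scanner.
    outdated = version is None or parse_version(version) < parse_version(latest)
    return {"path": path, "version": version, "outdated": outdated, "allow_external": allow_external}

def scan_tree(root, latest):
    """Walk root (e.g. wp-content) and inspect every candidate file, as the scanner page does."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in CANDIDATE_NAMES:
                findings.append(inspect_file(os.path.join(dirpath, name), latest))
    return findings

def demo(latest="2.8.2"):
    """Build a constructed mini webroot with one old and one current copy, then scan it."""
    root = tempfile.mkdtemp()
    old_dir = os.path.join(root, "themes", "old-theme")
    new_dir = os.path.join(root, "plugins", "gallery")
    os.makedirs(old_dir)
    os.makedirs(new_dir)
    with open(os.path.join(old_dir, "timthumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '2.7');\ndefine ('ALLOW_EXTERNAL', TRUE);\n")
    with open(os.path.join(new_dir, "thumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '2.8.2');\ndefine ('ALLOW_EXTERNAL', false);\n")
    return sorted(scan_tree(root, latest), key=lambda f: f["path"])

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Reporting the ALLOW_EXTERNAL value alongside the version lets an administrator see both concerns raised earlier in the thread in one pass.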
Sweet, thanks Peter! I’ll install it on a few sites and let you know how it goes!
When I logged into WP, it notified me about the updated plug-in. (Cool!). When I did the automatic upgrade (which normally works fine for other plug-in upgrades), I received this event log & error:
Downloading update from http://downloads.wordpress.org/plugin/timthumb-vulnerability-scanner.zip…
Unpacking the update…
Installing the latest version…
Deactivating the plugin…
Removing the old version of the plugin…
Plugin updated successfully.
Reactivating the plugin…
Plugin failed to reactivate due to a fatal error.
Warning: include_once(class-cg-tvs-plugin.php) [function.include-once]: failed to open stream: No such file or directory in /home/cindscom/public_html/wp-content/plugins/timthumb-vulnerability-scanner/timthumb-vulnerability-scanner.php on line 11
Warning: include_once() [function.include]: Failed opening 'class-cg-tvs-plugin.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/cindscom/public_html/wp-content/plugins/timthumb-vulnerability-scanner/timthumb-vulnerability-scanner.php on line 11
That’s not good. I’ll see what I can find out.
My inexperience with SVN strikes again. Unfortunately, I managed to not add in a few files to the SVN repository. They’re in there now, in version 1.42 – but that might not update on wordpress.org for a few minutes (or maybe a few hours).
Thanks so much for pointing this out to me – who knows how long I would have gone before realizing.
Cool — I’ll watch for the update and when I see it I’ll give it a shot on a variety of sites (those that haven’t had the plug in before, those that have it, but need the update, and the one that errored out) and let you know how it goes!
Only seen the 1.42 on one of my sites so far, and the upgrade and scan went without a hitch. More to come…
The topic ‘[Plugin: Timthumb Vulnerability Scanner] Does not use latest timthumb.php to "fix" problem’ is closed to new replies.