4 comments

[ 3.3 ms ] story [ 30.5 ms ] thread
Just for clarification, this is NOT a Wordpress exploit, this is an issue with an external image resizing script timthumb.php which is used in many popular themes.
Of course, good clarification. "Wordpress" in the title means to call attention that this plugin runs under Wordpress, so anyone running it should check their filesystems for this file.

This...

find . -name timthumb.php

...should help.

that won't do. the script has been renamed in a lot of themes it has been included in. try something like:

    $ grep -rH "(strpos (strtolower ($url_info" /path/to/wordpress
if you are auditing PHP code, strpos is good to look out for, since it is often misused such as the case here. strpos will evaluate to true is the needle is match anywhere in the haystack, so things like:

    if(strpos(strtolower($username), 'admin'))
will match username 'test.admin' etc.
great tips. appreciate that, thanks for sharing.