Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
elialum
Forum User
Posts: 22
Joined: Fri Jun 17, 2011 10:56 am
Location: Israel

Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Unread post by elialum »

Hi,

http://seclists.org/fulldisclosure/2014/Jun/117

Is this something a modsec rule can handle?

Eli.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Unread post by mikeshinn »

Thanks for the question. Yes, a rule can stop this, and you're already protected if you use our rules. Our timthumb protection rules already stopped this, so no new rule was necessary. Our timthumb protection rules look for non-image uploads in the src arg, so this is already rejected.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Unread post by Imaging »

Mike:

On a related note, what is your take on running Wordpress as a CMS in production?

Assuming ASL is installed, is it reasonably secure? I'd assume so but was curious if you didn't recommend using it in general.

If not, do you have a preferred CMS?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Unread post by faris »

WP is OK as a CMS. At least it is easy for the end user to update, add pages and stuff. It is pretty heavy though and pages tend to be massively full of code, both HTML and JavaScript.

Oddly, on my systems, only two out of ten WP installations have a timthumb.php.
And please don't misread what that file says. webshots is not disabled by default. It is only disabled if not defined elsewhere, including via an argument. It is best to add a hard disable underneath the if(!defined...) line.

i.e. underneath

    if(! defined('WEBSHOT_ENABLED') )       define ('WEBSHOT_ENABLED', false);
add

    define ('WEBSHOT_ENABLED', false);
Please note that I don't know if this is the recommended/correct way. It is just the way I did it.
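As an added defender-side check (not from the thread or from TimThumb itself), a small POSIX shell audit that finds every timthumb.php under a document root and flags copies that still rely only on the guarded define quoted above. It assumes timthumb.php declares its version as define ('VERSION', '...') and treats an unguarded define ('WEBSHOT_ENABLED', false) line as a hard disable; the function names are mine.

```shell
#!/bin/sh
# Audit a document root for timthumb.php copies and report, one per line:
#   <path>  <version|unknown>  <hard-disabled|guard-only>
# "guard-only" means the only WEBSHOT_ENABLED=false define is the conditional
# if(!defined(...)) one, so a theme, plugin or wrapper that defines the
# constant first can still switch WebShot on.
audit_timthumb() {
    root=$1
    find "$root" -type f -name 'timthumb.php' 2>/dev/null | sort | while IFS= read -r f; do
        # Version line in timthumb.php looks like: define ('VERSION', '2.8.13');
        version=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
        [ -n "$version" ] || version=unknown
        # Keep only WEBSHOT_ENABLED=false defines that are NOT behind an if( guard
        if grep -E "define *\( *'WEBSHOT_ENABLED' *, *false *\)" "$f" \
             | grep -qvE '^[[:space:]]*if[[:space:]]*\('; then
            status=hard-disabled
        else
            status=guard-only
        fi
        printf '%s\t%s\t%s\n' "$f" "$version" "$status"
    done
}

# Exit 0 only if every timthumb.php under $1 carries a hard disable
timthumb_all_hardened() {
    ! audit_timthumb "$1" | grep -q 'guard-only$'
}
```

Even a hard define cannot override a value another file set earlier in the same request: PHP keeps the first definition and emits a warning on the second, so the audit result should be read together with whatever includes timthumb.php.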
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Unread post by mikeshinn »

Assuming ASL is installed, is it reasonably secure? I'd assume so but was curious if you didn't recommend using it in general.
You are correct. With ASL installed, WordPress is reasonably secure.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Unread post by Imaging »

Great, thanks for the comments about Wordpress.