Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Posted: Thu Jun 26, 2014 2:46 am
by elialum
Hi,

http://seclists.org/fulldisclosure/2014/Jun/117

Is this something a modsec rule can handle ?

Eli.

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Posted: Thu Jun 26, 2014 2:12 pm
by mikeshinn
Thanks for the question. Yes, a rule can stop this, and you're already protected if you use our rules. Our timthumb protection rules already stopped this, so no new rule was necessary. Our timthumb protection rules look for non-image uploads in the src arg, so this is already rejected.
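As an added illustration of the kind of check Mike describes (a rule that rejects a request whose src argument does not point at an image), here is a small Python script run over a few constructed request lines. It is not the vendor's rule and not code from this thread; the image extension list, the sample request lines and the function names are assumptions made for the example.

```python
"""Toy WAF-style check for a TimThumb-style `src` parameter.

Constructed example (not the vendor's rule): a request is blocked when its
`src` argument does not name an image file, which is the behaviour the
thread attributes to the protection rules.
"""
import posixpath
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed list of extensions treated as images; anything else in `src` is rejected.
IMAGE_EXTENSIONS = frozenset({".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"})


def extract_src(query_string: str) -> List[str]:
    """Return every `src` value in the query string, URL-decoded once."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("src", [])


def src_points_at_image(src: str) -> bool:
    """True when the URL *path* of `src` ends with an image extension.

    Only the path is inspected, so a query string or fragment inside the
    src URL (e.g. `http://host/x.php?fake=.jpg`) cannot disguise a script.
    """
    path = urlsplit(src.strip()).path
    # posixpath.splitext splits on '/'-separated paths regardless of host OS
    _, ext = posixpath.splitext(path)
    return ext.lower() in IMAGE_EXTENSIONS


def check_request(query_string: str) -> Tuple[str, str]:
    """Classify one request's query string as ("allow", why) or ("block", why).

    A request with no `src` parameter is outside this rule and passes it.
    """
    srcs = extract_src(query_string)
    if not srcs:
        return ("allow", "no src parameter")
    for src in srcs:
        if not src_points_at_image(src):
            return ("block", f"non-image src: {src!r}")
    return ("allow", "src is an image path")


def check_request_line(line: str) -> Tuple[str, str]:
    """Apply check_request to a 'METHOD /path?query HTTP/x' request line."""
    parts = line.split()
    target = parts[1] if len(parts) > 1 else ""
    query = target.partition("?")[2]
    return check_request(query)


# Constructed sample request lines, not captured traffic.
SAMPLE_LINES = [
    "GET /wp-content/themes/t/timthumb.php?src=http://example.com/photo.jpg&w=100 HTTP/1.1",
    "GET /wp-content/themes/t/timthumb.php?src=http%3A%2F%2Fexample.com%2Fpic.PNG HTTP/1.1",
    "GET /wp-content/themes/t/timthumb.php?src=http://example.com/cmd.php&webshot=1 HTTP/1.1",
    "GET /wp-content/themes/t/timthumb.php?src=http://example.com/x.php?f=.jpg HTTP/1.1",
    "GET /wp-content/themes/t/timthumb.php?w=100 HTTP/1.1",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        verdict, why = check_request_line(sample)
        print(f"{verdict:5}  {why}")
```

The design choice worth noting is that the verdict is based on the decoded path component of src rather than on a substring search, so a `.jpg` placed in the src URL's own query string does not count as an image.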

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Posted: Thu Jun 26, 2014 5:53 pm
by Imaging
Mike:

On a related note, what is your take on running Wordpress as a CMS in production?

Assuming ASL is installed, is it reasonably secure? I'd assume so but was curious if you didn't recommend using it in general.

If not, do you have a preferred CMS?

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Posted: Fri Jun 27, 2014 7:00 am
by faris
WP is OK as a CMS. At least it is easy for the end user to update, add pages and stuff. It is pretty heavy though and pages tend to be massively full of code, both HTML and JavaScript.

Oddly, on my systems, only two out of ten WP installations have a timthumb.php.
And please don't misread what that file says. Webshots is not disabled by default. It is only disabled if not defined elsewhere, including via an argument. It is best to add a hard disable underneath the if(!defined...) line.

i.e. underneath

if(! defined('WEBSHOT_ENABLED') )       define ('WEBSHOT_ENABLED', false);

add

define ('WEBSHOT_ENABLED', false);
Please note that I don't know if this is the recommended/correct way. It is just the way I did it.

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Posted: Fri Jun 27, 2014 9:55 am
by mikeshinn
Assuming ASL is installed, is it reasonably secure? I'd assume so but was curious if you didn't recommend using it in general.
You are correct. With ASL installed, WordPress is reasonably secure.

Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution

Posted: Fri Jun 27, 2014 1:09 pm
by Imaging
Great, thanks for the comments about Wordpress.