Hi,
http://seclists.org/fulldisclosure/2014/Jun/117
Is this something a modsec rule can handle?
Eli.
Wordpress TimThumb 2.8.13 WebShot Remote Code Execution
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution
Thanks for the question. Yes, a rule can stop this, and you're already protected if you use our rules. Our timthumb protection rules already stopped this, so no new rule was necessary. Our timthumb protection rules look for non-image uploads in the src arg, so this is already rejected.
Michael Shinn
Atomicorp - Security For Everyone
Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution
Mike:
On a related note, what is your take on running Wordpress as a CMS in production?
Assuming ASL is installed, is it reasonably secure? I'd assume so but was curious if you didn't recommend using it in general.
If not, do you have a preferred CMS?
Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution
WP is OK as a CMS. At least it is easy for the end user to update, add pages and stuff. It is pretty heavy though and pages tend to be massively full of code, both HTML and JavaScript.
Oddly, on my systems, only two out of ten WP installations have a timthumb.php
And please don't misread what that file says. webshots is not disabled by default. It is only disabled if not defined elsewhere, including via an argument. It is best to add a hard disable underneath the if(!defined...) line.
i.e. underneath
    if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);
add
    define ('WEBSHOT_ENABLED', false);
Please note that I don't know if this is the recommended/correct way. It is just the way I did it.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
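An audit helper for the hard-disable step described in the post above, added here as an example and not code from this thread or from TimThumb itself: it walks a web root, finds each timthumb.php and reports whether WEBSHOT_ENABLED is left at the shipped conditional default, hard-defined to false, or defined true anywhere. The file name to look for and the sample file contents are assumptions (constructed for the example); the caveat in the code is that PHP constants cannot be redefined, so a define to true that runs first (in the file or an included config) stays in effect regardless of later defines.

```python
import os
import re

# define('WEBSHOT_ENABLED', true|false), any quoting or spacing style
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*(true|false)\s*\)""", re.I)
# the guard TimThumb 2.8.13 ships: if(! defined('WEBSHOT_ENABLED') ) define(...)
GUARD_RE = re.compile(
    r"""if\s*\(\s*!\s*defined\s*\(\s*['"]WEBSHOT_ENABLED['"]""", re.I)

# constructed sample: the shipped guard line followed by the hard disable
SAMPLE = ("<?php\n"
          "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);\n"
          "define ('WEBSHOT_ENABLED', false);\n")


def classify_webshot(php_source):
    """Return 'enabled' (some define sets it true), 'hard-disabled' (an
    unconditional define(..., false)), 'conditional-only' (only the shipped
    if(!defined(...)) default) or 'undefined' (no define at all)."""
    states = set()
    for line in php_source.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # commented-out defines are not in effect
        match = DEFINE_RE.search(stripped)
        if match and match.group(1).lower() == "true":
            states.add("enabled")
        elif match and GUARD_RE.search(stripped):
            states.add("conditional-only")
        elif match:
            states.add("hard-disabled")
    # PHP constants cannot be redefined, so a define(..., true) anywhere wins
    for state in ("enabled", "hard-disabled", "conditional-only"):
        if state in states:
            return state
    return "undefined"


def audit_timthumb(webroot, names=("timthumb.php",)):
    """Walk webroot and classify every TimThumb copy found: {path: state}."""
    results = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() in names:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = classify_webshot(fh.read())
    return results
```

Run audit_timthumb() against each site's document root and treat anything other than "hard-disabled" or "undefined" as a file to review.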
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution
> Assuming ASL is installed, is it reasonably secure? I'd assume so but was curious if you didn't recommend using it in general.
You are correct. With ASL installed, WordPress is reasonably secure.
Michael Shinn
Atomicorp - Security For Everyone
Re: Wordpress TimThumb 2.8.13 WebShot Remote Code Execution
Great, thanks for the comments about Wordpress.