Image Manipulation Script Vulnerabilities

Yesterday, Mark Maunder published a blog post making people aware of a vulnerability in the popular PHP image manipulation script TimThumb. Anyone who uses TimThumb should definitely read that article to make sure that the vulnerability gets patched. Almost a year ago, though, I posted (and I was far from the first) about a vulnerability in another extremely popular PHP image manipulation script: phpThumb.

WebShell Hack – An Update

A few weeks ago, I wrote about the fact that one of my websites was hacked and exploited by a script apparently known as “WebShell by oRB”. At the time, I was hoping that the issue had been fixed, but I quickly learned that it hadn’t. At least once each day, the hack re-appeared on our website in different ways through different files.

After a bit more research into the matter, I found that the issue seems to be related to a vulnerability in phpThumb, a widely-used PHP script that dynamically resizes and manipulates images. The vulnerability was identified as early as 5 years ago according to some reports. Unfortunately, the developers of phpThumb have yet to do anything about it.

Using TimThumb with WordPress MU

A few days ago, I saw a post on Smashing Magazine outlining ten tips to give your WordPress blog a little more personality. While most of the tips don’t really apply to the blogs on which I’m currently working, tip number two piqued my interest.

Tip number two explains how to display a list of “related posts” at the bottom of each post, and tells you how to add icons to each of those related posts. Unfortunately, when I attempted to implement the tip on one of my WordPress MU blogs, I found that it didn’t work for a few reasons.

  1. The tip uses a meta element called “post-img” which, as I’ve found since attempting to implement the tip, isn’t a standard WordPress element.
  2. TimThumb doesn’t work with WordPress MU out-of-the-box.

So, I set out trying to figure out how I should implement the tip. Following are the results of my tinkering.