An attacker could inject malware and take down websites that have TimThumb's WebShot feature enabled.

A zero-day remote code execution (RCE) vulnerability has been discovered in the “WebShot” feature of TimThumb, an image resizing utility commonly used on blogging platform WordPress, according to security company Sucuri.

TimThumb is a very simple and flexible PHP script used to resize images, Daniel Cid, CTO of Sucuri, told SCMagazine.com in a Thursday email correspondence, adding that he observed a few hundred thousand websites using it back in 2011, when a separate vulnerability was discovered.  

“Because [TimThumb] is so simple and easy to use, it is widely used by website owners, especially on WordPress themes and plug-ins,” Cid said. “The WebShot is a hidden feature on TimThumb that allows it to take screenshots of websites, instead of resizing images.”

Exploiting the flaw could enable an attacker to execute a multitude of commands on a vulnerable website, without authentication, Cid said, explaining that the attacker could inject spam or malware, deface the website, or simply take it down.

“An attacker can take advantage of this vulnerability directly from their browser,” Cid said, pointing to a Tuesday post for more technical information. “It is very simple to trigger and all it takes is to pass a shell (linux) command instead of the URL to take the WebShot.”

Mitigating the vulnerability is as simple as deactivating the WebShot feature, Cid said, adding that while it comes disabled by default, some themes and plug-ins can enable it automatically.

Cid also suggested adding a simple line to the top of the TimThumb file – define('WEBSHOT_ENABLED', false); – for further protection against the bug.
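Because themes and plug-ins can switch WebShot on from their own files, checking a single timthumb.php is not enough. The following Python triage script is an added example, not code from the article, Sucuri or the TimThumb project: it walks a WordPress tree, picks out TimThumb-related PHP files and reports whether WebShot is enabled in each. It assumes TimThumb's usual guarded configuration line (if(!defined(...)) define(...)), and the sample theme and plugin files are constructed.

```python
"""Triage helper: find TimThumb copies under a WordPress tree and report WebShot state."""
import os
import re

# define('WEBSHOT_ENABLED', true|false) in either quote style, any spacing or case.
DEFINE_RE = re.compile(
    r"define\s*\(\s*['\"]WEBSHOT_ENABLED['\"]\s*,\s*(true|false)\s*\)", re.I)

def webshot_status(php_source):
    """Return 'enabled', 'disabled' or 'default' (no define found) for one PHP file.
    PHP keeps the first value a constant receives, so the first define() met
    top-to-bottom is taken as effective; TimThumb's own line is guarded by
    if(!defined(...)), which is why the hardening line belongs at the very top.
    Control flow is ignored, so treat the result as a triage signal, not proof."""
    match = DEFINE_RE.search(php_source)
    if match is None:
        return "default"  # inherits whatever the shipped timthumb.php sets
    return "enabled" if match.group(1).lower() == "true" else "disabled"

def scan_sources(sources):
    """Map path -> status for files named *timthumb* or mentioning WEBSHOT_ENABLED.
    Themes that turn the feature on do so from their own files (e.g. functions.php)
    before including timthumb.php, so those files must be inspected too."""
    return {path: webshot_status(text) for path, text in sources.items()
            if "timthumb" in os.path.basename(path).lower() or "WEBSHOT_ENABLED" in text}

def scan_tree(root):
    """Read every .php file under `root` (e.g. wp-content) and classify it."""
    sources = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[full] = fh.read()
    return scan_sources(sources)

# Constructed sample files (hypothetical theme/plugin names): stock TimThumb, a copy
# hardened with the article's define() line, and a theme that enables WebShot itself.
SAMPLE_TREE = {
    "themes/alpha/timthumb.php":
        "<?php\nif(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);\n",
    "plugins/beta/timthumb.php":
        "<?php\ndefine('WEBSHOT_ENABLED', false);\n"
        "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);\n",
    "themes/gamma/functions.php":
        "<?php\ndefine(\"WEBSHOT_ENABLED\", true);\nrequire 'timthumb.php';\n",
    "themes/gamma/style.css": "/* not PHP, ignored */\n",
}
```

Run scan_sources(SAMPLE_TREE) to see the constructed cases, or scan_tree("wp-content") against a real install; any path reported as "enabled" is a candidate for the define('WEBSHOT_ENABLED', false) line above.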

Back in 2011, a flaw affecting TimThumb was being exploited by attackers to upload files and execute code on vulnerable websites, also without authentication. Disabling the utility's ability to load images from external sites was one way to resolve the issue.