Mark Maunder, CEO of Seattle-based technology firm Feedjit, discovered the flaw after his own blog was hacked to load advertising content, Maunder wrote in a blog post Monday. He ended up tracing the issue back to TimThumb, which he uses on his blog.
The utility, a PHP script employed for image cropping, zooming and resizing web images, “is inherently insecure because it relies on being able to write files into a directory that is accessible by people visiting your website,” Maunder said. “That's never a good idea.”
As a result of the flaw, an attacker could upload files and execute code on an affected site without the owner's permission.
The latest version of the utility, TimThumb 1.33, is affected by the issue. Its developer, Ben Gillbanks, is working on a fix after his own site also was hacked using the same method, Maunder said.
He provided instructions for disabling the utility's ability to load images from external sites, which is one way to resolve the issue.