WordPress blog security put at risk by third-party scripts

According to a report, thousands of WordPress installations are at risk of being compromised because of a critical vulnerability in a popular third-party image manipulation script called timthumb.

The affected image utility is not part of the main WordPress package, but is incorporated in many popular WordPress themes. The script consists of a single file called timthumb.php and facilitates on-the-fly image cropping, zooming and resizing.

Timthumb defines a default whitelist of remote domain names from which images may be fetched, which includes popular image hosting web sites such as Flickr.com, Picasa.com, Blogger.com, WordPress.com, Photobucket.com and others.

However, the script fails to validate these domain names properly, so it lets files be fetched from nasty hosts that include those strings in their URLs. For example, files from http://flickr.com.maliciousdomain.com are accepted because flickr.com is in the URL, even though it is not the actual domain name.
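As an added illustration (not TimThumb's own code), the substring-style check the article describes is shown beside a host-based whitelist check; the allow-list is a constructed subset of the hosts named above, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed subset of the image hosts the article names as whitelisted.
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "blogger.com",
                 "wordpress.com", "photobucket.com")


def weak_is_allowed(url: str) -> bool:
    """Substring check of the kind described above: any URL that merely
    *contains* a whitelisted name passes, so the article's
    http://flickr.com.maliciousdomain.com example is accepted."""
    lowered = url.lower()
    return any(host in lowered for host in ALLOWED_HOSTS)


def hardened_is_allowed(url: str) -> bool:
    """Parse the URL, take the actual hostname, and accept it only when it
    is exactly a whitelisted domain or a subdomain of one (for example
    farm1.static.flickr.com). Anything that is not plain http(s), carries
    embedded credentials, or has no host at all is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    return any(host == allowed or host.endswith("." + allowed)
               for allowed in ALLOWED_HOSTS)


if __name__ == "__main__":
    # Constructed sample URLs: the article's case plus a legitimate subdomain.
    samples = [
        "http://flickr.com.maliciousdomain.com/image.jpg",
        "http://farm1.static.flickr.com/image.jpg",
        "http://flickr.com/image.jpg",
    ]
    for sample in samples:
        print(f"{sample}\n  substring check: {weak_is_allowed(sample)}"
              f"  host check: {hardened_is_allowed(sample)}")
```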

Continue reading @theinquirer.net

Posted on Wednesday, August 3rd, 2011 | Under News, Security
