[Plugin: Boxer] Please correct a security risk

  • marikamitsos

    (@marikamitsos)


    13 years ago

    Hello and thank you for an excellent plugin,
    We use Boxer v1.15
    Two days ago we received an email from our provider stating:

    This is a courtesy notice that we have found and corrected exploitable timthumb.php file on your account While we have corrected these files, we do recommend you ensure all potential exploits are corrected on your account. This is best done by updating all scripts, plugins, modules and themes on your account to the latest version.

    The timthumb.php file is a script commonly used in WordPress’s (and other software’s) themes and plugins to resize images. The exploit allows an attacker to arbitrarily upload and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser high-jacking and infection, data harvesting and more. After a site has been exploited, it may lead to becoming labeled a “Malicious Website” by Google or other security authorities.

    Any timthumb.php file below version 1.35, but above version 1.09 is considered vulnerable. To prevent being compromised, we advise you update all instances of timthumb.php to version 2.0, or patch the existing vulnerable files. Note that patching the files requires more in-depth knowledge of the PHP scripting language.

    The updated version of timthumb.php can be found here:

    https://timthumb.googlecode.com/svn/trunk/timthumb.php

    We have automatically patched the files for you:

    Additional information regarding the compromise can be found at the following two websites, as well as others; note that all external websites in this email are for your reference only.

    https://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
    https://redleg-redleg.blogspot.com/2011/08/malware-hosted-newportalsecom.html

    As stated above the risk is only temporarily fixed by patching the file.
    Can you please look into it and update your files?

    Thanks again for your excellent plugin and your time,
    marikamitsos

    https://www.ads-software.com/extend/plugins/boxer/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter marikamitsos

    (@marikamitsos)

    After closer examination I noticed that the timthump version you include in your Boxer v1.15 is timthump.php version 2.8.2
    So this should not compromise security.
    Could you please confirm that? In any other case I would have talk to our provider and ask them why the alert was sent.

    Thank you.

    Plugin Author Coding Our Web

    (@codingourweb)

    You are right. According to the statement you are not at risk

    Thread Starter marikamitsos

    (@marikamitsos)

    Thank you guys,
    Now I have to see what triggered our host providers for such an action.
    Thanks again. Great work. ??

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘[Plugin: Boxer] Please correct a security risk’ is closed to new replies.