

Zero-day Wordpress exploit on the loose - Patch your themes immediately. - whackberry
http://zefonseca.com/blogs/zen/the-timthumb-php-vulnerability/

======
frankacter
Just for clarification, this is NOT a Wordpress exploit, this is an issue with
an external image resizing script timthumb.php which is used in many popular
themes.

~~~
whackberry
Of course, good clarification. "Wordpress" in the title means to call
attention that this plugin runs under Wordpress, so anyone running it should
check their filesystems for this file.

This...

find . -name timthumb.php

...should help.

~~~
nikcub
that won't do. the script has been renamed in a lot of themes it has been
included in. try something like:

    $ grep -rH "(strpos (strtolower ($url_info" /path/to/wordpress

if you are auditing PHP code, strpos is good to look out for, since it is
often misused, as in the case here. strpos will evaluate to true if the
needle is matched anywhere in the haystack, so things like:

    if(strpos(strtolower($username), 'admin'))

will match username 'test.admin' etc.

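An added example in PHP (not code from the thread or from TimThumb itself) of the pattern nikcub describes: a substring allowlist check built on strpos, beside a check that compares the parsed host against the allowlist. The allowed hosts and sample URLs are constructed, and str_ends_with assumes PHP 8.

```php
<?php
// Added example: substring allowlist (flawed) vs. parsed-host allowlist.
// Allowed hosts and sample URLs below are constructed for illustration.

$allowedHosts = ['flickr.com', 'picasa.com'];  // constructed allowlist

// Flawed: strpos() is truthy whenever the needle appears anywhere in the
// haystack, so any URL that merely contains an allowed name passes.
function isAllowedSubstring(string $url, array $allowedHosts): bool
{
    $url = strtolower($url);
    foreach ($allowedHosts as $host) {
        if (strpos($url, $host)) {   // position > 0 is truthy; no === false check
            return true;
        }
    }
    return false;
}

// Hardened: parse the URL, take only the host component and require an
// exact match (or a real subdomain) against the allowlist.
function isAllowedHost(string $url, array $allowedHosts): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                // no host component at all: reject
    }
    $host = strtolower($host);
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: only the first is really on an allowed host, yet the
// substring check accepts all three.
$samples = [
    'http://farm1.flickr.com/photo.jpg',
    'http://example.org/flickr.com/x.jpg',       // allowed name in the path
    'http://flickr.com.example.org/x.jpg',       // allowed name as a prefix
];
foreach ($samples as $url) {
    printf("%-40s substring=%s host=%s\n", $url,
        var_export(isAllowedSubstring($url, $allowedHosts), true),
        var_export(isAllowedHost($url, $allowedHosts), true));
}
```
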
~~~
whackberry
great tips. appreciate that, thanks for sharing.

