Now, this could simply mean that the scripts used to automatically scan for TimThumb files have a difficult time distinguishing a URL path mentioned in a blog from an actual file. However, there was one Russian-based IP that seemed to try harder than others to find a vulnerability to exploit, and one file path in particular happened to catch my eye:
As you can see, the attacker was looking for a file by the name of picaPhotoResize.php, which is associated with the PICA Photo Gallery Plugin for WordPress (a plugin that is not installed on this site).
It turns out that the PICA Photo Gallery Plugin for WordPress suffers from not one, but two vulnerabilities that can be exploited to disclose sensitive information or upload malicious files.
These security flaws were discovered back in June of 2012, and there’s no indication that they were ever fixed – a disappointment considering this is a $50 plugin!
From Secunia Advisory SA49467:
1) Input passed to the “imgname” parameter in wp-content/plugins/pica-photo-gallery/picadownload.php is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.
2) An error due to the wp-content/plugins/pica-photo-gallery/picaPhotosResize.php script allowing the upload of files with arbitrary extensions to a folder inside the webroot can be exploited to execute arbitrary PHP code by uploading a malicious PHP script.
The above vulnerabilities were confirmed in PICA Photo Gallery version 1.0, but later versions may be affected. The latest version is 1.3 at the time of writing.
To protect their site, PICA Photo Gallery users are advised to:
- Edit the source code for picadownload.php to ensure that input is properly verified.
- Restrict access to the wp-content/plugins/pica-photo-gallery/picaPhotosResize.php script (e.g. via .htaccess).
Or just remove the plugin altogether.
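For readers who want to see what "properly verified" input and a hardened upload look like in practice, here is an added PHP example. It is not the plugin's code and not part of the original post; the function names, the `uploads` directory location and the use of WordPress's `current_user_can()` capability check are assumptions for illustration. The first function covers the traversal flaw in the download handler (resolve the name inside a fixed gallery directory and refuse anything that escapes it); the second covers the upload flaw (require an authorized user, allow only image extensions, confirm the content really is an image, and store under a random name).

```php
<?php
// Added example, not the PICA plugin's own code. Names and paths are assumed.

/**
 * Resolve $imgname to a file inside $baseDir, rejecting directory traversal.
 * Returns the absolute path on success, or null if the request is unsafe.
 */
function pica_safe_image_path(string $baseDir, string $imgname): ?string
{
    // Only a plain image file name is acceptable: no NUL bytes, no slashes,
    // no backslashes, no leading dot, and a known image extension.
    if ($imgname === '' || strpos($imgname, "\0") !== false) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*\.(jpe?g|png|gif)$/i', $imgname)) {
        return null;
    }
    if (strpos($imgname, '..') !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $imgname);

    // realpath() collapses symlinks and "..": the result must still sit inside
    // the gallery directory and be a regular file, or the request is refused.
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

/**
 * Validate one entry of $_FILES and move it into $destDir under a random name.
 * Returns the stored path, or null if the upload is rejected.
 */
function pica_validate_upload(array $file, string $destDir): ?string
{
    // Uploading must be restricted to users who are allowed to do so.
    if (!function_exists('current_user_can') || !current_user_can('upload_files')) {
        return null;
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Extension allowlist: the client-supplied name decides nothing else.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // The bytes must agree with the extension: MIME sniff plus image decode.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]
        || @getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // Random server-chosen name, so nothing about the original name survives.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Download dispatch for the "imgname" parameter. Every failure is a 404 so
// the response does not reveal which paths exist on the server.
$galleryDir = __DIR__ . '/uploads';   // assumed gallery location
$path = pica_safe_image_path($galleryDir, (string) ($_GET['imgname'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The two checks that do the real work are `realpath()` followed by the prefix comparison, which defeats `../` sequences and symlinks that the regex alone would not catch, and the server-chosen random file name, which removes the attacker's control over the stored extension. Restricting the upload script via .htaccess, as the advisory suggests, is still worthwhile as a second layer even with this validation in place.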
I’ve reached out to the developers of this plugin to find out if these vulnerabilities were ever addressed, and when users can expect a patch if not. I’ll update this post when I hear back. Until then, watch out for hack attempts!