Timthumb Vulnerability Scanner - Version 1.42

Release Info

Developer peterebutler
Version 1.42

Code changes from version 1.41 to 1.42

cg-tvs-admin-panel-display.php ADDED
@@ -0,0 +1,121 @@
1
+ <div class="wrap">
2
+ <h2>Timthumb Scanner</h2>
3
+ <div style="width:65%;float:left">
4
+ <div class="postbox metabox-holder" >
5
+ <h3 class="hndle">1. Scan</h3>
6
+ <form action="" method="post">
7
+ <input type="hidden" name="cg-tvs-action" value="scan">
8
+ <div class="inside">
9
+ <p>When you click "Scan", we'll scan all of the php in your wp-content directory looking for the timthumb script. We'll check the version of every found file to see if the file is outdated or unsafe. Outdated or unsafe files can be 1 click updated to the latest version.</p>
10
+ <p style="text-align:center;padding-top:15px;"><input type="submit" class="button-primary" value="Scan!"></p>
11
+ </div>
12
+ </form>
13
+ </div>
14
+ <h3>Scan Results</h3>
15
+ <?php if($this->last_scan == 0): ?>
16
+ <p>It doesn't look like you've run a scan yet. Click the "Scan!" button above to get started.</p>
17
+ <?php else: ?>
18
+ <p>The latest version of the Timthumb script is <strong><?php echo $this->script_latest_version; ?></strong>. The oldest safe version is version <strong><?php echo $this->script_safe_version; ?></strong>. Last scan run <?php echo human_time_diff($this->last_scan) ?> ago.</p>
19
+ <form action="" method="post">
20
+ <input type="hidden" name="cg-tvs-action" value="fix">
21
+ <?php wp_nonce_field( 'fix_timthumb_files'); ?>
22
+ <table class="widefat">
23
+ <thead>
24
+ <tr>
25
+ <th class="manage-column column-cb check-column" id="cb"><input type="checkbox"></th>
26
+ <th>Status</th>
27
+ <th>Version</th>
28
+ <th>Filename</th>
29
+ <th>Full Path</th>
30
+ </tr>
31
+ </thead>
32
+ <?php if(empty($this->script_instances)): ?>
33
+ <tr>
34
+ <td colspan="5" style="text-align:center"><strong style="color:forestgreen">No instances of timthumb were found on your server.</strong></td>
35
+ </tr>
36
+ <?php else: ?>
37
+ <?php foreach($this->script_instances as $key=>$instance): ?>
38
+ <tr class="<?php if($alternate > 0){ echo 'alternate'; $alternate = -1; }else{ $alternate = 1; } ?>">
39
+ <?php if($this->get_version_status($instance['version']) == 'Up to Date'): ?>
40
+ <th scope="row" class="check-column">&nbsp;</th>
41
+ <?php else: ?>
42
+ <th scope="row" class="check-column"><input type="checkbox" name="fix[]" value="<?php echo $key; ?>"></td>
43
+ <?php endif; ?>
44
+ <td><?php echo $this->display_version_status($instance['version']); ?></td>
45
+ <td><?php echo $instance['version']; ?></td>
46
+ <td><?php echo basename($instance['path']); ?></td>
47
+ <td><?php echo $instance['path']; ?></td>
48
+ </tr>
49
+ <?php endforeach; ?>
50
+ <?php endif; ?>
51
+ </table>
52
+ <p>
53
+ <input type="submit" class="button-primary" value="Upgrade Selected Files">
54
+ </p>
55
+ </form>
56
+ <?php endif; ?>
57
+
58
+ <?php if(!empty($this->suspicious_files)): ?>
59
+ <h3 style="color:#ff0000">Suspicious Files</h3>
60
+ <p>These files likely indicate that hackers have <strong>already</strong> compromised your system. They should be deleted. Please note: No files listed here does <strong>NOT</strong> guarantee you haven't already been compromised, but files listed here almost certainly means you have.</p>
61
+ <p>If your server has been compromised, your best bet is to hire a professional to clean your site up (<a href="http://codegarage.com/hack-cleanup">Click here for more info</a> - even if all you want is a little advice).</p>
62
+ <table class="widefat">
63
+ <thead>
64
+ <tr>
65
+ <th>Filename</th>
66
+ <th>Full Path</th>
67
+ </tr>
68
+ </thead>
69
+ <?php foreach($this->suspicious_files as $key=>$file): ?>
70
+ <tr class="<?php if($alternate > 0){ echo 'alternate'; $alternate = -1; }else{ $alternate = 1; } ?>">
71
+ <td><?php echo basename($file); ?></td>
72
+ <td><?php echo $file; ?></td>
73
+ </tr>
74
+ <?php endforeach; ?>
75
+ </table>
76
+ <?php if(empty($this->suspicious_files)): ?>
77
+ <p><strong>Worried that you're already hacked?</strong> <a href="http://codegarage.com/hack-cleanup">Get in touch with me</a>.</p>
78
+ <?php endif; ?>
79
+ <?php endif; ?>
80
+
81
+ </div>
82
+ <div style="float:right;width:33%;">
83
+ <div class="postbox metabox-holder" style="padding-top:0px">
84
+ <h3 class="hndle" style="text-align:center"><a href="http://codegarage.com/"><img src="<?php echo WP_PLUGIN_URL; ?>/<?php echo basename( dirname( __FILE__ ) ); ?>/locker_logo.png"></a></h3>
85
+ <div class="inside">
86
+ <p><strong>Tired of worrying about your WordPress sites?</strong></p>
87
+ <p><a href="http://codegarage.com" target="_blank" >Locker</a> from <a href="http://codegarage.com/" target="_blank" >Code Garage</a> provides rock solid daily backups and hack monitoring and cleanup (for malicious code and vulnerabilities like this one), as well as personal, one on one support when you need it. Plans start at $15/month for 10 sites.</p>
88
+ <p style="text-align:center;padding-top:15px;"><a href="http://codegarage.com/" target="_blank" class="button-primary">Click here to learn more</a></p>
89
+ </div>
90
+ </div>
91
+
92
+ <div class="postbox metabox-holder" style="padding-top:0px">
93
+ <h3 class="hndle" >CodeGarage Security Newsletter</h3>
94
+ <div class="inside">
95
+ <p>Stay up to date on best practices and stay ahead of new vulnerabilities that could threaten your site.</p>
96
+ <!-- Begin MailChimp Signup Form -->
97
+ <style type="text/css">
98
+ #mce-EMAIL{background:#fff;
99
+ border:1px solid #ccc;
100
+ padding:5px;
101
+ font-size:14px;
102
+ width:90%;
103
+ margin-bottom:10px; }
104
+ /* Add your own MailChimp form style overrides in your site stylesheet or in this style block.
105
+ We recommend moving this block and the preceding CSS link to the HEAD of your HTML file. */
106
+ </style>
107
+ <div id="mc_embed_signup">
108
+ <form action="http://codegarage.us1.list-manage1.com/subscribe/post?u=18eaf7659266bae84144eef88&amp;id=0029c09237" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" class="validate" target="_blank">
109
+ <label for="mce-EMAIL"></label>
110
+ <div style="text-align:center;margin-bottom:15px;">
111
+ <input type="email" value="" name="EMAIL" class="email" id="mce-EMAIL" placeholder="email address" required>
112
+ <input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button-secondary">
113
+ </div>
114
+ </form>
115
+ <!--End mc_embed_signup-->
116
+ </div>
117
+ </div>
118
+ </div>
119
+ </div>
120
+ </div>
121
+
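Review bot: The results tables print scanner output without escaping, for example `<?php echo $instance['path']; ?>` on line 47, and the same holds for the version cell on line 45 and the suspicious-file cells on lines 71-72. These values come from file names and file contents under wp-content, so a crafted VERSION string or file name is rendered as markup in an admin page; wrap them in esc_html(), and use esc_attr() for the checkbox value on line 42. The "scan" form on lines 6-7 also lacks the wp_nonce_field() that the "fix" form has on line 21. Smaller points: the checkbox cell on line 42 opens as a th but closes with `</td>`, $alternate is read on line 38 before it is ever set, and the empty() check on line 76 sits inside the !empty() branch opened on line 58, so the "Worried that you're already hacked?" paragraph can never render.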
class-cg-tvs-filescanner.php ADDED
@@ -0,0 +1,95 @@
1
+ <?php
2
+
3
+ class CG_FileScanner {
4
+
5
+ public $base_dir;
6
+ public $errors;
7
+ public $inventory;
8
+ public $instances;
9
+ public $suspicious_files;
10
+
11
+ function __construct( $base_dir ) {
12
+ if ( is_file( $base_dir ) || is_dir( $base_dir ) ) {
13
+ $this->base_dir = $base_dir;
14
+ } else {
15
+ die();
16
+ }
17
+ }
18
+
19
+ function generate_inventory() {
20
+ $this->inventory = $this->get_dir_contents( $this->base_dir, true );
21
+ }
22
+
23
+ function get_dir_contents( $path ) {
24
+ $inventory = array();
25
+ if ( ! $dir_handle = @opendir( $path ) ) {
26
+ $this->errors[] = "Couldn't open $path";
27
+ return false;
28
+ }
29
+ while ( $file = readdir( $dir_handle ) ) {
30
+ if ( $file == '.' || $file == '..' ) continue;
31
+ if ( is_dir( $path . '/' . $file ) ) {
32
+ $inventory = @array_merge( $inventory, $this->get_dir_contents( $path . '/' . $file ) );
33
+ } else {
34
+ $inventory[] = $path . '/' . $file;
35
+ }
36
+ }
37
+ closedir( $dir_handle );
38
+ return $inventory;
39
+ }
40
+
41
+
42
+ function scan_inventory_timthumb() {
43
+ foreach( $this->inventory as $path ) {
44
+ $path_parts = pathinfo( $path );
45
+ // Don't scan this plugin's files
46
+ if( preg_match( '~^' . dirname(__FILE__) . "~", $path ) ) {
47
+ continue;
48
+ }
49
+ if( $path_parts['extension'] == 'php' ) {
50
+ if( $file_handle = @fopen( $path, 'r' ) ) {
51
+ $contents = @fread( $file_handle, filesize( $path ) );
52
+ if ( preg_match( "~TimThumb script created by Tim McDaniels and Darren Hoyt|TimThumb script created by Ben Gillbanks\, originally created by Tim McDaniels and Darren Hoyt|TimThumb by Ben Gillbanks~", $contents ) ) {
53
+ // We have a timthumb script. Now check to see what version it is.
54
+ preg_match( "~define\s*\(\s*[\'|\"]VERSION[\'|\"],\s*[\'|\"]([^\'|\"]*)~", $contents, $matches );
55
+ $instance['path'] = $path;
56
+ if(!empty($matches[1])){
57
+ $instance['version'] = $matches[1];
58
+ }else{
59
+ $instance['version'] = 0;
60
+ }
61
+ $this->instances[] = $instance;
62
+ unset($instance);
63
+ }
64
+ }
65
+ }
66
+ }
67
+ }
68
+
69
+ function check_for_intrusion_files(){
70
+ // This is far from foolproof. All we're going to do is
71
+ // look at each copy of timthumb, and check for a cache folder in the same directory
72
+ // then look for php files inside of that.
73
+ // This could be improved to try to actually read the DIRECTORY_CACHE constant
74
+ // from each timthumb file, assuming they haven't already been altered.
75
+ // I don't know how common it is to actually alter this value.
76
+ if(!empty($this->instances)){
77
+ foreach($this->instances as $instance){
78
+ if(is_dir(dirname($instance['path']).'/cache')){
79
+ // We have a cache dir. Run through the cache files
80
+ // to see if we have any php files.
81
+ $cache_files = $this->get_dir_contents(dirname($instance['path']).'/cache');
82
+ foreach($cache_files as $cache_file){
83
+ $path_parts = pathinfo($cache_file);
84
+ if($path_parts['extension'] == 'php' && $path_parts['basename'] != 'index.php'){
85
+ $this->suspicious_files[] = $cache_file;
86
+ echO "FOUND SUSPICIOUS FILE";
87
+ }
88
+ }
89
+ }
90
+ }
91
+ }
92
+ }
93
+
94
+ }
95
+ ?>
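Review bot: In get_dir_contents() (lines 25-32), a subdirectory that cannot be opened makes the recursive call return false, and `@array_merge( $inventory, ... )` with a false argument then yields NULL (a TypeError on PHP 8), which discards every path already collected at that level, so one unreadable directory silently shrinks the scan. Return an empty array on failure or check the result before merging; the same false return reaches the foreach over $cache_files on line 82. In scan_inventory_timthumb() the handle opened on line 50 is never closed, $path_parts['extension'] is read on line 49 without isset() for extensionless files, and dirname(__FILE__) goes into the pattern on line 46 without preg_quote(). check_for_intrusion_files() matches only the exact lowercase extension 'php' and still carries the debug line `echO "FOUND SUSPICIOUS FILE";` on line 86, which prints into the admin page; drop the echo and note the extension limitation next to the existing "far from foolproof" comment.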
class-cg-tvs-plugin.php ADDED
@@ -0,0 +1,264 @@
1
+ <?php
2
+
3
+ class CG_TVS_Plugin{
4
+
5
+ var $script_latest_version;
6
+ var $script_safe_version;
7
+ var $last_version_check;
8
+
9
+ var $last_scan;
10
+ var $script_instances;
11
+ var $suspicious_files;
12
+
13
+ var $plugin_base;
14
+
15
+ var $current_timthumb_src_version;
16
+
17
+ function init(){
18
+ $storage_array = get_option( 'cg_tvs_data' );
19
+ if(is_array($storage_array)){
20
+ $this->script_latest_version = $storage_array['script_latest_version'];
21
+ $this->script_safe_version = $storage_array['script_safe_version'];
22
+ $this->last_version_check = $storage_array['last_version_check'];
23
+
24
+ $this->script_instances = $storage_array['script_instances'];
25
+ $this->suspicious_files = $storage_array['suspicious_files'];
26
+ $this->last_scan = $storage_array['last_scan'];
27
+
28
+ }else{
29
+ $this->script_latest_version = '2.8.2';
30
+ $this->script_safe_version = '2.8.2';
31
+ $this->last_version_check = 0;
32
+
33
+ $this->script_instances = array();
34
+ $this->suspicious_files = array();
35
+ $this->last_scan = 0;
36
+ $this->save();
37
+ }
38
+ if($this->last_version_check < time()-86400){
39
+ $this->get_fresh_data();
40
+ $this->save();
41
+ }
42
+ $this->plugin_base_dir = trailingslashit(dirname(__FILE__));
43
+ if(!is_writeable($this->plugin_base_dir)){
44
+ $this->show_message('The plugin directory (at '.$this->plugin_base_dir.') is not writeable. Because of this, we can\'t download an updated copy of timthumb to use. Try changing permissions on this directory to 755 (or in certain cases, 777)', 'error');
45
+ }
46
+ }
47
+
48
+ function add_menus(){
49
+ add_management_page( 'Timthumb Scanner', 'Timthumb Scanner', 'manage_options', 'cg-timthumb-scanner', array(&$this, 'admin_panel_controller' ) );
50
+ }
51
+
52
+
53
+ function activate(){
54
+ $this->init();
55
+ delete_option( 'cg_tvs_last_checked' );
56
+ delete_option( 'cg_tvs_vulnerable_files' );
57
+ delete_option( 'cg_tvs_safe_files' );
58
+ }
59
+
60
+ function deactivate(){
61
+ delete_option( 'cg_tvs_data' );
62
+ }
63
+
64
+ function get_fresh_data(){
65
+ include_once(ABSPATH . WPINC . '/class-IXR.php');
66
+ $ixr_client = new IXR_Client('http://codegarage.com/comm.php');
67
+ if(!$ixr_client->query('request.TimthumbInfo')){
68
+ // request failed. Handle this.
69
+ $this->show_message('Updated script information request failed.');
70
+ }else{
71
+ $response = $ixr_client->getResponse();
72
+ $this->script_latest_version = $response['latest_version'];
73
+ $this->script_safe_version = $response['safe_version'];
74
+ }
75
+ $this->last_version_check = time();
76
+ }
77
+
78
+ function scan( $scan_base = WP_CONTENT_DIR ){
79
+ require_once 'class-cg-tvs-filescanner.php';
80
+ $scanner = new CG_FileScanner( $scan_base );
81
+ $scanner->generate_inventory();
82
+ $scanner->scan_inventory_timthumb();
83
+ $scanner->check_for_intrusion_files();
84
+ $this->last_scan = time();
85
+ $this->script_instances = $scanner->instances;
86
+ $this->suspicious_files = $scanner->suspicious_files;
87
+ $this->show_message('Scan completed.');
88
+ $this->save();
89
+ }
90
+
91
+ function get_version_float($version){
92
+ // Convert version string into a float
93
+ $version_parts = explode('.', $version);
94
+ $version = $version_parts[0].'.';
95
+ for( $position = 1; $position<count($version_parts); ++$position ){
96
+ $version .= $version_parts[$position];
97
+ }
98
+
99
+ return floatval($version);
100
+
101
+ }
102
+
103
+ function get_version_status($version){
104
+ $version = $this->get_version_float($version);
105
+ if( $version < $this->get_version_float($this->script_safe_version) ){
106
+ return "Vulnerable";
107
+ }
108
+ if( $version < $this->get_version_float($this->script_latest_version) ){
109
+ return "Outdated";
110
+ }else{
111
+ return "Up to Date";
112
+ }
113
+ }
114
+ function display_version_status($version){
115
+ $status = $this->get_version_status($version);
116
+ switch($status){
117
+ case 'Vulnerable':
118
+ return "<span style='color:red'>Vulnerable</span>";
119
+ break;
120
+ case 'Outdated':
121
+ return "<span style='color:#FFCC00'>Outdated</span>";
122
+ break;
123
+ case 'Up to Date':
124
+ return "<span style='color:forestgreen'>Up to Date</span>";
125
+ break;
126
+ }
127
+ }
128
+ function fix_file( $file, $backup = 'without-backup' ) {
129
+ if($backup == 'with-backup'){
130
+ $this->backup_file( $file );
131
+ }
132
+
133
+ if(FALSE === $latest_src = $this->get_timthumb_src()){
134
+ $this->show_message('We can\'t read updated timthumb source file, so we can\'t update the selected files. Try checking permissions on the plugin folder and the file "cg-tvs-timthumb-latest.txt", if it exists.');
135
+ }
136
+
137
+
138
+ if( FALSE !== $fw = @fopen( $file, 'w' ) ) {
139
+ if ( fwrite( $fw, $latest_src ) ) {
140
+ $this->show_message( 'File <strong>' . basename( $file ) . '</strong> at <em>' . $file . '</em> successfully upgraded.' );
141
+ } else {
142
+ $this->show_message( 'Unknown file write error.', true );
143
+ }
144
+ } else {
145
+ $this->show_message( 'CAN\'T OPEN VULNERABLE FILE FOR WRITING', true );
146
+ return;
147
+ }
148
+ }
149
+
150
+ function get_timthumb_src_version(){
151
+ $current_src = $this->get_timthumb_src();
152
+ preg_match( "~define\s*\(\s*[\'|\"]VERSION[\'|\"],\s*[\'|\"]([^\'|\"]*)~", $current_src, $matches );
153
+ $this->current_timthumb_src_version = $matches[1];
154
+ }
155
+
156
+ function download_new_timthumb_src(){
157
+ $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
158
+ if ( is_wp_error( $tmp_filename ) ) {
159
+ $this->show_message( 'Error downloading updated copy of timthumb.php. Can\'t fix outdated files.' );
160
+ return false;
161
+ }
162
+ @unlink($this->plugin_base_dir . 'cg-tvs-timthumb-latest.txt');
163
+ rename($tmp_filename, $this->plugin_base_dir . 'cg-tvs-timthumb-latest.txt');
164
+ @unlink($tmp_filename);
165
+ if(is_file($this->plugin_base_dir . 'cg-tvs-timthumb-latest.txt')){
166
+ $this->get_timthumb_src_version();
167
+ $this->show_message( 'Updated copy of timthumb downloaded successfully.' );
168
+ return true;
169
+ }else{
170
+ $this->show_message( 'Error downloading updated copy of timthumb.php. Can\'t fix outdated files.' );
171
+ return false;
172
+ }
173
+ }
174
+
175
+ function get_timthumb_src(){
176
+ $src_file_path = $this->plugin_base_dir . 'cg-tvs-timthumb-latest.txt';
177
+ if ( FALSE !== $fr = @fopen( $src_file_path, 'r' ) ) {
178
+ $latest_src = fread( $fr, filesize( $src_file_path ) );
179
+ fclose($fr);
180
+ } else {
181
+ return false;
182
+ }
183
+ return $latest_src;
184
+ }
185
+
186
+ function backup_file( $path ){
187
+ $backup_path = $this->plugin_base_dir . '/backups' . $path;
188
+ wp_mkdir_p( dirname( $backup_path ) );
189
+ copy($path, $backup_path);
190
+ }
191
+
192
+ function save(){
193
+ $storage_array['script_latest_version'] = $this->script_latest_version;
194
+ $storage_array['script_safe_version'] = $this->script_safe_version;
195
+ $storage_array['last_version_check'] = $this->last_version_check;
196
+
197
+ $storage_array['script_instances'] = $this->script_instances;
198
+ $storage_array['suspicious_files'] = $this->suspicious_files;
199
+ $storage_array['last_scan'] = $this->last_scan;
200
+
201
+ update_option( 'cg_tvs_data', $storage_array );
202
+
203
+ }
204
+
205
+ function show_message( $message, $error = false )
206
+ {
207
+ if ($error) {
208
+ echo '<div id="message" class="error">';
209
+ }
210
+ else {
211
+ echo '<div id="message" class="updated fade">';
212
+ }
213
+
214
+ echo "<p><strong>$message</strong></p></div>";
215
+ }
216
+
217
+ function admin_panel_controller(){
218
+ if ( ! current_user_can( 'manage_options' ) ) {
219
+ wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
220
+ }
221
+ $this->init();
222
+
223
+ if ( isset( $_REQUEST['cg-tvs-action'] ) ) {
224
+ switch ( $_REQUEST['cg-tvs-action'] ) {
225
+ case 'scan':
226
+ $this->scan();
227
+ break;
228
+ case 'fix':
229
+ $this->get_timthumb_src_version();
230
+ if($this->get_version_float($this->current_timthumb_src_version) < $this->script_latest_version){
231
+ $this->download_new_timthumb_src();
232
+ }
233
+ if ( wp_verify_nonce( $_POST['_wpnonce'], 'fix_timthumb_files' ) ) {
234
+ if( is_array( $_POST['fix'] ) && !empty( $_POST['fix'] ) ){
235
+ foreach( $_POST['fix'] as $file_id ) {
236
+ $this->fix_file( $this->script_instances[intval($file_id)]['path'] );
237
+ }
238
+ }
239
+ $this->scan(); // Re-scan site
240
+ }
241
+ break;
242
+ case 'fixall':
243
+ $nonce = $_GET['_wpnonce'];
244
+ if ( wp_verify_nonce( $nonce, 'fix_all_timthumb_files' ) ) {
245
+ $vulnerable_files = $this->get_vulnerable_files();
246
+ if ( is_array( $vulnerable_files ) && ! empty( $vulnerable_files ) ) {
247
+ foreach ( $vulnerable_files as $file ) {
248
+ $this->fix_file( $file );
249
+ }
250
+ $this->scan(); // Re-scan site
251
+ }
252
+ }
253
+ break;
254
+ }
255
+ }
256
+
257
+ if(!empty($this->suspicious_files)){
258
+ $this->show_message('<strong>Oh no!</strong> Files on your site indicate that your server has already been compromised by the timthumb vulnerability. <a href="http://codegarage.com/hack-cleanup">Get help here</a>', 'error');
259
+ }
260
+
261
+ include_once 'cg-tvs-admin-panel-display.php';
262
+ }
263
+
264
+ }
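Review bot: fix_file() does not return when get_timthumb_src() fails on line 133: after the failure message it still runs `@fopen( $file, 'w' )` on line 138, which truncates the target, and the fwrite() on line 139 then has nothing to write, leaving an empty script behind. Return right after the failure message and fclose() the handle once the write is done. The replacement source is fetched on line 157 with `download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' )` over plain HTTP and copied over PHP files with no integrity check, and the version data on line 66 comes from `http://codegarage.com/comm.php` the same way; use HTTPS and verify a known hash, or at least the parsed VERSION, before overwriting anything. In admin_panel_controller() the 'scan' case runs without a nonce and the 'fix' case downloads new source (line 231) before wp_verify_nonce() is called on line 233; move the nonce check to the top of each case. get_version_float() turns "2.8.10" into 2.81, which sorts below "2.8.2" (2.82), and line 230 compares that float against the raw version string, so use version_compare() throughout. The 'fixall' case calls get_vulnerable_files(), which this class does not define, and init() assigns $this->plugin_base_dir while the declared property is $plugin_base.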
timthumb-vulnerability-scanner.php CHANGED
@@ -4,7 +4,7 @@ Plugin Name: TimThumb Vulnerability Scanner
4
  Plugin URI: http://codegarage.com/blog/2011/09/wordpress-timthumb-vulnerability-scanner-plugin-1.4/
5
  Description: Keep your instances of Timthumb up to date and free from vulnerabilities simply. Bonus - checks for obvious signs of compromised sites.
6
  Author: Peter Butler
7
- Version: 1.41
8
  Author URI: http://codegarage.com/
9
  */
10
 
4
  Plugin URI: http://codegarage.com/blog/2011/09/wordpress-timthumb-vulnerability-scanner-plugin-1.4/
5
  Description: Keep your instances of Timthumb up to date and free from vulnerabilities simply. Bonus - checks for obvious signs of compromised sites.
6
  Author: Peter Butler
7
+ Version: 1.42
8
  Author URI: http://codegarage.com/
9
  */
10