@ryo_apejp
timthumb.php

chrome
google

timthumb.php
WordPress
wp-config.php

Cleaning Up the TimThumb Hack | WP Theming
"wordpress.org"



■ WordPress › Support » Google issuing warnings about WP site: "content from counter-wordpress.com"?
■ WordPress › Support » [TimThumb Vulnerability] iframe hack
"timthumb.php"




■   timthumb – image crop zoom resize management – Google Project Hosting
■   WPZOOM Support Forum – View topic – [Updated] IMPORTANT Security Fix
Make sure this constant is set to false:

define( 'ALLOW_EXTERNAL', false );

Before:

$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

After:

$allowedSites = array();

Theme and plugin authors should use the built-in WordPress functions such as add_image_size to resize images.


Vulnerability Found in timthumb.php | VaultPress Blog

• grep
• JPCERT: Adobe Reader and Acrobat alert, https://www.jpcert.or.jp/at/2012/at120003.html
• JPCERT/CC
• WordPress Timthumb
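The audit below is an added example, not code from the slides or from the TimThumb project. It puts the VaultPress fix quoted above and the grep step from the response list into one script: it finds copies of timthumb.php under a WordPress root and reports every copy in which ALLOW_EXTERNAL is not defined as false or $allowedSites is not an empty array. The sample install it builds under mktemp is constructed for the demonstration (one theme carries the "Before" configuration, the other the "After"); thumb.php as an alternate file name is an assumption, since TimThumb was often bundled under that name, and the patterns only recognise the single-line forms of the two settings.

```shell
#!/bin/sh
# Added example (not from the slides or the TimThumb project): audit a WordPress
# install for TimThumb copies that still allow external image fetches.
# Hardened means: define('ALLOW_EXTERNAL', false) and $allowedSites = array().

# check_timthumb FILE
# Prints one line per problem; exits 0 only when both settings are hardened.
check_timthumb() {
    file="$1"
    problems=0
    # ALLOW_EXTERNAL must be defined as false (-i: some copies write FALSE).
    if ! grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]ALLOW_EXTERNAL['\"][[:space:]]*,[[:space:]]*false" "$file"; then
        echo "$file: ALLOW_EXTERNAL is not set to false"
        problems=$((problems + 1))
    fi
    # $allowedSites must be an empty array; a multi-line host list never matches.
    if ! grep -Eq '\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*\([[:space:]]*\)' "$file"; then
        echo "$file: \$allowedSites is not empty"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# scan_wp_root DIR
# Runs check_timthumb on every TimThumb copy under DIR (themes and plugins alike).
# Exits non-zero if any copy is not hardened. Paths containing whitespace are
# not handled by the word-split loop.
scan_wp_root() {
    root="$1"
    rc=0
    # thumb.php is an assumed alternate name; extend the list for your site.
    for f in $(find "$root" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \)); do
        check_timthumb "$f" || rc=1
    done
    return $rc
}

# Constructed sample install so the audit runs offline; not a real site.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/old-theme" "$dir/wp-content/themes/fixed-theme"
    # "Before": external fetches allowed from a list of hosts
    cat > "$dir/wp-content/themes/old-theme/timthumb.php" <<'EOF'
<?php
define( 'ALLOW_EXTERNAL', true );
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);
EOF
    # "After": no external fetches at all
    cat > "$dir/wp-content/themes/fixed-theme/timthumb.php" <<'EOF'
<?php
define( 'ALLOW_EXTERNAL', false );
$allowedSites = array();
EOF
    printf '%s\n' "$dir"
}

# Stand-alone use: sh timthumb_audit.sh /var/www/html
# With no argument, the constructed sample install is audited instead.
if [ $# -gt 0 ]; then
    scan_wp_root "$1"
else
    demo_root=$(make_sample_install)
    scan_wp_root "$demo_root" || echo "unhardened TimThumb copies found in the sample install"
    rm -rf "$demo_root"
fi
```

Run it against a real WordPress root and treat every reported file as a copy to update or remove; an empty report only says the two settings are hardened, not that the bundled timthumb.php is otherwise current.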



Timthumb Vulnerability Scanner for WordPress
The Fear of Code Vulnerabilities and How to Respond (original title: コードの脆弱性の恐怖と対応)
