Hej!
Our installation and our plugins are all up to date.
The problem is the haybase-plugin which we installed to use the blue Dutch WLM skin. It contains a file called timthumb.php with the following code:
    // external domains that are allowed to be displayed on your website
    $allowedSites = array (
        'flickr.com',
        'picasa.com',
        'blogger.com',
        'wordpress.com',
        'img.youtube.com',
        'upload.wikimedia.org',
    );

    [...]

    // marks the URL as allowed if its host merely contains one of the entries
    foreach ($allowedSites as $site) {
        if (strpos (strtolower ($url_info['host']), $site) !== false) {
            $isAllowedSite = true;
        }
    }
And the check there is stupid. It just checks if an external URL contains flickr.com, not if the URL is actually flickr.com. Using this, manipulated GIF images were downloaded from http://flickr.com.aseana.com.my/xc0de.php and ended up in the cache folder for scaled images, where they were later executed as PHP files.
It seems only the index.php was replaced and another text file was added.
As we switched to Elyas red skin last weekend I just removed the old WMNL skin and the haybase plugin.
Regards, Holger
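The following is an added example (not code from timthumb.php, the haybase plugin, or Holger's mail) showing the substring check from the mail next to a host check that only accepts the allowed domain itself or one of its subdomains. The sample URLs are constructed; the second one uses the placeholder host flickr.com.attacker.example to mimic the pattern described above.

```php
<?php
// Added example: allowlist check on the URL host. Not the plugin's own code.

$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

// Check as found in the plugin: any host that *contains* an allowed
// domain as a substring passes, e.g. "flickr.com.attacker.example".
function isAllowedHostSubstring($host, $allowedSites) {
    $host = strtolower($host);
    foreach ($allowedSites as $site) {
        if (strpos($host, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: the host must equal an allowed domain exactly, or end
// with "." followed by an allowed domain (i.e. be a real subdomain of it).
function isAllowedHost($host, $allowedSites) {
    $host = strtolower(rtrim($host, '.'));   // drop a trailing dot, normalise case
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs (placeholder hosts, not real sites).
$samples = array(
    'http://flickr.com/photo.gif',                  // allowed by both checks
    'http://flickr.com.attacker.example/x.php',     // substring check wrongly allows
    'http://farm1.static.flickr.com/photo.gif',     // subdomain, allowed by both
    'http://notflickr.com/photo.gif',               // substring check wrongly allows
    'not a url',                                    // no host at all, rejected
);

foreach ($samples as $url) {
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || $host === false) {
        printf("%-45s no host, rejected\n", $url);
        continue;
    }
    printf("%-45s substring: %-3s  hardened: %s\n",
        $url,
        isAllowedHostSubstring($host, $allowedSites) ? 'yes' : 'no',
        isAllowedHost($host, $allowedSites) ? 'yes' : 'no');
}
```

The host check only decides which servers a file may be fetched from; it does not make the fetched bytes an image. The second half of the problem described in the mail, a downloaded file being executed as PHP from the cache directory, is independent of the allowlist, so the cache directory for scaled images should also be configured so that the web server never executes scripts from it.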