Vulnerability Found in timthumb.php

Yesterday we learned of a vulnerability in a popular image resizing library called TimThumb, which is used in many WordPress themes and plugins. The vulnerability was first reported by Mark Maunder in a post on his blog, and has been confirmed by the author of TimThumb.

The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.

We recommend deleting timthumb.php or thumb.php if your site will work without them. If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or plugin directory. After you remove the TimThumb library make sure you check that your site is still working correctly.

If you must use TimThumb, make sure to update the file to the latest version and check the TimThumb site regularly for updates. You should also set ALLOW_EXTERNAL to false, then find the $allowedSites array inside the file and remove the domain names from it, so that the script cannot download remote files.

Make sure this constant is set to false:

define( 'ALLOW_EXTERNAL', false );

Before:

$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'img.youtube.com',
	'upload.wikimedia.org',
);

After:

$allowedSites = array();

Theme and plugin authors should use the built-in WordPress functions such as add_image_size to resize images.
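A small audit script for the two settings above, added here as an example and not code from the post or from TimThumb itself: it walks a WordPress tree, finds any timthumb.php or thumb.php, and reports whether ALLOW_EXTERNAL is still true or $allowedSites still lists domains. The sample file contents are constructed, and treating a missing ALLOW_EXTERNAL define as unsafe is an assumption.

```python
import os
import re

# Patterns for the two settings the advisory says to check. Assumption: the
# file spells them as define('ALLOW_EXTERNAL', ...) and $allowedSites = array(...).
ALLOW_EXTERNAL_RE = re.compile(
    r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(true|false)\s*\)", re.I)
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)
SITE_RE = re.compile(r"['\"]([^'\"]+)['\"]")


def audit_timthumb_source(src):
    """Report ALLOW_EXTERNAL, the $allowedSites entries and whether the file
    can still fetch remote files, given the text of a timthumb.php."""
    m = ALLOW_EXTERNAL_RE.search(src)
    allow_external = None if m is None else m.group(1).lower() == "true"
    m = ALLOWED_SITES_RE.search(src)
    sites = [] if m is None else SITE_RE.findall(m.group(1))
    # Only an explicit false plus an empty list counts as hardened; a missing
    # define (older copies) is reported as still permitting remote fetches.
    remote = allow_external is not False or bool(sites)
    return {"allow_external": allow_external, "allowed_sites": sites,
            "remote_fetch_possible": remote}


def scan_wordpress(root):
    """Walk a WordPress install and audit every timthumb.php / thumb.php."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in ("timthumb.php", "thumb.php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings[path] = audit_timthumb_source(fh.read())
    return findings


# Constructed samples: the advisory's "before" list with ALLOW_EXTERNAL on,
# and the hardened "after" form.
UNSAFE_SAMPLE = ("define( 'ALLOW_EXTERNAL', true );\n"
                 "$allowedSites = array (\n\t'flickr.com',\n\t'picasa.com',\n"
                 "\t'img.youtube.com',\n\t'upload.wikimedia.org',\n);\n")
HARDENED_SAMPLE = "define( 'ALLOW_EXTERNAL', false );\n$allowedSites = array();\n"

if __name__ == "__main__":
    for label, src in (("unsafe", UNSAFE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit_timthumb_source(src))
    # Point this at a real install, e.g. scan_wordpress("/var/www/wp-content")
```

Any entry with remote_fetch_possible set to True is a file that should be deleted or edited as described above.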

We are sending out emails to all VaultPress customers who have TimThumb installed on their site. Customers can contact the VaultPress Safekeepers directly for help from the VaultPress dashboard.

About John Ford

@farmstandapp co-founder, @studioboro co-founder, compulsive traveler, lover of healthy living. I'm making things I love.
This entry was posted in Announcements, Security.

44 Responses to Vulnerability Found in timthumb.php

  1. Pingback: Security Notice: Timthumb | Page.ly Blog

  2. Useful information. My site relies on TimThumb, so I will definitely make the suggested modifications.

  3. It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

    • That’s where a plugin like “Regenerate Thumbnails” comes in really handy. I honestly can’t really see any efficient way for WordPress to try to dynamically regenerate the thumbnails every time a plugin or theme registers a new image size, unfortunately. The add_image_size() function is called every time a page is loaded (WordPress doesn’t catalog the registered image sizes anywhere), so WP would basically need to have some way to scan all uploads directories for all images and attempt to resize any that don’t have all of the appropriate image sizes every single time a page (in the Admin area or on the website itself) is loaded. That would cause dramatic slowdowns and would really tax server resources.

      Regenerate Thumbnails simply requires you to click a button to regenerate all images. It’d be kind of nice if WordPress would include at least that functionality in the core, though.

      • Ryan O'Meara says:

        Wow. Have been looking for a solution like this for ages. Timthumb is really resource intensive and this plugin seems to do everything I need. Thank you!

    • I’ve just spent some time modifying a site to remove TimThumb, including writing a very dirty plugin to assign Featured Images to some 1,000 odd historical posts. I might be able to help you if you’re interested…

  4. Thank you for the email notification of the vulnerability.

  5. Troy Dean says:

    Thank you for the email notification of the vulnerability. Keep up the great work guys!

  6. Pingback: TimThumb Vulnerability « Meganet Central Industrial

  7. Andy says:

    Thank you for the notification. Update made and now I will sleep better at night ;-) Thanks VaultPress!

  8. Pingback: Timthumb Vulnerability + Security Update- Elegant Themes Blog

  9. Dan Rollins says:

    Thanks for the notice… instead of deleting, could I rename the file to something else in the event it fixes itself and I can revert back to the original name?

    • John Ford says:

      It’s best to remove the file from your server or update the code within the file so you don’t chance the file being executed somehow. The file definitely needs to be updated if you plan on keeping it on your server.

  10. Pingback: Vulnerability Found in the TimThumb script | CodeGround

  11. Mezanul says:

    Thanks a lot for the timely notification via email. I have replaced the file and have made the necessary changes.

  12. Pingback: Timthumb.php security flaw makes hacking your WordPress site simple ~ ferguskelly.net

  13. Ben Moffett says:

    You Rock for letting us know this…but you probably already know that.

  14. Pingback: Security issue with timthumb.php | WP Engine System Status

  15. Pingback: Security Update for Modularity, Photo Workshop, Widescreen WordPress Themes | Graph Paper Press

  16. Pingback: TimThumb security vulnerability discovered, affects many WordPress themes | WPCandy

  17. Pingback: How to Fix TimThumb.php WordPress Theme Security Flaw | Wordpress Multisite Blogs Help Tips | Behind the Scenes

  18. Pingback: TimThumb Security Vulnerability « Weblog Tools Collection

  19. Pingback: Security Hole in Many WordPress Themes « Mark's Journeys Along the Paths of Life

  20. Pingback: 712 Fewer Vulnerable TimThumb Scripts in Existence | VaultPress Blog

  21. Pingback: TimThumb shoots, VaultPress saves! | sennza

  22. Pingback: Timthumb Vulnerability | Wordpress Style

  23. Pingback: Tim Thumb vulnerability » K4 Media Web Design, Phnom Penh, Cambodia

  24. Aarav says:

    Just had a look at my blog theme and found out that it's vulnerable too. Thanks for this post listing. I’m trying out the modifications you advised. My blog was hacked last month and recovering it from backup was a pain. Thanks once again!

  25. Pingback: TimThumb security vulnerability discovered: Affects many WordPress themes | TechBlog Central

  26. Pingback: The TimThumb Saga — Matt Mullenweg

  27. Chris says:

    TimThumb has always bothered me so I use Jarrod Oberto’s excellent image resizer code in this tutorial http://net.tutsplus.com/tutorials/php/image-resizing-made-easy-with-php/

  28. Pingback: How to fix Timthumb security issue?

  29. Pingback: Vulnerability Wordpress Thumb.php | Beta.my

  30. Pingback: Security Flaw in Timthumb - BDI BBS

  31. Karen says:

    On behalf of my clients, thank you for this info on TimThumb. You just prevented some sleepless nights for me! You rock.

  32. Pingback: TimThumb, Heroism and FUD

  33. Pingback: How To Use timthumb.php with Multisites | WP Code Snippets

  34. Movies says:

    I have just started a new WordPress blog using timthumb v2.8.2, allowing external sites to true but only with my subdomain because I upload my images to my subdomain. Is it secure for me, or should I go with WP add_image_size considering long-term security and compatibility? Thanks in advance if anyone answers the question.

  35. Pingback: 6 Essential Practices To Keep WordPress Secure | Wordpress Jedi

  36. John Galt says:

    I replaced the file and had no problems whatsoever. Thanks for the update.

  37. Singapore Web Design Company says:

    Just had a look at my blog theme and found out that it's vulnerable too. Thanks for this post listing. I’m trying out the modifications you advised.

  38. Pingback: Dynamically Resize WordPress Images On-the-Fly | SeedProd

  39. Pingback: Is your WordPress installation at risk because of timthumb? | WPspecialist
