ThemeLab's Blog


TimThumb Security Vulnerability – Common in WordPress Themes


TimThumb, an image resizing script commonly used in WordPress themes (especially paid ones), is being exploited through a zero day vulnerability. If you think your WordPress theme may use the TimThumb script, please pay attention.

Quick Fix

The easiest way to fix it is to delete every copy of timthumb.php on your sites. It is also commonly named thumb.php (this is what WooThemes uses). I’d imagine this also applies to inactive themes: a copy sitting in an inactive theme’s directory is still reachable by direct URL, so it should go too.

As outlined in the previously linked post on Mark Maunder’s blog, the next best quick fix would be to remove all the “Allowed Sites” in the array.

Before:

$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'img.youtube.com',
	'upload.wikimedia.org',
);

Change to:

$allowedSites = array();

Also make sure the following constant is set to false. Otherwise removing the “allowed sites” won’t really matter, because with it set to true every external site is allowed regardless of the list:

define( 'ALLOW_EXTERNAL', false );

What’s the big deal?

You might be thinking, “lolz, Flickr or Wikipedia is gonna hack my site? Yeah right!” Wrong.

The problem is that flickr.com.lamehackersite.info would be treated as just as “allowed” as flickr.com, and that loose matching is where the real vulnerability lies.
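To make the matching problem concrete, here is an added example (not TimThumb’s own code, and not reproducing its actual implementation): a loose “allowed site” check modelled on the post’s description, next to a strict host check that anchors the comparison to the URL’s host and a dot boundary. The sample URLs are constructed for illustration.

```php
<?php
// Added example, not TimThumb's code: a loose "allowed site" match that
// accepts flickr.com.lamehackersite.info, beside a strict host match.

$allowedSites = array( 'flickr.com', 'picasa.com', 'img.youtube.com', 'upload.wikimedia.org' );

// Loose check: accept the URL if an allowed name appears anywhere in it.
function is_allowed_loose( $url, array $allowedSites ) {
    foreach ( $allowedSites as $site ) {
        if ( stripos( $url, $site ) !== false ) {
            return true;
        }
    }
    return false;
}

// Strict check: the URL's host must equal an allowed name exactly, or be a
// subdomain of it (suffix match anchored at a dot boundary), over http(s).
function is_allowed_strict( $url, array $allowedSites ) {
    $parts = parse_url( $url );
    if ( $parts === false || empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    $host = strtolower( $parts['host'] );
    foreach ( $allowedSites as $site ) {
        $site   = strtolower( $site );
        $suffix = '.' . $site;
        if ( $host === $site || substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs; only the first two should be accepted.
$samples = array(
    'http://flickr.com/image.jpg',
    'http://farm1.static.flickr.com/image.jpg',
    'http://flickr.com.lamehackersite.info/image.jpg',
    'http://lamehackersite.info/flickr.com/image.jpg',
);
foreach ( $samples as $url ) {
    printf( "%-50s loose=%-3s strict=%s\n", $url,
        is_allowed_loose( $url, $allowedSites ) ? 'yes' : 'no',
        is_allowed_strict( $url, $allowedSites ) ? 'yes' : 'no' );
}
```

The loose check says “yes” to all four URLs; the strict check accepts only the two whose host really is flickr.com or a subdomain of it.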

Theme Providers that Use TimThumb

Some WordPress theme providers that bundle TimThumb in their themes to resize images include WooThemes and ElegantThemes, two very popular commercial theme vendors that have tons of sites using themes with the vulnerable TimThumb script.

As far as WooThemes goes, it appears they’re aware of the issue according to the following tweet:

To address the timthumb issue, we have a post and fixes coming very soon. :) ^RR

Let’s not forget theme marketplaces (*cough* ThemeForest *cough*) where countless authors have produced countless themes used on countless sites, a lot of which probably use the TimThumb script. I’d imagine this would be a much messier situation than with a single vendor.

Theme Lab Themes

In the name of transparency, there are three themes on Theme Lab that use the TimThumb script. They have been updated to the latest version (with allowed sites removed).

If you use any of these themes, please update the /scripts/timthumb.php file ASAP. This advice can also apply to any other theme that uses the timthumb script, obviously.

Why only three? Because I discovered a better way to include thumbnail functionality in WordPress themes.

Use add_image_size Please!

WordPress has a great, built-in API for resizing images that can effectively replace the need for timthumb on WordPress sites. It’s called add_image_size.

For some live examples on how to use this in your own themes, check out the Green Tea, Cool Blue, or SongSpace themes here at Theme Lab.

This feature has been built into WordPress since version 2.9, which was released on December 19, 2009 (well over a year and a half ago).

Mark Jaquith posted a great tutorial on including this feature in your themes, so I can’t think of many other excuses for not including this in new themes.
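As an added example (not code from this post or from any Theme Lab theme), this is what replacing a bundled timthumb.php with add_image_size looks like; it assumes the code lives in a theme’s functions.php, and the size names and dimensions are made up here.

```php
<?php
// Added example, not from the post or a Theme Lab theme: register named image
// sizes with WordPress instead of resizing through timthumb.php.
// Assumes this sits in a theme's functions.php.

function themelab_example_image_sizes() {
    // Featured images must be enabled before named sizes are useful.
    add_theme_support( 'post-thumbnails' );

    // Name, width, height, hard crop. WordPress writes these variants to
    // wp-content/uploads when an image is uploaded, so nothing is resized
    // or fetched from a remote host at request time.
    add_image_size( 'example-slider', 960, 360, true );
    add_image_size( 'example-listing', 200, 150, true );
}
add_action( 'after_setup_theme', 'themelab_example_image_sizes' );

// Template helper: echo the listing thumbnail for the current post inside
// The Loop, or nothing if the post has no featured image.
function themelab_example_listing_thumb() {
    if ( has_post_thumbnail() ) {
        the_post_thumbnail( 'example-listing' );
    }
}

// Slider helper: return the URL of the slider-sized variant for a post,
// or an empty string if it has no featured image.
function themelab_example_slider_url( $post_id ) {
    $attachment_id = get_post_thumbnail_id( $post_id );
    if ( ! $attachment_id ) {
        return '';
    }
    $image = wp_get_attachment_image_src( $attachment_id, 'example-slider' );
    return $image ? $image[0] : '';
}
```

Sizes registered this way only apply to images uploaded afterwards, so existing media has to be regenerated (for example with the Regenerate Thumbnails plugin) before the new variants exist.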

A Note on the TimThumb Developer

I noticed that the TimThumb developer, Ben Gillbanks, was getting directly and indirectly “bashed” pretty hard in the comments of the original vulnerability post.

Yes, it turns out the TimThumb script isn’t the most secure script in the world, but at least the developer is sticking around and supporting it for free.

I believe the script was released with nothing but the best intentions, and to see this “bashing” take place against someone who is doing all he can to help the situation is a bit bewildering, to say the least.

Over the years I’ve seen him respond to lots of TimThumb support requests on Twitter, something he’s certainly not obligated to do for a free script, but he does it anyway.

After all the profit that’s been made from the script (like commercial themes using it to make sure their fancy jQuery slider images are resized nicely) you’d think you’d see a little gratitude, but what else is new?

Conclusion

Obviously this is a pretty messy situation; a lot of users probably won’t have any idea they’re vulnerable until they’re hacked. It’s important to understand how widely this script has been bundled with WordPress themes over the years.

Jayvie has also posted his thoughts on the issue in his post titled Timthumb zero day vulnerability: time to get back to basics.

What do you have to say about it? Let me know in the comments.

About

Leland Fiegel was the original founder of ThemeLab. He is a web developer who loves WordPress and blogging.

  • http://www.darrenhoyt.com/ Darren Hoyt

    Big thanks to Ben for maintaining this script and getting on top of addressing those vulnerabilities. Like Leland said, it’s been a free script for years that a lot of folks have used to sell premium themes, though we also understand that a lot about the WP core has changed, too, since TimThumb was written in 2007. I don’t think Tim or Ben or myself ever thought it would be as ubiquitous in the WordPress world as it’s been since then and admittedly it’s not our highest priority, but I appreciate the community embracing it and pointing out things that can improve it.

    • Leland

      Hey Darren, thanks for stopping by and sharing your thoughts about this.

      Definitely interesting to hear from one of the original creators of the timthumb script.

  • http://twitter.com/tomlambie Tom

    Thanks for this – a very well known script used widely by many themes/websites

    • Leland

      Yep, hopefully they’ll get the message and update their scripts.

  • http://bryanveloso.com/ Bryan Veloso

    Oh great. Some of my themes are using timthumb as well. Now it’s time to update to make my themes more secure.

    • Leland

      Yep, as far as a quick fix you can just include the latest timthumb script without the allowed sites.

      If you have more time, maybe utilize the add_image_size so it takes advantage of WordPress’ APIs.

  • http://www.davcomedia.co.uk Ian Davies

    Many thanks for the warning.

    Elegant Themes have issued details about the issue too.

  • http://andreasnurbo.com Andreas Nurbo

    These sorts of bundled scripts are one big reason to have built-in update capability in the themes you release.
    If you can’t reach the users of your stuff then you are jeopardizing their security and your own reputation.
    Personally I can’t understand why WooThemes hasn’t integrated the automatic update. They could use it.

    • Leland

      Hey Andreas, definitely a good point about having a built-in update capability.

      You could say the same thing about the framework->child theme model so you can safely upgrade the “core” theme without sacrificing any of your modifications (done in the child theme).

  • http://wpcanada.ca/ Len

    I noticed that the TimThumb developer, Ben Gillbanks, was getting directly and indirectly “bashed” pretty hard in the comments of the original vulnerability post.

    Yeah, and there is no call for that. Ben has given so much of himself to the WordPress community. A vulnerability was discovered and was quickly fixed.

    Non-coders don’t seem to understand the complexities involved in writing code. You think you have a solid airtight snippet and then comes along some hacker with way too much time on his hands poking and prodding until he finds something.

    Those of us who are active in the WordPress community know of Ben’s tireless contributions.

    • http://wpcanada.ca/ Len

      Hmmm, I meant for the 1st paragraph in my comment above to be wrapped in blockquote tags. For some reason they were stripped out. It was supposed to indicate me quoting from your post but now looks like I am plagiarising your post. :)

      • Leland

        They weren’t stripped, just didn’t have any blockquote styles for comments until now. :)

        Also couldn’t agree more with your comment. It really bothered me how someone who has contributed so much was just getting ripped to shreds because of this.

  • http://www.lumieredelune.com Marie-Aude

    One of the other issues with TimThumb is that it requires a chmod 777 to properly function. I never felt confident with that.

    • Leland

      I think that’s one of the reasons why Mark Maunder described TimThumb as “inherently insecure.”