TimThumb Security Vulnerability – Common in WordPress Themes
TimThumb, an image resizing script commonly used in WordPress themes (especially paid ones), is being exploited through a zero-day vulnerability. If you think your WordPress theme may use the TimThumb script, please pay attention.
The easiest way to fix it would be to delete any instance of timthumb.php on your sites. It is also commonly named thumb.php (this is what WooThemes uses). I’d imagine this also applies to inactive themes.
As outlined in the previously linked post on Mark Maunder’s blog, the next best quick fix would be to remove all the “Allowed Sites” in the array.
Before:
$allowedSites = array( 'flickr.com', 'picasa.com', 'img.youtube.com', 'upload.wikimedia.org' );
After:
$allowedSites = array();
Also make sure the following constant is set to false; otherwise, emptying the “allowed sites” list won’t matter, since with it set to true every external site would be allowed anyway:
define( 'ALLOW_EXTERNAL', false );
What’s the big deal?
You might be thinking, “lolz, Flickr or Wikipedia is gonna hack my site? Yeah right!” Wrong.
The problem is that flickr.com.lamehackersite.info would be just as “allowed” as flickr.com, which is where the real vulnerability lies.
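To show why a lookalike hostname gets through, here is an added example (my own code, not TimThumb’s) that puts a substring match over the whole URL next to a check against the parsed host. The allowed list is the one from the post; the function names and sample URLs are constructed for illustration.

```php
<?php
// Added example, not TimThumb's own code. The allowed list is the one from
// the post; the function names and sample URLs are constructed for illustration.

$allowedSites = array('flickr.com', 'picasa.com', 'img.youtube.com', 'upload.wikimedia.org');

// Weak check: substring match over the whole URL, so any URL that merely
// contains an allowed name somewhere in it passes.
function weak_is_allowed($src, array $allowedSites) {
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($src), strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, keep only the host component, and require
// an exact match or a real subdomain (dot boundary) of an allowed name.
// Unparseable URLs are denied.
function strict_is_allowed($src, array $allowedSites) {
    $host = parse_url($src, PHP_URL_HOST);
    if ($host === false || $host === null) {
        return false;
    }
    $host = strtolower($host);
    foreach ($allowedSites as $site) {
        $suffix = '.' . strtolower($site);
        if ($host === strtolower($site) || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

$samples = array(
    'http://flickr.com/photo.jpg',                  // legitimate host
    'http://flickr.com.lamehackersite.info/x.jpg', // lookalike from the post
);
foreach ($samples as $src) {
    printf("%-45s weak=%s strict=%s\n", $src,
        weak_is_allowed($src, $allowedSites) ? 'allow' : 'deny',
        strict_is_allowed($src, $allowedSites) ? 'allow' : 'deny');
}
```

The weak check allows both sample URLs; the strict check allows only the first. Keep ALLOW_EXTERNAL set to false on top of this, since a host check only matters once remote sources are permitted at all.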
Theme Providers that Use TimThumb
Some WordPress theme providers that bundle TimThumb in their themes to resize images include WooThemes and ElegantThemes, two very popular commercial theme vendors that have tons of sites using themes with the vulnerable TimThumb script.
As far as WooThemes goes, it appears they’re aware of the issue according to the following tweet:
To address the timthumb issue, we have a post and fixes coming very soon. ^RR
Let’s not forget theme marketplaces (*cough* ThemeForest *cough*) where countless authors have produced countless themes used on countless sites, a lot of which probably use the TimThumb script. I’d imagine this would be a much messier situation than with a single vendor.
Theme Lab Themes
In the name of transparency, there are three themes on Theme Lab that use the TimThumb script. They have been updated to the latest version (with allowed sites removed).
If you use any of these themes, please update the
/scripts/timthumb.php file ASAP. This advice can also apply to any other theme that uses the timthumb script, obviously.
Why only three? Because I discovered a better way to include thumbnail functionality in WordPress themes.
WordPress has a great, built-in API for resizing images that can effectively replace the need for timthumb on WordPress sites. It’s called add_image_size.
This feature has been built into WordPress since version 2.9, which was released on December 19, 2009 (well over a year and a half ago).
Mark Jaquith posted a great tutorial on including this feature in your themes, so I can’t think of many other excuses for not including this in new themes.
A Note on the TimThumb Developer
I noticed that the TimThumb developer, Ben Gillbanks, was getting directly and indirectly “bashed” pretty hard in the comments of the original vulnerability post.
Yes, it turns out the TimThumb script isn’t the most secure script in the world, but at least the developer is sticking around and supporting it for free.
I believe the script was released with nothing but the best intentions, and to see this “bashing” take place against someone who is doing all he can to help the situation is a bit bewildering, to say the least.
Over the years I’ve seen him respond to lots of TimThumb support requests on Twitter, something he’s certainly not obligated to do for a free script, but he does it anyway.
After all the profit that’s been made from the script (like commercial themes using it to make sure their fancy jQuery slider images are resized nicely) you’d think you’d see a little gratitude, but what else is new?
Obviously this is a pretty messy situation; a lot of users probably won’t have any idea they’re vulnerable until they’re hacked. It’s important to understand how widely this script has been bundled with WordPress themes over the years.
Jayvie has also posted his thoughts on the issue in his post titled Timthumb zero day vulnerability: time to get back to basics.
What do you have to say about it? Let me know in the comments.