WordPress Security Alert – TimThumb Image Resizing Script

WordPress Security Issue wIth Timthumb

In recent days a significant WordPress security threat has emerged. The root of it is the ability for unsavory types to compromise a very common image resizing script called TimThumb which is used in many WordPress themes and plugins. Through a security flaw, hackers can find a way into your site and cause havoc. Or, in more specific terms according to Vaultpress:

“The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.”

Are you at risk?

The list of themes and plugins that use this script is too long for any one source to have catalog-ed as yet. Securi has a partial list here. In my own researching I’ve found several major theme vendors to be vulnerable (WooThemes, Themify.me, Headway) although they have acted quickly to update their themes.  WebSite defender has a list of plugins and themes they know to be using timthumb.

If your theme uses multiple sizes of the same image in different parts of your site, such as thumbnails,based on one image you’ve uploaded into a post or as a featured image, it could be using the timthumb script to generate the other sizes.

If you’re using a plugin that generates different image sizes, for use in, for example a list of recent posts with a thumbnail image – this plugin could be using timthumb.

How to check if your theme uses TimThumb

1) The easy, but not foolproof way

In your WordPress admin, go to the Appearance menu and click on Editor. Look in the list on the right for a file called either timthumb.php or thumb.php – this is generally what most themes call this file. This will let you know if your current, active theme uses timthumb. However, if you have other themes installed, but are not active, you will have to select those from the drop-down menu and check them one-by-one.

It is entirely possible a theme creator is using the script but just named the file something else such as img.php, thumbnail.php etc. So to be sure, you can open any file you come across that you suspect may have something to do with image resizing, and at the top you may see something like this:
TimThumb script created by Ben Gillbanks, originally created by Tim McDaniels and Darren Hoyt

This lets you know that it’s the same timthumb script, regardless of the filename and so the fix still needs to be applied.

2) The super-novice way

Another way you can check is to right click on an image on your site (one that you think could be being automatically generated by a theme or plugin). Copy the image url into a text doc or your broswer and look at the whole thing. Do you see something like this in the url:

thumb.php?src=

or

timthumb.php?src=

click image below for full size:
timthumb security flaw wordpress
If so, that means your theme is using the script to resize that image and you must take the security steps below.

3) The only way to know for sure

Additionally there are cases where a theme could include the script in a subfolder which would NOT show up in the WordPress theme editor. For example, in the Headway Theme, they named the file thumbnail.php and it’s about 2 subfolders deep so you only see it via FTP. Fortunately they issued an update to the theme in the past few days which addresses the issue.

So the only way to know for sure is to thoroughly review your theme files using the FTP File Manager in your hosting account, or an FTP program.

What should you do if your site is at risk?

1) Check if your theme provider has handled the issue.

If your theme has issued an update in the past few days it could well be to take care of this issue – check the details of the update and if it’s related then update your theme immediately. Visit the website of your theme vendor and check their blog and support forums for information on the topic. If in doubt, send them an email. WPMU has a note on some of the major theme shops and how they have handled the issue.

A note about Thesis – this popular theme does use a version of the TimThumb script but it does NOT include the ability to use images from external sites (which is where the security flaw is), so unless you’ve hacked this script yourself, Thesis users should be fine.

I noticed that themes from Themify.me are vulnerable and they have issued updates to their themes, but the strange thing is that they don’t seem to push the update to the user by way of a notification – you actually have to check your version of the theme with their website to see if you have the latest, and then go and download and re-install the newly updated theme – not very convenient.

2) Fix It Yourself

An updated and secure version of TimThumb has been released so you can fix the issue yourself by replacing the old version in your theme with the new code. You can download the newly updated version here:
http://code.google.com/p/timthumb/

If you are using the WordPress editor and have located the old version of timthumb there, you can simply copy the code from the new file above and replace everything in the old file.  You can also do this via FTP if you know how to use it.

For extra security make sure that the line of code allowing access to external images is set to false, not true. It should look like this:

define( 'ALLOW_EXTERNAL', false );

Secondly look for this code:

$allowedSites = array(
'flickr.com',
'picasa.com',
'img.youtube.com',
);

Replace it with this code:

$allowedSites = array();

3) Clean up your site
If you have old themes that you’re not using sitting on your server that may be using the script, you should either update them all or just delete them.

If you need help locating or fixing a vulnerability please let me know.

 

** header image courtesy: http://www.flickr.com/photos/mamchenkov/302301657/

Weekly WordPress Tips To Your Inbox

  • This field is for validation purposes and should be left unchanged.

This Post Has One Comment

  1. Chris Raymond

    You should know that if you wish to show your Flickr stream on your blog, you can't disallow external sites, and MUST include Flickr in the array of allowed sites.

Leave a Reply

Your email address will not be published. Required fields are marked *