TimThumb security vulnerability discovered, affects many WordPress themes


Over the weekend a vulnerability was discovered in the TimThumb image resizing script. On Monday Mark Maunder, the CEO of Feedjit and the person who originally found the issue, blogged about how his site was compromised and how he traced the weakness that allowed it to TimThumb. Since that blog post the issue has been confirmed by TimThumb’s creator, and patches have been published to fix the problem.

TimThumb is a script primarily used for on-the-fly resizing and cropping of images, though another feature lets it fetch images from remote websites, crop them, and store them on the server. The list of allowed remote websites is kept within the script itself, and any fetched file is checked against that list.

As John Ford explained on the VaultPress blog, TimThumb’s vulnerability “allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory.” Such a file would let an attacker compromise the site further in any way they chose. VaultPress recommended deleting the TimThumb file from any site that doesn’t explicitly require it, and updating it on any site that does. Ford also recommended using built-in WordPress functions such as add_image_size to resize images, avoiding TimThumb entirely.

Sucuri Security’s David Dede echoed Ford’s statement, saying “if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.”

Sucuri also provided a list of a few dozen themes in the WordPress.org theme directory that use the TimThumb script in some way. According to a chat in the wordpress-dev IRC channel yesterday, TimThumb may soon be explicitly restricted by the theme review guidelines. Authors of any affected themes were to be contacted and, if necessary, their themes updated by the team at WordPress.org.

TimThumb can be used in any PHP environment, on any content management system, though it is best known for being extremely popular in commercial WordPress themes. As the news has spread this week, a number of WordPress theme shops have responded.

WooThemes published instructions for updating the TimThumb scripts within their themes. Their themes were updated, though version numbers weren’t bumped. Graph Paper Press, ThemeShift, and ThemeLab have updated the versions of TimThumb within their themes as well. Elegant Themes has published updates to their themes to remove TimThumb from them entirely.

TimThumb was originally developed by a friend of Darren Hoyt’s named Tim, though development is currently run by WordPress developer Ben Gillbanks. Since the news of the vulnerability broke he has been working to update it via its Google Code project.

Security issues are never fun. Have you used TimThumb in a client’s project, or used it within a theme of your own? Have you spent any time this week updating sites to repair this vulnerability?

47 thoughts on “TimThumb security vulnerability discovered, affects many WordPress themes”

      • Yup, older versions of the Thesis theme used TimThumb. Being a WordPress theme developer, I had to strip those TimThumb functions from the client’s website and replace them with our own image generating function rtp_generate_thumbs(), which is a part of an awesome theme framework, rtpanel

  1. Whenever I read comments such as those by John Ford that developers should use the built in WP API there’s never any examples to back it up. In my experience (and I’m happy to be proven wrong) the in-built functions in WP only apply to the standard use-case (where images are displayed from a standard blog post) – but some websites need the ability to resize images on the fly, either because of many different variations in size or more likely because images are taken from those embedded in a page – more typical of a buddypress or MU environment. We don’t all use WP for blogging…

    Could you either avoid perpetrating the illusion of WP’s infinite dexterity or illustrate such claims with a few examples, as I imagine anyone new to WP must be thoroughly confused… ;)

    • Mark Jaquith has a nice post from back at 2.9 that goes over a number of ways to use the built-in functions. I’ve used his examples to have a number of thumbnail sizes that, for my own use cases (dating back to freelance client work), has never fallen short of what I wanted to achieve.

      I read Ford’s and Dede’s comments to be more about the relative safety of functions, more than the functionality itself. Any time something foreign or third party is introduced, you have to weight the cost/benefit of what you’re getting.

      • Thanks Ryan, I was aware of post_thumbnails but haven’t used them in most of our sites because it depends on creating these images at the time they are ‘originally’ uploaded.

        In all due respect to those developers who claim to have a robust solution (without using timthumb), in the 14 comments on this post so far nobody has actually said *how* they perform dynamic image resizing – all I ever hear is “..I’ve got a solution…” without seeing any concrete examples.

        I can appreciate that some of the commenters are commercial theme developers who’d like to reserve a little bit of IP that differentiates their themes from competitor offerings, but this ‘issue’ is so widespread that it surely transcends the boundaries of commercial gain.

        Don’t take the criticism personally, I’m just curious as to why I’ve never come across a tutorial or discussion which explores the topic of dynamic image resizing using WP core functionality…

          • As I said I am well aware of how post_thumbnails work and the availability of the ‘Regenerate Thumbnails’ plugin – none of these answer the point I raised.

            Many developers have concluded that a dynamic real-time script such as timthumb offers the best solution (myself included) – even Mark Jaquith’s tutorial acknowledges that being able to resize on the fly would be a useful feature to ‘add’ to the inbuilt post_thumbnail function.

            It still seems that most people advocating a pure-WP solution are assuming a linear publishing model and fail to understand the wider usage of WordPress as a CMS platform.

          • Just to add to the comment about Mark Jaquith talking about being able to dynamically resize images. He did actually contact me over a year ago to talk about TimThumb and how similar technologies could be used in WordPress, however it seems nothing ever came of it.

  2. There are many limitations with using add_image_size as this feature is only for Post Thumbnails. We use TimThumb on our themes as it can re-size on the fly any image to any dimension, also if you need to add more than 1 featured image per post you can run into a problem there as well using the native resizer.

    We like the idea of using the WordPress native resizer but because of the limitations we cannot for our themes.

    It would be great if the features that TimThumb is capable of could be brought over to WordPress Core.

  3. I agree with @Adam about that.
    The add_image_size has many limitations as he wrote. More than that, using it will increase storage size in many cases, since add_image_size will crop any image that is being uploaded to the media library to all sizes, which in many cases is not needed.
    TimThumb is a very important and useful script, I hope that the fixes to the script are now minimizing risks of vulnerability.
    Thanks for your post.

  4. WP has everything you need to resize images and not to be slowed down by TimThumb. If you use WP functions for this as they are intended, you can do pretty much anything with image resizing and even save some server processing time since you will not need to use TimThumb that for each displayed image needs to use PHP to get it from cache or resize it on the fly.

    My xScape Theme Framework has full support for WP resizing and image manipulation built in, and it works great. TimThumb is not needed and shouldn’t be used at all. I know that it is easier to use it than to write a bit more code that uses WP native image support, but trust me, it’s worth it.

    • Yeah, I’m guessing developers that “need” TimThumb just don’t understand all the cool image features WP has added in the past few versions. Maybe a tutorial is in order??

      • – How would you avoid creating each uploaded image in all image_sizes, if not needed? There might be images that you won’t need in all sizes; in a site that has a lot of images, it can really increase storage without actual need.
        – How would you create sizes of images that need to be created *after* an image has already been uploaded to the library?

        Please give a concrete example, if you believe WP has “everything” that is needed for every scenario that could be. WP is great and has a lot inside, yet it’s not perfect. No CMS is.

  5. To my knowledge, the_post_thumbnail() can resize images on the fly if you pass the size as an argument inside the_post_thumbnail() rather than using a preset image size registered with add_image_size(). Please correct me if I’m wrong there. The only thing I know it doesn’t offer is a way to crop from the top of the image (rather than the center) and to sharpen images that are resized. In my opinion, adding those two options would be extremely useful.

    Off topic but related: One plugin that I use A LOT for adding multiple post images is the Multiple Post Thumbnails plugin which gives developers a simple way to add support for extra post images when you require different images for different uses.

    • That’s very interesting to hear – I will have to read up on that as it could solve many things.

      As far as I was aware the_post_thumbnail allows you to request any size and then sends you back an image element containing a larger image with width and height set to your specified sizes. Perhaps I misunderstood though and will need to read up on things to see for sure.

      • If you take a look here:

        http://core.trac.wordpress.org/browser/tags/3.2.1/wp-includes/media.php

        There are quite a few interesting WP functions for image handling. If you take a look at line 406 of that file, you’ll see there is a function called image_resize() which essentially replaces Timthumb’s image script. Here’s a snippet:

        /**
         * Scale down an image to fit a particular size and save a new copy of the image.
         *
         * The PNG transparency will be preserved using the function, as well as the
         * image type. If the file going in is PNG, then the resized image is going to
         * be PNG. The only supported image types are PNG, GIF, and JPEG.
         *
         * Some functionality requires API to exist, so some PHP version may lose out
         * support. This is not the fault of WordPress (where functionality is
         * downgraded, not actual defects), but of your PHP version.
         */
        image_resize( $file, $max_w, $max_h, $crop = false, $suffix = null, $dest_path = null, $jpeg_quality = 90 )

  6. I have had a client site get hacked, and as a designer (and not a code developer) I had no idea where to begin. The client called with the dreaded phone call intro… “uh, hey, can you take a look at my site… it’s not loading…”. I investigated, confirmed it was down, then tried to make heads or tails of where to begin. It felt like the house had burned down… all the women and children were freaking out and the men where left with hats in hands, unsure what to do. The damage was done.

    It took me a while to get the site back online, but it was akin to having to do my own arson investigation to realize a tiny, yet very serious wiring problem in one small appliance had a vulnerability. It was difficult to crack the case with no knowledge of this kind. But I had to do it so we wouldn’t rebuild the house and unknowingly repeat the same mistake.

    After this incident I’m still not a developer, but I know a few tricks more than I did before regarding backing up, exporting and restoring a WP site. Yet I still dread vulnerability stories like this one.

    Concluding thought:
    Rather than reading (the few) comments on here where people argue about the differences between wiring versus architecture, what would be a great benefit to this community would be perhaps some links to posts on how to improve one’s overall understanding of WP security. I tip my hat bigtime to those of you who code for a living, but I do not have the time to spend to learn to hardcore code like you guys do. I am very interested here in WP security (for the non-developer). It could be like teaching fire safety to kids and their parents in the hopes that the educational benefit will help prevent fire.

    So Ryan, when will the WP Security series begin here at WPCandy? It could start out as random articles, but over time perhaps as a body of posts could be organized into an ordered list of posts. I think there is a lot of potential here for attracting more people to this site (and the possible related benefaction). I would rather something like that than some of the alternatives, which can feel slimy, i.e. someone offering to sell bottles of water to the devastated women and children standing next to their burned out house.

    This is just an idea, and as George Carlin (RIP) said “I got a lot of good ideas. Problem is, most of ‘em suck.”

  7. I’m amazed that so many commercial theme companies included TimThumb without doing any sort of security audit on the code they were including. It seems like these issues could have been caught a long time ago and brought to the developers’ attention.

  8. Pingback: TimThumb, security, and the future of Portfolio Slideshow Pro - Raygun

  9. Pingback: New Stuff: 14 Themes, 9 Bits of News, 4 Coupons, 1 Giveaway and a Partridge in a Pear Tree | ThemeSorter Blog

  10. Pingback: TimThumb vulnerability? | AppThemes Forum

  11. Since timthumb.php can be included under different names, which string should I look for in *.php files to sweep a whole server for timthumb based scripts?!

    Moreover, any links on how to fix this vulnerability by directly editing timthumb.php?

    Thanks!
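Comment 11 asks which strings to search for when sweeping a server for renamed copies of timthumb.php, and the article notes that the attack drops PHP into the TimThumb cache directory. The POSIX shell sweep below is an added example, not from WPCandy or the TimThumb project; it assumes the marker strings “timthumb” (the script names itself in its own header comment) and “allowedsites” / “allowed_sites” (the remote-site allow list the article mentions), and a cache directory path supplied by the caller.

```shell
#!/bin/sh
# Added example (not from WPCandy or the TimThumb project): sweep a document
# root for renamed copies of timthumb.php and for cache files that carry PHP.
# Assumed marker strings: "timthumb" (present in the script's header comment)
# and "allowedsites" / "allowed_sites" (the remote-site allow-list variable).

# Print every *.php file under $1 that looks like a TimThumb copy, whatever
# its filename. Matching is case-insensitive; exit status is non-zero when
# nothing matches, so callers can use it as a yes/no check.
find_timthumb_copies() {
    find "$1" -type f -name '*.php' -exec grep -il \
        -e 'timthumb' -e 'allowedsites' -e 'allowed_sites' {} + 2>/dev/null
}

# Print every file under cache directory $1 that contains a PHP open tag.
# A legitimately cached image never contains "<?php"; any hit is a candidate
# dropped script that should be quarantined and examined, not served.
find_php_in_cache() {
    find "$1" -type f -exec grep -l '<?php' {} + 2>/dev/null
}

# Demo on a constructed tree so the script runs offline.
demo_root=$(mktemp -d)
theme="$demo_root/wp-content/themes/demo"
mkdir -p "$theme/cache"
cat > "$theme/thumb.php" <<'EOF'
<?php
// TimThumb script (constructed stand-in for a renamed copy)
$allowedSites = array('flickr.com');
EOF
printf '<?php\nfunction_exists("gd_info");\n' > "$theme/functions.php"
printf 'GIF89a' > "$theme/cache/ok.gif"
printf '<?php echo "constructed";\n' > "$theme/cache/bad.jpg"

echo "TimThumb copies:";   find_timthumb_copies "$demo_root"
echo "PHP in cache dir:";  find_php_in_cache "$theme/cache"
rm -rf "$demo_root"
```

Run it against the web root and each theme's cache directory; a hit in the second list is the stronger signal, since the first only says TimThumb is present, not that it has been abused.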

  12. Pingback: Web Downtime – Cause: Timthumb Vulnerability Scanning | Oikos

  13. It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  14. Yeah I just found out my server has been compromised. After further investigations, it was found that attackers got in through timthumb and took control of my server. Which resulted in hugeee bandwidth usage..3200GB in one day. There must be a way to secure it, I don’t know but my theme uses it.

  15. Pingback: True story: How website clutter can get your site hacked » ClickWP

  16. Pingback: 6 Wordpress Security Tips to Help You Sleep at Night | lukaspleva.com

  17. Pingback: Wordpress Users Beware | Life Out the Window

  18. Pingback: A plea to WordPress plugin developers | Barn2 Media

  19. Pingback: Configuring RoyalSlider for Retina | Matthew Happen
