Over the weekend a vulnerability was discovered in the TimThumb image resizing script. On Monday Mark Maunder, the CEO of Feedjit and the one who originally discovered the issue, blogged about his site becoming compromised and how he discovered TimThumb was the weakness that allowed it to happen. Since that blog post the issue has been confirmed by TimThumb’s creator and patches have been published in an attempt to fix the problem.
TimThumb is a script primarily used for on-the-fly resizing and cropping of images, though another feature allows images from remote websites to be fetched and cropped as well, storing them on the server. The list of allowed remote websites is defined within the script, and any fetched file is checked against it.
As John Ford explained on the VaultPress blog, TimThumb’s vulnerability “allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory.” Such a file would let the attacker compromise the site further in any way they chose. VaultPress further recommended deleting the TimThumb file from any sites that don’t explicitly require it, and updating it in cases where they do. Ford also recommended using built-in WordPress functions such as add_image_size to resize images, avoiding TimThumb entirely.
Sucuri Security’s David Dede echoed Ford’s statement, saying “if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.”
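The replacement Ford and Dede recommend, as an added example that is not code from the article or from any of the theme shops it mentions: a theme registers named image sizes with add_image_size so WordPress generates cropped copies at upload time, and templates request those sizes instead of passing a source URL, width and height to timthumb.php at request time. The size names, the helper function and its name are this example’s own choices.

```php
<?php
// functions.php of a theme. Named sizes replace request-time resizing by
// timthumb.php?src=...&w=...&h=...: WordPress creates the cropped files
// when an image is uploaded, so no resizer script is exposed on the site.
function example_register_image_sizes() {
    add_theme_support( 'post-thumbnails' );
    // add_image_size( $name, $width, $height, $crop ); $crop = true
    // hard-crops to the exact dimensions, like TimThumb's zoom-crop mode.
    add_image_size( 'featured-wide', 960, 400, true );
    add_image_size( 'grid-thumb',    300, 200, true );
}
add_action( 'after_setup_theme', 'example_register_image_sizes' );

// Template helper (hypothetical name): URL of a registered size for a
// post's featured image, or '' if the post has no image or the size is
// not available for that attachment.
function example_featured_image_url( $post_id, $size ) {
    $attachment_id = get_post_thumbnail_id( $post_id );
    if ( ! $attachment_id ) {
        return '';
    }
    $img = wp_get_attachment_image_src( $attachment_id, $size );
    return $img ? $img[0] : '';
}

// In a template, inside the loop, either of these replaces a TimThumb call:
//
//   <?php if ( has_post_thumbnail() ) the_post_thumbnail( 'grid-thumb' ); ?>
//
//   <img src="<?php echo esc_url( example_featured_image_url( get_the_ID(), 'featured-wide' ) ); ?>" alt="">
```

Because the copies are created at upload time, images uploaded before a size was registered need their thumbnails regenerated before the new size is available.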
Sucuri also provided a list of a few dozen themes within the WordPress.org theme directory that use the TimThumb script in some way. According to a chat in the wordpress-dev IRC channel yesterday, TimThumb may be explicitly restricted via the theme review guidelines soon. Authors of any affected themes were going to be contacted, and if necessary, their themes updated by the team at WordPress.org.
TimThumb can be used in any PHP environment, on any content management system, though it is known for being extremely popular in commercial WordPress themes. As the news has spread this week a number of WordPress theme shops have responded.
WooThemes published instructions for updating the TimThumb scripts within their themes. Their themes were updated, though version numbers weren’t bumped. Graph Paper Press, ThemeShift, and ThemeLab have updated the versions of TimThumb within their themes as well. Elegant Themes has published updates to their themes to remove TimThumb from them entirely.
TimThumb was originally developed by a friend of Darren Hoyt’s named Tim, though development is currently run by WordPress developer Ben Gillbanks. Since the news of the vulnerability he has been working to update it via its Google Code project.
Security issues are never fun. Have you used TimThumb in a client’s project, or used it within a theme of your own? Have you spent any time this week updating sites to repair this vulnerability?