Over the weekend a vulnerability was discovered in the TimThumb image resizing script. On Monday Mark Maunder, the CEO of Feedjit and the one who originally discovered the issue, blogged about his site becoming compromised and how he discovered TimThumb was the weakness that allowed it to happen. Since that blog post the issue has been confirmed by TimThumb’s creator and patches have been published in an attempt to fix the problem.
TimThumb is a script primarily used for on-the-fly resizing and cropping of images, though another feature allows images from remote websites to be fetched and cropped as well, storing them on the server. The list of allowed remote websites is listed within the plugin, and checked against any fetched files.
As John Ford explained on the VaultPress blog, TimThumb’s vulnerability “allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory.” Such a file would allow the attacker to further compromise the site in any way they chose. VaultPress further recommended deleting the TimThumb file from any sites that don’t explicitly require it, and updating it in cases where they do. Ford also recommended using built-in WordPress functions such as add_image_size to resize images, avoiding TimThumb entirely.
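The two checks a fetch-and-cache feature of this kind depends on, written out as an added example in plain PHP (this is not TimThumb’s code or a patch for it; the allowlist, the sample inputs and the hypothetical names $ALLOWED_HOSTS, is_allowed_remote_host(), safe_cache_name() and CACHE_HTACCESS are all constructed here):

```php
<?php
// Added example, not TimThumb's code. Hypothetical names: $ALLOWED_HOSTS,
// is_allowed_remote_host(), safe_cache_name(), CACHE_HTACCESS.

$ALLOWED_HOSTS = array( 'images.example.com', 'cdn.example.org' ); // constructed allowlist

// Allow a remote URL only when its parsed host matches an allowlist entry exactly.
// Matching on a substring or prefix would also accept unrelated hosts that merely
// contain an allowed name, so compare whole, lower-cased host names.
function is_allowed_remote_host( $url, array $allowed ) {
    $parts = parse_url( $url );
    if ( $parts === false || empty( $parts['host'] ) ) {
        return false;
    }
    $scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
    if ( $scheme !== 'http' && $scheme !== 'https' ) {
        return false;
    }
    return in_array( strtolower( $parts['host'] ), array_map( 'strtolower', $allowed ), true );
}

// Choose the cache file name from what the bytes actually are, never from the
// remote URL: getimagesizefromstring() only succeeds on real image data, and the
// extension written to disk comes from the detected type (PNG, GIF or JPEG).
function safe_cache_name( $url, $bytes ) {
    $info = @getimagesizefromstring( $bytes );
    if ( $info === false ) {
        return null; // not an image: nothing is written to the cache directory
    }
    $ext_by_type = array( IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png' );
    if ( ! isset( $ext_by_type[ $info[2] ] ) ) {
        return null;
    }
    return sha1( $url ) . '.' . $ext_by_type[ $info[2] ]; // opaque name, fixed image extension
}

// Defence in depth for the cache directory under Apache/mod_php: even if a
// non-image were ever written there, the server must not hand it to the PHP engine.
const CACHE_HTACCESS = "php_flag engine off\n<FilesMatch \"\\.(php|phtml|php[0-9])\$\">\nOrder deny,allow\nDeny from all\n</FilesMatch>\n";

// Constructed inputs: a 1x1 transparent GIF, and PHP source that is not an image.
$gif = base64_decode( 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7' );
$php = "<?php echo 'not an image';";
var_dump( is_allowed_remote_host( 'http://images.example.com/a.gif', $ALLOWED_HOSTS ) );
var_dump( is_allowed_remote_host( 'http://images.example.com.example.net/a.gif', $ALLOWED_HOSTS ) );
var_dump( safe_cache_name( 'http://images.example.com/a.gif', $gif ) );
var_dump( safe_cache_name( 'http://images.example.com/b.gif', $php ) );
```

Run with the PHP CLI (GD is needed for getimagesizefromstring()): the first host is accepted and the second refused because only a whole-host match counts, the GIF bytes get a .gif cache name, and the PHP source gets none. Writing CACHE_HTACCESS into the cache directory is the layer that matters if every other check is wrong.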
Sucuri Security’s David Dede echoed Ford’s statement, saying “if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.”
Sucuri also provided a list of a few dozen themes within the WordPress.org theme directory that are using the TimThumb script in some way. According to a chat in the wordpress-dev IRC channel yesterday, TimThumb may be explicitly restricted via the theme review guidelines soon. Authors of any compromised themes were going to be contacted, and if necessary, their themes updated by the team at WordPress.org.
TimThumb can be used in any PHP environment, on any content management system, though it is known for being extremely popular in commercial WordPress themes. As the news has spread this week a number of WordPress theme shops have responded.
WooThemes published instructions for updating the TimThumb scripts within their themes. Their themes were updated, though version numbers weren’t bumped. Graph Paper Press, ThemeShift, and ThemeLab have updated the versions of TimThumb within their themes as well. Elegant Themes has published updates to their themes to remove TimThumb from them entirely.
TimThumb was originally developed by a friend of Darren Hoyt’s named Tim, though development is currently run by WordPress developer Ben Gillbanks. Since the news of the vulnerability he has been working to update it via its Google Code project.
Security issues are never fun. Have you used TimThumb in a client’s project, or used it within a theme of your own? Have you spent any time this week updating sites to repair this vulnerability?
Glad, that i’m on safer side. Using Thesis and Genesis and they are unaffected.
Actually Thesis uses TimThumb (and a very old version at that). Check out this image on your website that I grabbed from your homepage. That’s TimThumb all the way (albeit renamed)
Yup, older versions of the Thesis theme used TimThumb. Being a WordPress theme developer, I had to strip those TimThumb functions from the client’s website and replace them with our own image generating function rtp_generate_thumbs(), which is a part of an awesome theme framework, rtpanel.
Whenever I read comments such as those by John Ford that developers should use the built in WP API there’s never any examples to back it up. In my experience (and I’m happy to be proven wrong) the in-built functions in WP only apply to the standard use-case (where images are displayed from a standard blog post) – but some websites need the ability to resize images on the fly, either because of many different variations in size or more likely because images are taken from those embedded in a page – more typical of a buddypress or MU environment. We don’t all use WP for blogging…
Could you either avoid perpetrating the illusion of WP’s infinite dexterity or illustrate such claims with a few examples, as I imagine anyone new to WP must be thoroughly confused…
Mark Jaquith has a nice post from back at 2.9 that goes over a number of ways to use the built-in functions. I’ve used his examples to have a number of thumbnail sizes that, for my own use cases (dating back to freelance client work), has never fallen short of what I wanted to achieve.
I read Ford’s and Dede’s comments to be more about the relative safety of functions than about the functionality itself. Any time something foreign or third party is introduced, you have to weigh the cost/benefit of what you’re getting.
Thanks Ryan, I was aware of post_thumbnails but haven’t used them in most of our sites because it depends on creating these images at the time they are ‘originally’ uploaded.
In all due respect to those developers who claim to have a robust solution (without using timthumb), in the 14 comments on this post so far nobody has actually said *how* they perform dynamic image resizing – all I ever hear is “..I’ve got a solution…” without seeing any concrete examples.
I can appreciate that some of the commenters are commercial theme developers who’d like to reserve a little bit of IP that differentiates their themes from competitor offerings, but this ‘issue’ is so widespread that it surely transcends the boundaries of commercial gain.
Don’t take the criticism personally, I’m just curious as to why I’ve never come across a tutorial or discussion which explores the topic of dynamic image resizing using WP core functionality…
To overcome that problem, you have the option to use a very simple plugin called Regenerate Thumbnails for any of your images uploaded in the past! — And to answer your second point, there are quite a number of places to visit for information on using the built-in WordPress function!
As I said I am well aware of how post_thumbnails work and the availability of the ‘Regenerate Thumbnails’ plugin – none of these answer the point I raised.
Many developers have concluded that a dynamic real-time script such as timthumb offers the best solution (myself included) – even Mark Jaquith’s tutorial acknowledges that being able to resize on the fly would be a useful feature to ‘add’ to the inbuilt post_thumbnail function.
It still seems that most people advocating a pure-WP solution are assuming a linear publishing model and fail to understand the wider usage of WordPress as a CMS platform..
Just to add to the comment about Mark Jaquith talking about being able to dynamically resize images. He did actually contact me over a year ago to talk about TimThumb and how similar technologies could be used in WordPress, however it seems nothing ever came of it.
There are many limitations with using add_image_size as this feature is only for Post Thumbnails. We use TimThumb on our themes as it can re-size on the fly any image to any dimension, also if you need to add more than 1 featured image per post you can run into a problem there as well using the native resizer.
We like the idea of using the WordPress native resizer but because of the limitations we cannot for our themes.
It would be great if the features that TimThumb is capable of could be brought over to WordPress Core.
I’m sure patches would be more than welcome, although, similar to what Ryan said in reply to Steve above, are any of your limitations possibly addressed within the post and/or comments?
There are no limitations with WP images resizing support. I use it with my xScape Theme Framework and it works great if used properly. Pixel precise resizing is not an issue and it doesn’t require add_image_size function at all.
I agree with @Adam about that.
The add_image_size has many limitations as he wrote. More than that, using it will increase storage size in many cases, since add_image_size will crop any image that is being uploaded to the media library to all sizes, which in many cases is not needed.
TimThumb is a very important and useful script, I hope that the fixes to the script are now minimizing risks of vulnerability.
Thanks for your post.
WP has everything you need to resize images and not to be slowed down by TimThumb. If you use WP functions for this as they are intended, you can do pretty much anything with image resizing and even save some server processing time since you will not need to use TimThumb that for each displayed image needs to use PHP to get it from cache or resize it on the fly.
My xScape Theme Framework has full support for WP resizing and image manipulation built in, and it works great. TimThumb is not needed and shouldn’t be used at all. I know that it is easier to use it than to write a bit more code that uses WP native image support, but trust me, it’s worth it.
Yeah, I’m guessing developers that “need” TimThumb just don’t understand all the cool image features WP has added in the past few versions. Maybe a tutorial is in order??
- How would you avoid creating each uploaded image in all image_sizes, if not needed? There might be images that you won’t need in all sizes; in a site that has a lot of images, it can really increase storage without actual need.
- How would you create sizes of images that needed to be created *after* an image already been uploaded to the library?
Please give a concrete example, if you believe WP has “everything” that is needed for every scenario there could be. WP is great and has a lot inside, yet it’s not perfect. No CMS is.
Don’t confuse theme development with plugin development.
And, don’t put words into my mouth.
But, if you really want me to, I’ll open up a slot in my upcoming work schedule. I’ll gladly take a job building those plugins for you.
To my knowledge, the_post_thumbnail() can resize images on the fly if you pass the size as an argument inside the_post_thumbnail() rather than using a preset image size registered with add_image_size(). Please correct me if I’m wrong there. The only thing I know it doesn’t offer is a way to crop from the top of the image (rather than the center) and to sharpen images that are resized. In my opinion, adding those two options would be extremely useful.
Off topic but related: One plugin that I use A LOT for adding multiple post images is the Multiple Post Thumbnails plugin which gives developers a simple way to add support for extra post images when you require different images for different uses.
That’s very interesting to hear – I will have to read up on that as it could solve many things.
As far as I was aware the_post_thumbnail allows you to request any size and then sends you back an image element containing a larger image with width and height set to your specified sizes. Perhaps I misunderstood though and will need to read up on things to see for sure.
If you take a look here:
http://core.trac.wordpress.org/browser/tags/3.2.1/wp-includes/media.php
There are quite a few interesting WP functions for image handling. If you take a look at line 406 of that file, you’ll see there is a function called image_resize() which essentially replaces Timthumb’s image script. Here’s a snippet:
/**
 * Scale down an image to fit a particular size and save a new copy of the image.
 *
 * The PNG transparency will be preserved using the function, as well as the
 * image type. If the file going in is PNG, then the resized image is going to
 * be PNG. The only supported image types are PNG, GIF, and JPEG.
 *
 * Some functionality requires API to exist, so some PHP version may lose out
 * support. This is not the fault of WordPress (where functionality is
 * downgraded, not actual defects), but of your PHP version.
 */
image_resize( $file, $max_w, $max_h, $crop = false, $suffix = null, $dest_path = null, $jpeg_quality = 90 )
I had switched all my themes from TimThumb to WPThumb a while back, easier to use (and no multisite drama), implement from here:
https://github.com/humanmade/WPThumb
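A concrete version of the on-demand resizing that the image_resize() snippet above points at, and that the earlier comments ask for (any size, decided at render time, for images uploaded long ago), added here as an example that is neither the commenter’s code, WordPress core, nor WPThumb. It assumes it runs inside a loaded WordPress 3.x where image_resize() exists with the signature quoted above (wp_get_image_editor() supersedes it from 3.5), and wpc_dynamic_thumb() is a hypothetical helper name:

```php
<?php
// Added example: on-demand resizing with WordPress's own image_resize().
// Assumes a loaded WordPress 3.x (image_resize() exists; wp_get_image_editor()
// replaces it from 3.5). wpc_dynamic_thumb() is a hypothetical helper name.

// Return the URL of attachment $attachment_id resized to $width x $height,
// generating the file on first use and reusing it afterwards. Sizes come from
// theme code, never from request parameters, so a visitor cannot make the server
// generate arbitrary variants.
function wpc_dynamic_thumb( $attachment_id, $width, $height, $crop = true ) {
    $file = get_attached_file( $attachment_id ); // absolute path of the original
    if ( ! $file || ! file_exists( $file ) ) {
        return false;
    }
    $width  = (int) $width;
    $height = (int) $height;
    $suffix = "{$width}x{$height}" . ( $crop ? 'c' : '' );

    // image_resize() writes <name>-<suffix>.<ext> beside the original, keeping
    // GIF/PNG as-is and converting everything else to .jpg; predict that name so
    // a cached copy can be served without touching GD again.
    $info = pathinfo( $file );
    $size = @getimagesize( $file );
    $keep = $size && in_array( $size[2], array( IMAGETYPE_GIF, IMAGETYPE_PNG ), true );
    $ext  = $keep ? $info['extension'] : 'jpg';
    $dest = "{$info['dirname']}/{$info['filename']}-{$suffix}.{$ext}";

    if ( ! file_exists( $dest ) ) {
        $result = image_resize( $file, $width, $height, $crop, $suffix, null, 90 );
        if ( is_wp_error( $result ) ) {
            // Original already fits the box, or could not be read: serve it unchanged.
            return wp_get_attachment_url( $attachment_id );
        }
        $dest = $result;
    }

    // Map the filesystem path back to its URL inside the uploads directory.
    $uploads = wp_upload_dir();
    return str_replace( $uploads['basedir'], $uploads['baseurl'], $dest );
}

// Theme usage, inside the loop: the size is decided at render time and built once.
// echo '<img src="' . esc_url( wpc_dynamic_thumb( get_post_thumbnail_id(), 300, 200 ) ) . '" alt="">';
```

The resized copy lands in the uploads directory next to the original, which only ever holds files WordPress itself wrote from an image it already decoded, so there is no remote fetch, no URL-derived file name, and no separate cache directory to lock down. Generated variants are not tracked in attachment metadata, so a theme that uses this should also remove them when the attachment is deleted.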
We check WPThumb for our themes. Thanks.
I have had a client site get hacked, and as a designer (and not a code developer) I had no idea where to begin. The client called with the dreaded phone call intro… “uh, hey, can you take a look at my site… it’s not loading…”. I investigated, confirmed it was down, then tried to make heads or tails of where to begin. It felt like the house had burned down… all the women and children were freaking out and the men were left with hats in hands, unsure what to do. The damage was done.
It took me a while to get the site back online, but it was akin to having to do my own arson investigation to realize a tiny, yet very serious wiring problem in one small appliance had a vulnerability. It was difficult to crack the case with no knowledge of this kind. But I had to do it so we wouldn’t rebuild the house and unknowingly repeat the same mistake.
After this incident I’m still not a developer, but I know a few tricks more than I did before regarding backing up, exporting and restoring a WP site. Yet I still dread vulnerability stories like this one.
Concluding thought:
Rather than reading (the few) comments on here where people argue about the differences between wiring versus architecture, what would be a great benefit to this community would be perhaps some links to posts on how to improve ones overall understanding of WP security. I tip my hat bigtime to those of you who code for a living, but I do not have the time to spend to learn to hardcore code like you guys do. I am very interested here in WP security (for the non-developer). It could be like teaching fire safety to kids and their parents in the hopes that the educational benefit will help prevent fire.
So Ryan, when will the WP Security series begin here at WP candy? It could start out as random articles, but over time perhaps as a body of posts could be organized into an ordered list of posts. I think there is a lot of potential here for attracting more people to this site (and the possible related benefaction). I would rather something like that than some of the alternatives, which can feel slimy. IE: someone offering to sell bottles of water to the devastated women and children standing next to their burned out house.
This is just an idea, and as George Carlin (RIP) said “I got a lot of good ideas. Problem is, most of ‘em suck.”
For WP Security you can start from my 6 parts guide:
http://www.dev4press.com/2010/blog/general/ultimate-guide-to-wordpress-security/
Milan,
This looks good. I am reading the first article now. Thanks for posting this! It’s very helpful to get a 50,000 foot view of the overall issue, then be given specifics to dive into and understand from there. Anyone else who reads this… Milan appears to have a nicely formatted security series here.
Thanks again
Thanks, and if you need some additional questions, leave the comment, and I can even write more articles to expand on the issues. Security is becoming more and more important and there is not enough help for all the potential problems that can happen.
@TheEagle:
Great analogy. Dealing with a hacked site also feels like coming home to a ransacked house.
If you find you need to get even deeper into security, I came across a review of a WP security book that looks good: http://www.mauiwp.com/wordpress-3-ultimate-security-book-review/
I’m amazed that so many commercial theme companies included TimThumb without doing any sort of security audit on the code they were including. It seems like these issues could have been caught a long time ago and brought to the developers attention.
That’s an excellent point.
Typically developers do that because they figure if it is so wildly popular – it must be secure. I’m actually surprised it took so long to expose that particular vulnerability. Seemed pretty obvious once you look at how Timthumb works.
Pingback: TimThumb, security, and the future of Portfolio Slideshow Pro - Raygun
Pingback: New Stuff: 14 Themes, 9 Bits of News, 4 Coupons, 1 Giveaway and a Partridge in a Pear Tree | ThemeSorter Blog
Pingback: TimThumb vulnerability? | AppThemes Forum
Since timthumb.php can be included under different names, which string should I look for in *.php files to sweep a whole server for timthumb based scripts?!
Moreover, any links on how to fix this vulnerability by directly editing timthumb.php?
Thanks!
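One way to run that sweep, as an added example in PHP that comes neither from the article nor from TimThumb’s maintainers. It assumes that every copy keeps the word “TimThumb” in its header comment and declares its version with a define('VERSION', ...) line (both assumptions about the script, not facts stated above), and find_timthumb_copies() is a hypothetical helper name; the sample files it scans are constructed in a temporary directory:

```php
<?php
// Added example, not from the article. Assumptions: renamed TimThumb copies still
// contain the string "TimThumb" near the top and a define('VERSION', '...') line.
// find_timthumb_copies() is a hypothetical helper name.

// Walk $root and return path => reported version for every .php file that looks
// like a TimThumb copy, whatever it has been renamed to.
function find_timthumb_copies( $root ) {
    $hits = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $path => $entry ) {
        if ( ! $entry->isFile() || strtolower( $entry->getExtension() ) !== 'php' ) {
            continue;
        }
        // The header comment and the VERSION define sit at the top of the script,
        // so reading the first 8 KB is enough and keeps the sweep cheap.
        $head = file_get_contents( $path, false, null, 0, 8192 );
        if ( $head === false || stripos( $head, 'timthumb' ) === false ) {
            continue;
        }
        $version = 'unknown';
        if ( preg_match( '/define\s*\(\s*[\'"]VERSION[\'"]\s*,\s*[\'"]([^\'"]+)[\'"]/i', $head, $m ) ) {
            $version = $m[1];
        }
        $hits[ $path ] = $version;
    }
    ksort( $hits );
    return $hits;
}

// Constructed sample tree: one renamed copy and one ordinary theme file.
$dir = sys_get_temp_dir() . '/tt-scan-' . getmypid();
mkdir( "$dir/theme/lib", 0700, true );
file_put_contents( "$dir/theme/lib/thumb.php", "<?php\n/* TimThumb script, renamed */\ndefine ('VERSION', '1.26');\n" );
file_put_contents( "$dir/theme/functions.php", "<?php\n// ordinary theme file\n" );

print_r( find_timthumb_copies( $dir ) );

// Remove the constructed tree again.
unlink( "$dir/theme/lib/thumb.php" );
unlink( "$dir/theme/functions.php" );
rmdir( "$dir/theme/lib" );
rmdir( "$dir/theme" );
rmdir( $dir );
```

Point find_timthumb_copies() at the web root (for a WordPress host, wp-content is where theme and plugin copies live) and compare each reported version with the current release; a hit with version “unknown” still deserves a manual look, since the match on the name is the stronger signal. Because the sweep reads only the first 8 KB of each file, a copy whose header comment was stripped will not be found, so treat an empty result as a reason to also check the cache directories themselves.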
here is the fix: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
Just update to the latest version of TimThumb – it has all the fixes and more implemented
Pingback: Web Downtime – Cause: Timthumb Vulnerability Scanning | Oikos
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
I don’t know how to say thanks… I have installed the TimThumb scanner and removed the outdated plugin. Great article…
Wow, many thanks for this article and these posts!
I think you all avoided me a huge headache down the line.
Thanks again!
Richard.
Yeah I just found out my server has been compromised. After further investigations, it was found that attackers got in through timthumb and took control of my server. Which resulted in hugeee bandwidth usage..3200GB in one day. There must be a way to secure it, I don’t know but my theme uses it.
Pingback: True story: How website clutter can get your site hacked » ClickWP
Pingback: 6 Wordpress Security Tips to Help You Sleep at Night | lukaspleva.com
Pingback: Wordpress Users Beware | Life Out the Window
Pingback: A plea to WordPress plugin developers | Barn2 Media
Pingback: Configuring RoyalSlider for Retina | Matthew Happen