Peter Butler, WordPress developer and the mind behind the security monitoring service Code Garage, has released a plugin that searches a site for any vulnerable copy of TimThumb. If you wish (and you should), Butler’s plugin also offers a one-click option to upgrade the outdated copy.
The TimThumb vulnerability was news over a month ago now, and was called “the security event of the year” by Matt Mullenweg in his State of the Word keynote this year. In other words, you should fix this problem if you still have it.
Butler explained to WPCandy that he developed and released the plugin because he can’t help everyone who has been contacting him about the problem:
I literally don’t have enough time in the day to clean up all the hacked sites people are sending my way over the past couple of weeks, and the vast majority of them have happened because of the TimThumb exploit.
When I tell people why their sites got hacked, many of them have even heard about the vulnerability, but just assumed the risk was small, or decided they couldn’t figure out how to fix it themselves (which is ludicrous, because it’s so easy).
As a result, his TimThumb Vulnerability Scanner plugin is now available in the WordPress.org plugin directory. Butler also recorded a quick screencast for the plugin which you can watch just after the jump.
Last week we reported that Mark Maunder, the developer who discovered the security issue in TimThumb, had forked TimThumb into WordThumb in the hope of fixing the problems found in TimThumb. Shortly after forking the project he decided to move the work back into TimThumb, making TimThumb 2.0 a collaborative project between him and Ben Gillbanks.
Maunder says he was convinced to merge the project back into TimThumb by Matt Mullenweg. Mullenweg commented on the events on his blog, saying “the incident brought out the best in the community” and the merging of the projects is “a collaboration that exemplifies Open Source at its finest.”
Mullenweg’s backup service VaultPress took the initiative last week to fix over 700 of its users’ compromised websites running the TimThumb script, emailing the affected users to notify them of the updates.
Mark Maunder, the developer who discovered and blogged about the TimThumb vulnerability, has done a full rewrite of TimThumb himself and forked it as WordThumb on Google Code. Everything except the original TimThumb image processing has been rewritten, Maunder says.
The full list of changes has been posted to Maunder’s blog; among them, WordThumb is backward compatible with TimThumb’s options, so switching to it from TimThumb is straightforward. Overall, Maunder is attempting to further secure, and generally improve, Ben Gillbanks’s TimThumb script.
Will you try out the newly available WordThumb? Do you think those who have used TimThumb in the past, particularly WordPress theme developers, will consider WordThumb now and make the swap?
Over the weekend a vulnerability was discovered in the TimThumb image resizing script. On Monday Mark Maunder, the CEO of Feedjit and the one who originally discovered the issue, blogged about his site becoming compromised and how he discovered TimThumb was the weakness that allowed it to happen. Since that blog post the issue has been confirmed by TimThumb’s creator and patches have been published in an attempt to fix the problem.
TimThumb is a script primarily used for on-the-fly resizing and cropping of images, though another feature lets it fetch images from remote websites, crop them, and store the result on the server. The list of allowed remote websites is defined inside the script itself, and each remote fetch request is checked against that list.
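The remote-fetch allowlist is where the security of such a script lives, so it is worth seeing what a host check must and must not do. The following is an added illustration, not TimThumb’s code: the first function shows the weak pattern of accepting a host whenever an allowed name appears anywhere inside it, the second an exact or subdomain match, and the third a cache write that never trusts the URL for the file’s type. The `$allowedSites` array, the directory name and the example URLs are assumptions made for the demonstration.

```php
<?php
// Added example (not TimThumb's code). $allowedSites is a hypothetical
// configuration list, as a script like this would carry.
$allowedSites = ['flickr.com', 'picasa.com', 'img.youtube.com'];

// WEAK: an allowed name appearing *anywhere* in the host is accepted, so a
// host such as flickr.com.attacker.example (attacker-controlled, constructed
// here) passes and the script fetches whatever that server returns.
function host_allowed_by_substring(string $url, array $allowedSites): bool {
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($allowedSites as $site) {
        if (strpos($host, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// HARDENED: scheme must be http(s); host must equal an allowed name or end
// with ".<allowed name>", so only real subdomains of the listed sites match.
function host_allowed_exact(string $url, array $allowedSites): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site || str_ends_with($host, '.' . $site)) {
            return true;
        }
    }
    return false;
}

// Only store bytes that decode as an image, under a content-hash name whose
// extension comes from the detected type, never from the requested URL.
function cache_remote_image(string $bytes, string $cacheDir): ?string {
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        return null;                                   // not an image: write nothing
    }
    $ext = image_type_to_extension($info[2], false);   // e.g. "jpeg", "png", "gif"
    if (!in_array($ext, ['jpeg', 'png', 'gif'], true)) {
        return null;
    }
    $name = $cacheDir . '/' . hash('sha256', $bytes) . '.' . $ext;
    file_put_contents($name, $bytes);
    return $name;
}

// Constructed inputs for comparison: the first URL is accepted by the weak
// check and rejected by the hardened one; the second is accepted by both.
var_dump(host_allowed_by_substring('http://flickr.com.attacker.example/x.php', $allowedSites));
var_dump(host_allowed_exact('http://flickr.com.attacker.example/x.php', $allowedSites));
var_dump(host_allowed_exact('https://farm1.flickr.com/photo.jpg', $allowedSites));
```

One caveat a practitioner should keep in mind: `getimagesizefromstring` only checks that the data begins with a valid image header, so a file that is a real image with PHP appended still passes. The hardened write above therefore also relies on the cache directory being served with PHP execution disabled; the host check and the type check reduce what an attacker can get written, but it is the server configuration that prevents a cached file from ever running.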
As John Ford explained on the VaultPress blog, TimThumb’s vulnerability “allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory.” Such a file gives the attacker a foothold from which to compromise the rest of the site. VaultPress recommended deleting the TimThumb file from any site that does not explicitly require it, and updating it where a site does. Ford also recommended using built-in WordPress functions such as add_image_size to resize images, avoiding TimThumb entirely.
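For theme developers weighing Ford’s advice, here is what the WordPress-native route looks like. This is an added example, not code from the article or from VaultPress: it registers a named image size in a theme’s functions.php so WordPress generates the cropped copy at upload time, and shows the two ways a template then asks for it. The size name `wpcandy-teaser`, its dimensions and the helper function name are assumptions.

```php
<?php
// Added example (not the article's or VaultPress's code). Belongs in the
// theme's functions.php. Size name and dimensions are assumed values.
add_action('after_setup_theme', function () {
    add_theme_support('post-thumbnails');
    // name, width, height, hard crop (true) rather than proportional scaling.
    // WordPress writes this copy into the media library on upload, so no
    // request-time resizing script and no remote fetch are involved.
    add_image_size('wpcandy-teaser', 300, 200, true);
});

// In a template: output the post's featured image at the registered size.
// This replaces a call like <img src="timthumb.php?src=...&w=300&h=200">.
function wpcandy_the_teaser_image(): void {
    if (has_post_thumbnail()) {
        the_post_thumbnail('wpcandy-teaser');
    }
}

// Or resolve the URL of any attachment at that size, e.g. for a background
// image. wp_get_attachment_image_src returns [url, width, height, is_resized]
// or false if the attachment does not exist.
function wpcandy_teaser_src(int $attachment_id): ?string {
    $img = wp_get_attachment_image_src($attachment_id, 'wpcandy-teaser');
    return $img ? $img[0] : null;
}
```

Two things to know before swapping this in: a size registered with add_image_size is only generated for images uploaded after the registration, so an existing media library needs its thumbnails regenerated (a regenerate-thumbnails plugin does this in bulk); and the functions operate on the local media library only, which is precisely why they have no remote-fetch surface to expose.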