TimThumb is a small PHP script designed for cropping, zooming and otherwise manipulating images on the web. Although WordPress has its own image manipulation capabilities, TimThumb remains very popular among free and premium WordPress theme developers. That may not last: an issue has been filed for TimThumb version 1.28 and trunk which apparently gives an attacker shell access to the server hosting the script.
The cause seems to be the cache directory, where TimThumb stores any file it is asked to fetch, even when that file is not an image. Here’s a quote from the reporter:
Load remote file http://blogger.com.example.com/attack.php so it gets stored in cache dir. If attack.php is a hacker shell app like Alucar shell, you have access to the server with whatever privileges the web server account has. e.g. you can read /etc/passwd
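To make the two weaknesses in the report concrete, here is an added Python illustration (not TimThumb’s own code) of a loose host allowlist check that lets blogger.com.example.com through, beside a strict check and an image-signature gate that a fetched file should pass before anything is written to a cache directory. The allowlist, URLs and payloads below are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist, modelled on the kind of $allowedSites array TimThumb ships.
ALLOWED_SITES = ("flickr.com", "picasa.com", "img.youtube.com", "blogger.com")

# Leading bytes of the only image formats that should ever be cached.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def weak_host_allowed(url: str) -> bool:
    """Loose check: passes if the host merely starts with an allowed name.
    'blogger.com.example.com' slips through, which is the bypass quoted above."""
    host = host_of(url)
    return any(host.startswith(site) for site in ALLOWED_SITES)

def strict_host_allowed(url: str) -> bool:
    """Hardened check: exact match, or a subdomain separated by a real dot."""
    host = host_of(url)
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)

def looks_like_image(data: bytes) -> Optional[str]:
    """Image type if the payload begins with a known signature, else None.
    Anything else (e.g. PHP source) must never reach the cache directory."""
    for sig, kind in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return None

def safe_to_cache(url: str, data: bytes) -> bool:
    """Both gates must pass before a fetched remote file is stored."""
    return strict_host_allowed(url) and looks_like_image(data) is not None

if __name__ == "__main__":
    report_url = "http://blogger.com.example.com/attack.php"   # URL from the report
    photo_url = "http://farm1.flickr.com/photo.jpg"            # constructed sample
    not_an_image = b"<?php echo 'not an image'; ?>"            # constructed payload
    print("weak check passes bypass URL:", weak_host_allowed(report_url))    # True
    print("strict check passes bypass URL:", strict_host_allowed(report_url))  # False
    print("strict check passes real subdomain:", strict_host_allowed(photo_url))  # True
    print("PHP payload cacheable:", safe_to_cache(photo_url, not_an_image))  # False
```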
The #wordpress-dev channel had a short discussion about this yesterday, where Otto mentioned that all versions are vulnerable. Indeed, Andrew Nacin’s response was:
I’m fine with taking down themes that use it now.
You can view the IRC logs if you’re interested. This doesn’t yet mean that all the affected themes have been taken down, and a script that could patch them all is being looked for.
Meanwhile, we suggest that theme developers look for a patch and update their themes as soon as possible, before their customers (or users) are affected. It’s also worth notifying customers to update to the latest versions, since some might not bother. Oh, and this doesn’t affect WordPress themes only, so watch out ;)
What are your thoughts on this security hole? Are you using TimThumb in your projects? Have you patched your theme and how did the upgrade go? Was your theme taken down from the WordPress.org repository? Share your thoughts in the comments section below or tip us about it via Twitter.
Updates on the issue
Update: (08/03) As Dion Hulse pointed out today, a lot of the themes are using much older versions of the script which are not vulnerable, but might have other bugs and issues. This probably means that there won’t be a major cleanup or lockdown of the WordPress.org repository. Still, if you use TimThumb you should double-check your theme.
Update: (08/03) As reported by WooThemes, the trunk version of TimThumb seems to fix the security issue. It’s also likely that some of WooThemes’ themes (or some of their versions) rely on the vulnerable version of TimThumb, which is why they highly recommend upgrading. That was fast, good job WooThemes!
Update: (08/03) Seems like ThemeShift has been affected too. If you’re using any of their themes (7 of them use TimThumb) you should follow their blog post to see if yours was affected and the correct way to fix it. Good job ThemeShift!
Update: (08/03) Media Temple have released a security tip with a slick video and a great explanation about the problem and the possible solutions. Well done!
Update: (08/03) Elegant Themes rolled out their TimThumb vulnerability & security update post a few hours ago. Seems like they have abandoned TimThumb in favor of WordPress’ native functionality but some of their old themes (or their versions) are still using it.
Thanks for the update!
No problem Elliot, your comment went into spam for some reason, you might want to try using a different name next time ;) Just letting you know…
Considering how many themes I’ve used over the last few years that have included TimThumb, this post does not make me happy. Appreciate the information nonetheless.
Rebecca, not all versions of TimThumb were affected and it also seems like the current trunk version fixes the issue, so you might as well run a quick version check on your live websites. Thanks for your comment!
Pingback: Theme Updates Due to TimThumb Vulnerability → ThemeShift.com
The last version available here doesn’t seem to correct the problem https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php
// external domains that are allowed to be displayed on your website
$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);
is still available, watch out
Thanks for the heads up FxBe! We’ll keep watching that!
That piece of code is in no direct relation to the zero-day. The vulnerability revolved around the actual checking of whether the domain is one of the $allowedSites and the caching of dangerous filetypes. Trunk r143 (August 2nd) on line 668 added an additional check to the domain in order to circumvent the http://blogger.com.hacker.com bypass. You can view the commit here: http://code.google.com/p/timthumb/source/diff?spec=svn143&old=142&r=143&format=unidiff&path=%2Ftrunk%2Ftimthumb.php and before that r141 (July 29th) inserted mimetype checking code around line 704, that would not allow anything but jpg|jpeg|gif|png to be pulled in.
On another note, TimThumb has been rewritten by the original zero-day discovery author Mark Maunder as of r152 (August 5th, 2011) and is now referred to as TimThumb 2.0. r164 has // If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains. followed by the $allowedSites array (now called $ALLOWED_SITES) and the ALLOW_ALL_EXTERNAL_SITES is set to false by default.
So basically anything after r143 is considered to have overcome the original zero-day. But I still do recommend to always keep your plugins up to date with the trunk.
I was actually considering implementing this script for my site. Good thing I read this! Thanks Konstantin
Hey Sergiu, perfect timing, eh? You’re welcome and thanks for your comment!
If you use the allowedSites it isn’t possible to upload something external? Or am I wrong?
Seb, you’re right, that’s how it was intended to be, but the implementation was wrong afaik. If an external site was flickr.com, the check passed through flickr.com.yourown.domain.com, that’s the vulnerable part. Hopefully they’ve fixed it in the latest update.
There is absolutely nothing that TimThumb does that WordPress Post Thumbnails can’t do or replicate. Never really been a big fan of TimThumb nor ever implemented it in any of the Themes. With all due respect to the author of the script, I am going to stick with good old WordPress stuff.
Post Thumbnails exist since 2009 (version 2.9) and I really don’t get why anyone integrates things that already exist in WordPress? It’s not like Post Thumbnails are harder to work with or to add a support.
I remember back in 08-09 people complaining about issues with this; at that time it was a huge deal with hosting providers. For instance, with HostGator, in order to use TimThumb you had to whitelist your domain in the mod_security rules due to, well, security issues. And ever since, people just don’t listen I guess.
Once again I respect the author, just don’t like the script or anything else out there that could compromise sites :-)
Cheers,
Emil
Emil, thanks for your comment, you will hopefully love our follow-up post about images in WordPress ;)
I already loved it ;)
I’m about to buy some WP themes, how do I know which ones have TimThumb?
Michael, you should read the documentation, preferably the technical part, look at how thumbnails are created, read the FAQ and the forums if any, ask the seller directly. What kind of theme are you looking for? Here’s a business one that doesn’t use TimThumb ;) Cheers!
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
Chetan, there’s a great plugin by Alex Mills (Viper007Bond) called Regenerate Thumbnails which will fix all the image sizes currently in use. It can take quite some time though if you’ve got a lot of media and get ready for some intensive CPU work :)
Pingback: Tim Thumb — EugeneDunkley.com