TimThumb is a small PHP script for cropping, resizing and otherwise manipulating images on the web. Although WordPress has its own image manipulation capabilities, TimThumb remains very popular among free and premium WordPress theme developers. That may not last: an issue has been filed against TimThumb version 1.28 and trunk which, according to the report, gives an attacker shell access to the server hosting the script.
The cause appears to be the way TimThumb fetches remote images into its cache directory: the check that the remote host is one of its trusted image sites accepts a hostname such as blogger.com.example.com, which merely contains a trusted name, and whatever the remote server returns, even a PHP script, is written to the cache directory as-is. Here's a quote from the reporter:
Load the remote file http://blogger.com.example.com/attack.php so it gets stored in the cache dir. If attack.php is a hacker shell app like Alucar shell, you have access to the server with whatever privileges the web server account has, e.g. you can read /etc/passwd
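To make the failure mode concrete, here is an added example written for this post (it is not TimThumb's own code): a substring-based trusted-host check of the kind the reporter's URL defeats, beside a hardened check that parses the URL and compares the host exactly, plus a cache write that refuses anything PHP cannot decode as an image. The $allowedSites list, the function names and the cache-path handling are assumptions for illustration; TimThumb's real code differs in detail.

```php
<?php
// Added example, not TimThumb's code. $allowedSites, the function names and
// the cache layout are assumptions chosen to illustrate the bug class.

$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com', 'img.youtube.com');

// VULNERABLE: a trusted name appearing anywhere in the URL string counts as a
// trusted host, so "blogger.com.example.com" (or a query string containing
// "blogger.com") passes.
function is_allowed_substring($src, array $allowedSites) {
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($src), strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// HARDENED: parse the URL, require http(s), and accept only an exact match
// on the host or a real subdomain of an allowed domain.
function is_allowed_host($src, array $allowedSites) {
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['host'], $parts['scheme'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedSites as $site) {
        $site   = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Second line of defence: only keep fetched bytes in the cache if PHP's image
// parser accepts them, and derive the on-disk name and extension server-side
// instead of taking them from the request.
function store_in_cache($bytes, $cacheDir) {
    $tmp = tempnam($cacheDir, 'tt');
    file_put_contents($tmp, $bytes);
    $info = @getimagesize($tmp); // false unless the bytes decode as an image
    $ok   = $info !== false
         && in_array($info[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG), true);
    if (!$ok) {
        unlink($tmp);
        return false;
    }
    $dest = $cacheDir . '/' . sha1($bytes) . '.' . image_type_to_extension($info[2], false);
    rename($tmp, $dest);
    return $dest;
}

// Constructed sample inputs: the reporter's style of URL and a legitimate one.
$attack = 'http://blogger.com.example.com/attack.php';
$legit  = 'http://img.youtube.com/vi/abc/0.jpg';
var_dump(is_allowed_substring($attack, $allowedSites));
var_dump(is_allowed_host($attack, $allowedSites));
var_dump(is_allowed_host($legit, $allowedSites));
```

Run it with the php command-line interpreter. is_allowed_substring() returns true for http://blogger.com.example.com/attack.php because "blogger.com" occurs in the string; it would equally accept http://evil.example/x.php?blogger.com, since the match is not even restricted to the host part. is_allowed_host() rejects both and still accepts the img.youtube.com URL. Fixing the host check alone is not enough: a trusted site can be compromised or host user uploads, so store_in_cache() refuses bytes that do not decode as an image and never writes a request-controlled file name. Note that getimagesize() does not rule out polyglots (a valid GIF with PHP appended), so the controlled extension and a web-server rule that never executes PHP from the cache directory are what actually stop the shell from running.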
The #wordpress-dev channel had a short discussion about this yesterday, in which Otto mentioned that all versions are vulnerable. Andrew Nacin's response was:
I’m fine with taking down themes that use it now.
You can view the IRC logs if interested. This doesn't yet mean that all the themes have been taken down; a script to patch them all is being sought.
Meanwhile, we suggest theme developers look for a patch and update their themes as soon as possible, before their customers (or users) are affected. It's also worth notifying customers to update to the latest version, since some might not bother. And this doesn't affect WordPress themes only: any site that ships TimThumb is exposed, so watch out ;)
What are your thoughts on this security hole? Are you using TimThumb in your projects? Have you patched your theme and how did the upgrade go? Was your theme taken down from the WordPress.org repository? Share your thoughts in the comments section below or tip us about it via Twitter.
Updates on the issue
Update: (08/03) As Dion Hulse pointed out today, a lot of the themes are using much older versions of the script which are not vulnerable to this issue, but may have other bugs. This probably means that there won't be a major cleanup or lockdown of the WordPress.org repository. Still, if you use TimThumb you should double-check which version your theme ships.
Update: (08/03) As reported by WooThemes, the trunk version of TimThumb seems to fix the security issue. It's also likely that some of WooThemes' themes (or some versions of them) rely on the vulnerable version of TimThumb, which is why they strongly recommend upgrading. That was fast, good job WooThemes!
Update: (08/03) Seems like ThemeShift has been affected too. If you're using any of their themes (7 of them use TimThumb), follow their blog post to see whether yours is affected and how to fix it correctly. Good job ThemeShift!
Update: (08/03) Media Temple has released a security tip with a slick video and a clear explanation of the problem and the possible solutions. Well done!
Update: (08/03) Elegant Themes rolled out their TimThumb vulnerability & security update post a few hours ago. They seem to have abandoned TimThumb in favor of WordPress' native functionality, but some of their older themes (or versions of them) still use it.
Further reading and sources: