WARNING: Zero Day Vulnerability Found on Timthumb.php


TimThumb Zero Day Vulnerability

A zero day vulnerability has recently been found in TimThumb, a popular image resizing script used by many WordPress themes. The issue was first discovered and reported by Mark Maunder after his blog was hacked through the timthumb.php script.

The TimThumb zero day vulnerability allows malicious users, hackers and other third parties to upload PHP code into the timthumb cache directory and have it executed. Once that code runs, the attacker can do whatever they want with the affected site or blog.

Recommended measures:

If You Use TimThumb
If your current WordPress theme uses timthumb.php, make sure that you update to the latest version of TimThumb and regularly check the official TimThumb site for updates and announcements.

Aside from updating the TimThumb file there’s another thing you need to do. Open the timthumb.php or thumb.php file in a text editor, look for the line that defines ALLOW_EXTERNAL and make sure its value is set to FALSE.

Once ALLOW_EXTERNAL is set to FALSE, the next thing to do is remove the domains inside the $allowedSites array so that remote file downloading is fully disabled:

Before

After

If You Do Not Use TimThumb
If you don’t use or need timthumb.php but have other WordPress themes stored in your wp-content/themes folder that use timthumb.php, it is recommended that you delete the timthumb.php or thumb.php file, or even the entire theme or plugin folder, from your web server.
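The following audit script is an added example (not code from the original post and not part of TimThumb itself) that ties the three steps above together: it finds every timthumb.php or thumb.php under a themes directory, reports the ALLOW_EXTERNAL value and the number of hosts still listed in $allowedSites, and writes a hardened copy with ALLOW_EXTERNAL forced to FALSE and the array emptied, leaving the original untouched so you can diff it first. The sample theme layout it builds in a temporary directory is constructed for the demonstration, the VERSION string in it is a placeholder rather than a real release number, and the script assumes the define()/$allowedSites line layout of the TimThumb 1.x files the post describes.

```shell
#!/bin/sh
# Added example, not part of the original post or of TimThumb itself.
# Audits copies of timthumb.php / thumb.php under a WordPress themes directory
# for the two settings the post tells you to change, and can write a hardened copy.

# Print the value of a define()'d constant ($2) from a TimThumb file ($1).
# Assumes the TimThumb 1.x layout:  define ('ALLOW_EXTERNAL', TRUE);
timthumb_define() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*'$2'[[:space:]]*,[[:space:]]*\([^)]*\)).*/\1/p" "$1" |
        head -n 1 | tr -d " '\""
}

# Count the quoted host entries inside the $allowedSites array of file $1.
timthumb_allowed_sites() {
    awk '
        /\$allowedSites[[:space:]]*=[[:space:]]*array/ { inarr = 1 }
        inarr { n += gsub(/'\''[^'\'']+'\''/, "&") }
        inarr && /\)[[:space:]]*;/ { inarr = 0 }
        END { print n + 0 }
    ' "$1"
}

# Report every timthumb.php / thumb.php under directory $1 (e.g. wp-content/themes),
# one line per copy ending in status=OK or status=UNSAFE.
audit_timthumb() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) | sort |
    while IFS= read -r f; do
        ver=$(timthumb_define "$f" VERSION)
        ext=$(timthumb_define "$f" ALLOW_EXTERNAL)
        sites=$(timthumb_allowed_sites "$f")
        status=OK
        case "$ext" in
            [Tt][Rr][Uu][Ee]) status=UNSAFE ;;       # remote fetching still enabled
        esac
        [ "$sites" -gt 0 ] && status=UNSAFE           # remote hosts still allowed
        printf '%s version=%s ALLOW_EXTERNAL=%s allowed_sites=%s status=%s\n' \
            "$f" "${ver:-unknown}" "${ext:-unset}" "$sites" "$status"
    done
}

# Number of copies under $1 that still need the changes described in the post.
timthumb_unsafe_count() {
    audit_timthumb "$1" | grep -c 'status=UNSAFE' || true
}

# Write a hardened copy of $1 to $2: ALLOW_EXTERNAL forced to FALSE and the
# $allowedSites array emptied. The original file is left untouched.
harden_timthumb() {
    awk '
        /^[[:space:]]*define[[:space:]]*\([[:space:]]*'\''ALLOW_EXTERNAL'\''/ {
            print "define ('\''ALLOW_EXTERNAL'\'', FALSE);"; next
        }
        /\$allowedSites[[:space:]]*=[[:space:]]*array/ {
            print "$allowedSites = array ();"
            if ($0 !~ /\)[[:space:]]*;/) skip = 1   # multi-line array: drop its entries
            next
        }
        skip { if ($0 ~ /\)[[:space:]]*;/) skip = 0; next }
        { print }
    ' "$1" > "$2"
}

# Constructed sample themes directory (not a real site): one theme still on the
# shipped defaults, one already hardened, one that does not use TimThumb at all.
# The VERSION string is a placeholder, not a real TimThumb release number.
make_sample_themes() {
    dir=$(mktemp -d)
    mkdir -p "$dir/old-theme" "$dir/fixed-theme" "$dir/plain-theme"
    cat > "$dir/old-theme/timthumb.php" <<'EOF'
<?php
define ('VERSION', '1.x-sample');
define ('ALLOW_EXTERNAL', TRUE);
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
);
EOF
    cat > "$dir/fixed-theme/thumb.php" <<'EOF'
<?php
define ('VERSION', '1.x-sample');
define ('ALLOW_EXTERNAL', FALSE);
$allowedSites = array ();
EOF
    : > "$dir/plain-theme/style.css"
    printf '%s\n' "$dir"
}

# Demonstration: audit the sample layout, then harden the vulnerable copy.
themes=$(make_sample_themes)
audit_timthumb "$themes"
harden_timthumb "$themes/old-theme/timthumb.php" "$themes/old-theme/timthumb.php.hardened"
echo "hardened copy: ALLOW_EXTERNAL=$(timthumb_define "$themes/old-theme/timthumb.php.hardened" ALLOW_EXTERNAL)" \
     "allowed_sites=$(timthumb_allowed_sites "$themes/old-theme/timthumb.php.hardened")"
rm -rf "$themes"
```

Run it against a real install as `audit_timthumb /path/to/wp-content/themes` after sourcing the functions; any line ending in status=UNSAFE is a copy that still fetches remote images and needs the edit (or, if the theme is unused, deletion). The hardened copy is written to a separate path on purpose: check the thumbnails still render from it before swapping it in, as the post's own upgrade note suggests.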

The theme I’m using here on JaypeeOnline, FreshNews by WooThemes, uses TimThumb. After reading about this vulnerability, I immediately removed the thumb.php file and replaced it with an updated one. I was worried that I was using a very old version of TimThumb and that upgrading might mess up my blog, but after the upgrade I checked all the thumbnails and everything seems to be working fine. I also removed everything related to the old version of TimThumb and cleared the cache.

If you want to know more about the TimThumb zero day vulnerability, how it was discovered and other additional info, check out Mark Maunder’s blog post.

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Google+, Facebook or Twitter.

7 Comments

  1. Jayr

    September 29, 2012 at 3:43 AM

    I already encountered this timthumb on my client’s WordPress website.

  2. Sourish @ Iphone 4 jailbreak

    August 7, 2011 at 4:18 PM

    Thanks for the update, I’m upgrading now.

  3. John Garrett

    August 4, 2011 at 3:53 PM

    Holy Hannah! My theme actually does use TimThumb so I’m off to update it right now. Good looking out man!

    • JP Habaradas

      August 5, 2011 at 10:40 AM

      @John – It’s good that you checked and found out your theme uses TimThumb. We really need to be careful these days as hackers and other malicious users are getting more clever and finding new ways to do their stuff. You’re welcome! Glad I could share this with you and other WordPress users.

      • Sourish @ Iphone 4 jailbreak

        August 9, 2011 at 6:07 PM

        I searched but didn’t find anything of that name. Nothing inside the theme folders. Are they somewhere else?

  4. jehzlau

    August 4, 2011 at 1:28 PM

    Good thing I don’t use timthumb. :)

    • JP Habaradas

      August 5, 2011 at 10:39 AM

      @jehzlau – Good for you. However, there are tons of WordPress themes out there (both free and premium) that use the TimThumb script and millions of users using those themes.
