TimThumb Zero Day Vulnerability

A zero day vulnerability has been recently found on TimThumb, a popular image resizing utility widely used in a lot of WordPress themes. This issue was first discovered and reported by Mark Maunder after his blog got hacked via the timthumb.php file/script.

The zero day vulnerability allows malicious users, hackers and other third parties to upload PHP code into the TimThumb cache directory and have it run. Once that uploaded code executes, the attacker can do whatever they want with the affected site or blog.

Recommended measures:

If You Use TimThumb
If your current WordPress theme is using timthumb.php, make sure that you update to the latest version and regularly check the official site for updates and announcements.

Aside from updating the TimThumb file there’s another thing you need to do. Open up the timthumb.php or thumb.php file with a text editor, look for the line that defines ALLOW_EXTERNAL and make sure that its value is set to FALSE:

define ('ALLOW_EXTERNAL', FALSE);

Once ALLOW_EXTERNAL is set to FALSE, the next thing to do is to remove the domains inside the $allowedSites array to ensure that remote file downloading is disabled:

Before
$allowedSites = array (
'flickr.com',
'picasa.com',
'img.youtube.com',
);

After
$allowedSites = array ();

If You Do Not Use TimThumb
If you don’t use or need timthumb.php but have other WordPress themes stored in your wp-content/themes folder that use timthumb.php, it is recommended that the timthumb.php or thumb.php file, or even the entire theme or plugin folder, be deleted/removed from your web server.
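To check every copy at once, here is an added example (my own script, not code from the post or from TimThumb): it walks a wp-content tree, finds each timthumb.php or thumb.php, and reports whether ALLOW_EXTERNAL is still TRUE, whether $allowedSites still lists domains, or whether the file is too old to define the constant at all. The sample theme files it scans are constructed inline, and the status labels are my own.

```python
import os
import re
import tempfile

# Constructed samples (not from the post): unpatched, half-fixed and hardened copies.
SAMPLES = {
    "themes/oldtheme/thumb.php": "<?php\ndefine ('ALLOW_EXTERNAL', TRUE);\n"
        "$allowedSites = array (\n'flickr.com',\n'picasa.com',\n'img.youtube.com',\n);\n",
    "themes/halfdone/timthumb.php": "<?php\ndefine ('ALLOW_EXTERNAL', FALSE);\n"
        "$allowedSites = array ('flickr.com');\n",
    "themes/fixed/timthumb.php": "<?php\ndefine ('ALLOW_EXTERNAL', FALSE);\n"
        "$allowedSites = array ();\n",
}
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
ALLOW_EXTERNAL_RE = re.compile(r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(TRUE|FALSE)\s*\)", re.I)
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)
SITE_RE = re.compile(r"['\"]([^'\"]+)['\"]")

def audit_file(path):
    # Check one TimThumb copy for the two settings the post tells you to fix.
    src = open(path, encoding="utf-8", errors="replace").read()
    m = ALLOW_EXTERNAL_RE.search(src)
    allow_external = None if m is None else m.group(1).upper() == "TRUE"
    m = ALLOWED_SITES_RE.search(src)
    sites = SITE_RE.findall(m.group(1)) if m else []
    # No define at all means a copy too old to have it: replace the file outright.
    status = ("old-version" if allow_external is None else
              "external-enabled" if allow_external else   # remote fetching still on
              "sites-listed" if sites else "ok")          # FALSE, but domains left in
    return {"allow_external": allow_external, "allowed_sites": sites, "status": status}

def audit_tree(root):
    # Walk a wp-content tree and audit every timthumb.php / thumb.php found in it.
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TIMTHUMB_NAMES:
                full = os.path.join(dirpath, name)
                findings[os.path.relpath(full, root)] = audit_file(full)
    return findings

def build_sample_install():
    # Write SAMPLES into a temp directory (stand-in for wp-content) and return it.
    root = tempfile.mkdtemp()
    for rel, body in SAMPLES.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point audit_tree at your real wp-content directory instead of build_sample_install() to audit a live install; anything not reported as "ok" needs the fix above or should be removed.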

The theme I’m using here on JaypeeOnline – FreshNews by WooThemes uses TimThumb. After reading about this vulnerability, I immediately removed the thumb.php file and replaced it with an updated one. I was worried that I was using a very old version of the plugin and that upgrading might mess up my blog but after the upgrade, I checked all the thumbnails and everything seems to be working fine. I also removed everything related to the old version of TimThumb and cleared the cache.

If you want to know more about the zero day vulnerability, how it was discovered and other additional info, check out Mark Maunder’s blog post.


administrator

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.

7 Comments

  • Jayr, September 29, 2012 @ 3:43 AM Reply

    I already encountered this timthumb on my client’s WordPress website.

  • Sourish @ Iphone 4 jailbreak, August 7, 2011 @ 4:18 PM Reply

    Thanks for the update, I’m upgrading now.

  • John Garrett, August 4, 2011 @ 3:53 PM Reply

    Holy Hannah! My theme actually does use TimThumb so I’m off to update it right now. Good looking out man!

    • JP Habaradas, August 5, 2011 @ 10:40 AM Reply

      @John – It’s good that you checked and found out your theme uses TimThumb. We really need to be careful these days as hackers and other malicious users are getting more clever and finding new ways to do their stuff. You’re welcome! Glad I could share this with you and other WordPress users.

      • Sourish @ Iphone 4 jailbreak, August 9, 2011 @ 6:07 PM Reply

        I searched but didn’t find anything of that name. Nothing inside the theme folders. Are they somewhere else?

  • jehzlau, August 4, 2011 @ 1:28 PM Reply

    Good thing I don’t use timthumb. :)

    • JP Habaradas, August 5, 2011 @ 10:39 AM Reply

      @jehzlau – Good for you. However, there are tons of WordPress themes out there (both free and premium) that use the TimThumb script and millions of users using those themes.
