TimThumb Zero Day Vulnerability Affects Hundreds of WordPress Themes

The WordPress community has been going frantic this morning after it was discovered that there is a security vulnerability in the popular TimThumb script that is used for resizing images. The security hole gives intruders access to the server hosting the script. A number of people have already found themselves to be hacked, including the original developer of the script.

The issue was discussed last night in the IRC Development Chat with an early decision being made that all themes using the script should be suspended and that a patch should be pushed out (update: this hasn’t been agreed by the theme review team yet). In fact, the trunk version of the script has already been updated to fix the problem. This raises all sorts of questions about what sort of scripts will be allowed in the theme directory in the future.

How Does This Affect Me?

If you are using TimThumb in your theme or plugin, update it. Grab the latest version from the trunk and paste the code in to replace the insecure version. It is as simple as that.

Timthumb is a very, very popular script and so it is worth checking to see if you are using it in your theme. If you are resizing a lot of images as thumbnails then it’s quite possible that it is being used. Of course, these days WordPress can do this itself but TimThumb does increase flexibility.

To find out if you are using TimThumb go to Appearance > Editor and look for a theme file called timthumb.php or thumb.php.

Replace the old script with the new one

Copy the code from the updated trunk and paste it into the text editor. Save!
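The manual check above does not scale past a handful of sites, so here is an added example (not code from the article, from TimThumb or from any theme shop) that automates it: it walks a web root for timthumb.php and thumb.php, confirms the file really is TimThumb, reads its VERSION define, notes whether $allowedSites is present, and flags 1.x copies for replacement. The sample theme tree it builds is constructed for the demonstration; treating everything below version 2 as outdated follows the comment below that says the fixed release is TimThumb 2.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

# File names the article tells you to look for under Appearance > Editor.
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
# Project URL in TimThumb's header comment (also what the bash script in the comments greps for).
TIMTHUMB_MARKER = "code.google.com/p/timthumb"
# TimThumb declares its version as define('VERSION', '1.xx') or '2.0'.
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]""", re.I)

def inspect_file(path, root):
    """Describe one candidate file; return None if it is not TimThumb at all."""
    text = Path(path).read_text(errors="replace")
    if TIMTHUMB_MARKER not in text and "timthumb" not in text.lower():
        return None  # some other thumb.php, not the script in question
    m = VERSION_RE.search(text)
    version = m.group(1) if m else None
    major = int(version.split(".")[0]) if version else None
    return {
        "path": os.path.relpath(path, root).replace(os.sep, "/"),
        "version": version,
        # Templatic's copy is reported safe because it lacks $allowedSites.
        "uses_allowed_sites": "$allowedSites" in text,
        # Unreadable version is treated as outdated so it gets a manual look.
        "outdated": major is None or major < 2,  # 1.x copies predate the fix
    }

def scan(root):
    """Walk a web root and report every TimThumb copy found under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TIMTHUMB_NAMES:
                info = inspect_file(os.path.join(dirpath, name), root)
                if info:
                    findings.append(info)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(base=None):
    """Constructed sample data: a fake themes directory with three thumbnailers."""
    base = base or tempfile.mkdtemp(prefix="timthumb-demo-")
    samples = {
        "themes/old-theme/timthumb.php": "<?php\n// http://code.google.com/p/timthumb/\n"
            "define ('VERSION', '1.32');\n$allowedSites = array('flickr.com');\n",
        "themes/new-theme/scripts/timthumb.php": "<?php\n// http://code.google.com/p/timthumb/\n"
            "define ('VERSION', '2.0');\n$allowedSites = array();\n",
        "themes/custom/thumb.php": "<?php\n// in-house resizer, not the Google Code script\n",
    }
    for rel, body in samples.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return base

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan(root):
        print("UPDATE" if f["outdated"] else "ok", f["version"] or "?", f["path"])
```

Run it with your wp-content directory as the argument; with no argument it scans the constructed sample tree.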

Known Theme Shops Using TimThumb

There are a number of major theme shops using TimThumb. Here are their responses:

  • Woo Themes – update your theme or the code in thumb.php
  • Templatic – thumb.php script does not use $allowedSites, so not affected
  • Elegant Themes – update to latest version
  • Theme Shift – update theme or change code to latest version of timthumb
  • Theme Lab – 3 themes using timthumb. Fix provided at link

Remember, if you are using a theme from a theme marketplace such as Mojo Themes or Theme Forest then it is the responsibility of the individual developer to push out an update. Or you can just fix it yourself.

Know of any more? Let us know so WPMU.org readers are aware. Just to be clear though – it’s not a bad thing to be using TimThumb, so please don’t take this out on theme developers or the developer of TimThumb. It’s a great script that many theme developers have been making money from and improving their sites with for years. In fact, older versions of timthumb didn’t have this problem. Just spread the word so that everyone can update to the latest version and we can secure our sites.

(header image CC license from Don Hankins)

Comments (30)

  1. Okay, so I copied the new file contents from and replaced the entire timthumb script in my theme’s timthumb.php file – is this the correct procedure? Or does one just copy and replace a certain section? I am using Elegant Themes and don’t want to use their fix because it gets rid of timthumb entirely, and I like the script…
    Thank you guys for the fix!
    ~ freida

  2. To add to your list of known theme shops, I’ve noticed that Themify.me also uses a version of TimThumb. They have issued new versions of their themes with the updated script, BUT they do not push a notification to users in their dashboard. You actually have to go to their website and re-download and re-install the theme manually.
    Also, Headway uses TimThumb but issued an update to fix it, which you can install from your dashboard.

  3. We use timthumb on our Mu and Kappa theme, and have now updated them.

    Our latest theme, Xi does not use timthumb. There is less of a need for it, as you can use WordPress to generate thumbnails of different sizes. The only downside of using native thumbs is that you have to regenerate thumbs when you change themes.

  4. I would strongly suggest you update to the latest version rather than patch the particular hole. I have found a second 0day that occurs in all versions before timthumb 2, which was released August 6.

  5. Hello! I have a lot of sites that use timthumb. Do you know which version of timthumb is vulnerable?
    Because I’m doing a big clean-up here, so I need to know which site I have to begin with!
    Thank you for your answer and have a nice day!

  6. We’ve had several automated attacks (on sites that don’t even use WP), and I was able to compile a list of addresses pretty quickly that appear to use TimThumb:


    I manage quite a few WP sites, and while the security scan script is fine for smaller sites, it chokes and dies on large sites, and for managing this many sites, it’s a huge waste of time. So I wrote a bash script that’ll do it for you. Use at your own risk:

    #!/bin/bash
    ## ====================================
    # This checks all php files in /var/www/vhosts/
    # for TimThumb and then overwrites them with
    # the current version
    ## ====================================
    echo
    date
    dnow=$(date +%Y%m%dT%H%M%S)

    ## ====================================
    # Get the most current version of timthumb.php
    # (stop here if the download fails, so nothing is overwritten with junk)
    ## ====================================
    wget -O timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php || exit 1

    ## ====================================
    # Generate a list of files, then overwrite them:
    # only PHP files that carry the TimThumb project URL
    # and declare a 1.x VERSION are touched
    ## ====================================
    find /var/www/vhosts/ -name '*.php' -print0 \
      | xargs -0 grep -l 'http://code.google.com/p/timthumb/' \
      | xargs -d '\n' grep -il "version',\s*'1" > ~/timthumb-"$dnow".txt

    while IFS= read -r eaTim
    do
    ## ==================================
    # Overwrite with current version
    echo "Overwriting $eaTim"
    cp timthumb.php "$eaTim"
    ## ==================================
    done < ~/timthumb-"$dnow".txt

    ## ====================================
    # all done!
    ## ====================================

  7. It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  8. I have been using a theme that employs this and the developer sent me an updated file back when this was identified that he indicated would secure this. I just noticed that Google displays Buy Levlen Without Prescription for my site. Is this an indication that I have been attacked via this weakness? And can you point me to any resources to clean out this infection?

    Thanks

    Chris
