TimThumb Zero Day Vulnerability Affects Hundreds of WordPress Themes
The WordPress community has been going frantic this morning after it was discovered that there is a security vulnerability in the popular TimThumb script that is used for resizing images. The security hole gives intruders access to the server hosting the script. A number of people have already found themselves to be hacked, including the original developer of the script.
The issue was discussed last night in the IRC Development Chat with an early decision being made that all themes using the script should be suspended and that a patch should be pushed out (update: this hasn’t been agreed by the theme review team yet). In fact, the trunk version of the script has already been updated to fix the problem. This raises all sorts of questions about what sort of scripts will be allowed in the theme directory in the future.
How Does This Affect Me?
If you are using timthumb in your theme or plugin then update it. Grab the latest version from the trunk and paste in the code to replace the insecure version. It is as simple as that.
Timthumb is a very, very popular script and so it is worth checking to see if you are using it in your theme. If you are resizing a lot of images as thumbnails then it’s quite possible that it is being used. Of course, these days WordPress can do this itself but TimThumb does increase flexibility.
To find out if you are using TimThumb go to Appearance > Editor and look for a theme file called timthumb.php or thumb.php.
Copy the code from the updated trunk and paste it into the text editor. Save!
Known Theme Shops Using TimThumb
There are a number of major theme shops using TimThumb. Here are their responses:
- Woo Themes – update your theme or the code in thumb.php
- Templatic – thumb.php script does not use $allowedSites so not affected
- Elegant Themes – update to latest version
- Theme Shift – update theme or change code to latest version of timthumb
- Theme Lab – 3 themes using timthumb. Fix provided at link
Remember, if you are using a theme from a theme marketplace such as Mojo Themes or Theme Forest then it is the responsiblity of the individual developer to push out an update. Or you can just fix it yourself.
Know of any more? Let us know so WPMU.org readers are aware. Just to be clear though – it’s not a bad thing to be using TimThumb so please don’t take this out on theme developers or the developer of TimThumb. It’s a great script that many theme developers have been making money off it and improving their sites for years. In fact, older version of timthumb didn’t have this problem. Just spread the world so that everyone can update to the latest version and we can secure our sites.
(header image CC license from Don Hankins)