Yesterday, Mark Maunder at markmaunder.com happened to run across and identify a very dangerous and clever hack on his site. The hacker had gained access through the very popular TimThumb image library, and thus the first TimThumb Exploit was found. If you are interested in the specifics of the hack, more detailed information can be found at his website linked above.

0 Day Vulnerability in Many WordPress Themes: The TimThumb Exploit

Luckily, and more importantly he managed to pinpoint the issue and identify a very new vulnerability in many WordPress installations. It is estimated that this issue could affect hundreds of thousands of WordPress installs.

Unfortunately, because this TimThumb library is included in themes and plugins and not in the core WordPress installation, the TimThumb exploit is not easily patched. We are unable to mass-patch this issue using our automated application installer because of this very problem.

Although premium theme creators will no doubt release updates to their themes that fix the TimThumb Exploit, it may take some time for these updates to come out. It is also likely that free themes or outdated plugins may never get an update to this problem. As such, it is a very good idea to check your site and look for this vulnerability and fix it as soon as possible.

If you currently have our Platinum Managed web hosting add-on, dont’ worry! We’ve already patched those who were vulnerable.

So how do I know if I’m at risk?

Almost everyone using the TimThumb library that downloaded it before August 1, 2011 is likely at risk. If you are not sure if you are using TimThumb, the easiest way to check is to look through your theme folders for a file called timthumb.php or thumb.php. This can be done using an FTP program or the file browser in your Plesk Control Panel.

This file may also be called thumb.php. It could be in any theme folder, not just necessarily your active theme. Also, it’s possible it is in your plugins folders as well so be sure to look thoroughly.

Oh great, it’s there. Now what?

The quickest way to fix the TimThumb exploit is by editing your timthumb.php or thumb.php files and finding the following lines:

$allowedSites = array (
‘flickr.com’,
‘picasa.com’,
‘blogger.com’,
‘wordpress.com’,
‘img.youtube.com’,
‘upload.wikimedia.org’,
);

The issue with this vulnerability is due to the way the script handles these remote sites being allowed to inject images. The issue can be fixed by simply removing the websites displayed in the $allowedSites array. After you remove them it should look like this:

$allowedSites = array (
);

An empty array.

Update:

Fortunately, because of the quick find by Mark Maunder, the team at TimThumb already has a patch in place. All you need to do is download the following file and replace your existing file with it:

Download: http://timthumb.googlecode.com/svn/trunk/timthumb.php

If your local file is called thumb.php, simply rename the new file to thumb.php before uploading.

That’s all there is to it. If this process is beyond you, or you just want to make sure that you fixed the issue completely feel free to open a support ticket through our client admin area, or find us on twitter @websavers.

About Adam Bate

Adam is a former owner of Websavers Inc. He departed in 2014 to focus his time entirely on blogging and online marketing. Adam currently works for a Clagary and Edmonton based web marketing agency.

Leave a Comment