Sucuri Blog

Website Security News

Main navigation

Timthumb.php Security Vulnerability – Just the Tip of the Iceberg

There has been some buzz about a zero day vulnerability found in Timthumb.php that can allow for arbitrary file uploads. Although this is a platform independent issue, it is specially an issue on WordPress where a lot of theme authors choose to include scripts in themes without any extra security measures.

You can read more details about the TimThumb issue here: markmaunder.com

This is definitely an issue, but it’s just the tip of the iceberg. TimThumb is just one of various scripts that are being added to themes/plugins without further vetting, or even incorrectly. Take Uploadify for example, which we’ve recently seen being exploited in very old versions of a popular WordPress theme.

Another issue is inexperience, well, along with laziness in some cases. WordPress has built in a lot of great capabilities that aren’t being properly leveraged. For example, if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.

Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process, it is very controlled for good reason. The problem here is really around plugins and themes, it’s not as simple as you may think to check every release being there are thousands of free and premium options on the market today.

Minimize Your Risk

Here are a few things that if put into practice, will help you minimize the risk of getting exploited:

  1. Keep your themes and plugins updated – #1 cause of malware infections and hacks independent of any platform!
  2. Only download from reputable sources (WordPress.org).
  3. Only use plugins and themes that are being actively developed and have good, trusted reviews. Do your homework
  4. Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using.
  5. Don’t just disable, remove any software that you’re not actively using. Just because it’s not active doesn’t mean it’s not vulnerable

Sucuri WordPress Check

Here is a script we created to enable you to check for some of the issues we’ve outlined above – Sucuri WP Check

How to Use

  1. Save script to your local machine by right clicking the link above and save link as
  2. Login to your site via sFTP or FTP (We recommend sFTP/SSH)
  3. Upload the script to your root WordPress directory
  4. Rename sucuri_wp_check.txt to sucuri_wp_check.php
  5. Run the script via browser of choice – yourdomain.com/sucuri_wp_check.php – Make sure you change the URL path to your domain and wherever you uploaded the file
  6. Check the results

If you have any questions, let us know, leave a comment below and we’ll try to reply as quickly as possible.

We no longer support comments on our blogs. If you’d like to continue the conversation, engage with us via Twitter at @sucurisecurity and @sucurilabs. If you have recommendations or questions that require more than 140 characters, please send us an email at info@sucuri.net.