Timthumb.php Security Vulnerability – Just the Tip of the Iceberg

August 2, 2011David Dede

There has been some buzz about a zero day vulnerability found in Timthumb.php that can allow for arbitrary file uploads. Although this is a platform independent issue, it is specially an issue on WordPress where a lot of theme authors choose to include scripts in themes without any extra security measures.

You can read more details about the TimThumb issue here: markmaunder.com

This is definitely an issue, but it’s just the tip of the iceberg. TimThumb is just one of various scripts that are being added to themes/plugins without further vetting, or even incorrectly. Take Uploadify for example, which we’ve recently seen being exploited in very old versions of a popular WordPress theme.

Another issue is inexperience, well, along with laziness in some cases. WordPress has built in a lot of great capabilities that aren’t being properly leveraged. For example, if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.

Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process, it is very controlled for good reason. The problem here is really around plugins and themes, it’s not as simple as you may think to check every release being there are thousands of free and premium options on the market today.

Minimize Your Risk

Here are a few things that if put into practice, will help you minimize the risk of getting exploited:

Keep your themes and plugins updated – #1 cause of malware infections and hacks independent of any platform!
Only download from reputable sources (WordPress.org).
Only use plugins and themes that are being actively developed and have good, trusted reviews. Do your homework
Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using.
Don’t just disable, remove any software that you’re not actively using. Just because it’s not active doesn’t mean it’s not vulnerable

Sucuri WordPress Check

Here is a script we created to enable you to check for some of the issues we’ve outlined above – Sucuri WP Check

How to Use

Save script to your local machine by right clicking the link above and save link as
Login to your site via sFTP or FTP (We recommend sFTP/SSH)
Upload the script to your root WordPress directory
Rename sucuri_wp_check.txt to sucuri_wp_check.php
Run the script via browser of choice – yourdomain.com/sucuri_wp_check.php – Make sure you change the URL path to your domain and wherever you uploaded the file
Check the results

If you have any questions, let us know, leave a comment below and we’ll try to reply as quickly as possible.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Maxim Weinstein

This is the same pattern that we previously saw with web browsers. First, the browsers themselves were exploited. Once the browser vendors stepped up their security efforts, cybercriminals went after third party apps and plugins, like Adobe Reader, Flash Player, and JAVA.

It’s going to be a challenge—and an important one to tackle head on—for the WordPress community to figure out how to better manage security of plugins.
- Andres Armeda
  
  You’re absolutely spot on Maxim!
  
  Nothing of this size, or capacity will ever be easy to manage. It’s a continual process that needs constant attention.
Pingback: TimThumb security vulnerability discovered, affects many WordPress themes | WPCandy()
Macattak1

How do I actually run a script via FF that I have uploaded? Never done it. Not a coding or prgraming guy.
Thanks much.
Peace and Blessings
- Andres Armeda
  
  Hi there.
  
  Once you’ve uploaded the script, you can run it by typing in its address in the browser.
  
  Example – yourdomain.com/sucuri_wp_check.php
  
  Hope this helps.
  
  Dre
  - Macattak1
    
    Yea. I finally figured it out. Thanks though!
    I was actually, believe it or not, able to run it as a .txt.
    
    Ran as ftp://xxx@ftp.timlist.net/xxx/ebooks/ccp/sucuri_wp_check.txt
    
    And it returned this:
    Checking your WordPress install…
    By Sucuri.net – Questions? Contact support@sucuri.net
    “;
    
    $issues = scanallfiles($dir);
    
    echo ”
    “; if($issues == 0) { echo ”
    No issues found. Completed.
    n”; } ?>
    
    I also re-read the directions and relized I did not set it as .php. Doh!
    Then that worked much easier with .php.
    
    Peace and Blessings
  - Billig Hjemmeside
    
    Thanks a lot. I had a friend with some wp issues. His site was hacked twice this year. I ran the sucuri_wp_check.php but it was clean. I couldn’t find a resolution but after I ran WP Security Scan Plugin I fixed some vulnerabilities. The site is up since 2 months so I cross my fingers.
Macattak1

For example. I put in my link… with .txt and that file shows up. But running it with .php simply fails and offers to search the WP site?

http://www.timlist.net/ebooks/ccp/ is my address.

Also, for you WP experts. With my url, WP is installed under /CCP. I am making an ebook site to sell my just recently deceased fathers ebooks he created in the last two years. But lets say I want to do my own books as well. Should I have installed WP into /ebooks or something instead? To avoid multiple WP installs? Or do I want to use multiple WP installs?

Say I ended up with 20 authors selling on my site? What would be the intellegent way to do this via WP installs? Thanks much. If the latter is an inapropriate question for this site, blog, etc. I applogize.

Thanks much
Peace and Blessings
Pingback: How to Fix TimThumb.php WordPress Theme Security Flaw | Wordpress Multisite Blogs Help Tips | Behind the Scenes()
kchez

Your script found two instances of: “Found PHP file inside image directory” of a plugin I use.
What actions should I take?
Thanks.
Doug B.

The one thing timthumb does that WordPress doesn’t do on its own is the ability to pull external images to then turn into thumb nails and etc…

I was thinking of using it for that very reason since I host all my images on photobucket because I don’t want image leeches to steal my bandwidth on my blog host.

I love the media handling of WordPress but since it doesn’t work on external images then simply turning off that function on timthumb makes the script pointless for me. YMMV.
- Andrew Wells Douglass
  
  I’m interested in your point about limiting leeching of your bandwidth for image delivery. Would a direct block on hotlinking work as well?
Pingback: Zero Day Attack and timthumb.php... What does it mean? | WordPress Training Videos()
Pingback: TimThumb Updated To Version 2()
Pingback: TimThumb security vulnerability discovered: Affects many WordPress themes | TechBlog Central()
Lancelot Brown

Hi ,Should I delete the sucuri_wp_check.txt after I have used it.
THANKS.
Fernando Botti

Very interesting
Karen

Thank you for this great info, and for your sucuri_wp_check.php script that helps me sleep better at night! 🙂
Marijuana Report

Hi I got this error when I ran the php script. Not a developer by any means, first time Ive been attacked like this. Is there something a guy like me can do to fix this? Any help is greatly appreciated.

Checking your WordPress install…
By Sucuri.net – Questions?
Contact support@sucuri.net
Warning: Found suspicious file (timthumb or uploadify): ./wp-content/plugins/logo-management/includes/timthumb.php
Warning: Found suspicious file (timthumb or uploadify): ./wp-content/themes/premiumnews/thumb.php
Pingback: TimThumb, Heroism and FUD()
Pingback: Off to the Host and Hacked ‹ Anthony G. Cyphers – Software Developer()
Pingback: El site del magazine Hakin9 ha sido hackeado | Hispabyte()
Pingback: WordPress Vulnerability in “TimThumb” theme script | Ari Salomon: Art and Design()
Rein

Thanks for writing this blogpost and creating the security check!
Pingback: Delete malware warning counter-wordpress.com | Rein Aris – Blog()
Lisa Lubin

I ran your script and it shows 2 issues with timthumb on 2 other sites i have. BUT doesn’t say anything about the site I have that was blocked by Google. The offending page that apparently was attacked is now clean (without my doing). What can I do next?? thanks!
Pingback: eBabble » Compromised By TimThumb()
Pingback: Another Victim Of The ThumbTim.php Exploit | Simple Industries, Inc.()
Pingback: Update TimThumb Code To Avoid Security Risk | Brain Contour()
voltagenewmedia

Interesting, I used the Securi check and it says im all good…I never updated my thumb.php though. Hurmm….
JasonFonceca

Thank you soooo much for this information and scanning script. What a blessing to everyone going through this, and a help to the net on the whole.
Pingback: Hackers are the Asses of Evil - Blogging4Jobs HR, Recruiter, Social Media, Job Search Blogging4Jobs()
wolfusvi

I ran your sucuri_wp_check.php script and got a clean bill of health. Thanks!

Based on the huge number of “bad link” email messages that have shown up in my inbox, someone is farming different themes on my site looking for the timthumb.php script.
Pingback: The Great Hack Of 2011 | Collective Bias | Blog()
Pingback: WordPress blog hacked | Sonia Marsh - Gutsy Living()
Pingback: Resizing and manipulating Images using TimThumb()
Pingback: Timthumb transparency problems (.png & .gif have solid backgrounds)Ministry Web Design()
Pingback: My website was hacked – yours could be too! You won’t know until it’s too late | Alex's Blog()
Ansateza

Hi. I found that one my old and unupdated plugin (kc-related-posts-by-category) have tumthumb.php there. I deleted it before few days when i released that have some iframes injected in my blog. Its now worthy to check and if yes does this script is still functional?
Pingback: Timthumb.php Security Vulnerability – Just the Tip of the ...()
Pingback: How to do bulk Find and Replace in files using PHP | Nadeesha Cabral Blogs()
Pingback: Timthumb.php Security Vulnerability – Just the Tip of the ...()
Pingback: Raw Access Log and Its Value()
Henrik Flensborg

Is the vulnerabilities that this script checks for included in the checks made by the Sucuri SiteCheck Malware Scanner plugin for WP or would both be needed to cover all bases?
Pingback: Eliminate Unused WordPress Plugins — Technosailor.com()
Pingback: Review of the WordFence Plugin – Effective or Not? - PerezBox()
Pingback: » WordPress Uploadify Vulnerability - Roger's Information Security Blog()
Pingback: Does not remove the WordPress Plugin | .()
Pingback: Is this Abject enough? | Abject()
Pingback: 14 เทคนิคในการป้องกันเว็บไซต์เวิร์ดเพรสของคุณ ปลั๊กอินเดียว เอาอยู่ๆๆๆ | WordPress Thai Dev()