Timthumb.php Security Vulnerability – Just the Tip of the Iceberg

August 2, 2011, by David Dede

There has been some buzz about a zero-day vulnerability found in timthumb.php that allows arbitrary file uploads. Although this is a platform-independent issue, it is especially a problem on WordPress, where many theme authors include such scripts in their themes without any extra security measures.

You can read more details about the TimThumb issue here: markmaunder.com

This is definitely an issue, but it's just the tip of the iceberg. TimThumb is only one of many scripts being added to themes and plugins without further vetting, or even incorrectly. Take Uploadify, for example, which we've recently seen being exploited in very old versions of a popular WordPress theme.

Another issue is inexperience, along with laziness in some cases. WordPress has a lot of great built-in capabilities that aren't being properly leveraged. For example, if theme and plugin authors had used add_image_size to generate their thumbnails instead of bundling TimThumb, they would be in a safer position today.
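To make that concrete, here is an added example (not code from the post or from any particular theme) of the built-in thumbnail support a theme can use instead of shipping its own resize script; the size name sidebar-thumb and its dimensions are made up for the illustration.

```php
<?php
// Added example: WordPress's own thumbnail generation, registered from a
// theme's functions.php. WordPress creates the resized variant on its own
// server at upload time, so the theme needs no resizer script that takes a
// source parameter from the request.

add_action('after_setup_theme', function () {
    // Enable featured images for posts and pages.
    add_theme_support('post-thumbnails');

    // Register a named size: width, height, hard crop.
    // Caveat: only images uploaded after this runs get the new variant;
    // existing media must be regenerated to pick it up.
    add_image_size('sidebar-thumb', 300, 200, true);
});

// Optional: make the size selectable in the media insert dialog.
add_filter('image_size_names_choose', function ($sizes) {
    return array_merge($sizes, ['sidebar-thumb' => 'Sidebar thumbnail']);
});

// In a template, inside the loop, output the pre-generated variant.
function example_theme_sidebar_thumbnail() {
    if (has_post_thumbnail()) {
        the_post_thumbnail('sidebar-thumb');
    }
}

// Or fetch the URL of the variant for an arbitrary attachment ID
// (returns null when the attachment or variant does not exist).
function example_theme_thumbnail_url($attachment_id) {
    $src = wp_get_attachment_image_src($attachment_id, 'sidebar-thumb');
    return $src ? $src[0] : null;
}
```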

Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process, and it is tightly controlled for good reason. The real problem is plugins and themes: checking every release is not as simple as you may think, given that there are thousands of free and premium options on the market today.

Minimize Your Risk

Here are a few things that, if put into practice, will help you minimize the risk of getting exploited:

  1. Keep your themes and plugins updated. Outdated software is the #1 cause of malware infections and hacks, independent of platform.
  2. Only download from reputable sources (WordPress.org).
  3. Only use plugins and themes that are actively developed and have good, trusted reviews. Do your homework.
  4. Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using.
  5. Don't just disable software you're not actively using, remove it. Just because it's not active doesn't mean it's not vulnerable.

Sucuri WordPress Check

Here is a script we created to let you check for some of the issues outlined above: Sucuri WP Check

How to Use

  1. Save the script to your local machine by right-clicking the link above and choosing "Save link as".
  2. Log in to your site via sFTP or FTP (we recommend sFTP/SSH).
  3. Upload the script to your root WordPress directory.
  4. Rename sucuri_wp_check.txt to sucuri_wp_check.php.
  5. Run the script in the browser of your choice: yourdomain.com/sucuri_wp_check.php. Make sure you change the URL to your own domain and to wherever you uploaded the file.
  6. Check the results.
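For readers who want to see what such a check does, here is an added example written for this post; it is not Sucuri's sucuri_wp_check.php, but a stand-alone PHP command-line script that walks a WordPress tree and reports the two kinds of finding the post's script is described as producing: bundled resize/upload scripts by filename, and PHP files sitting in directories that should only hold images. The filename list and the directory list are assumptions made for the example.

```php
<?php
// Added example, not Sucuri's script. Usage: php wp_check_example.php /path/to/wordpress

// Filenames of the bundled resize/upload scripts this post warns about (assumed list).
const SUSPICIOUS_NAMES = ['timthumb.php', 'thumb.php', 'uploadify.php'];

// Directories expected to hold images only; a .php file inside one is a classic
// sign of a file-upload compromise (assumed list; extend for your install).
const IMAGE_DIRS = ['/wp-content/uploads/', '/images/', '/img/'];

// Returns a list of "Warning: ..." strings, one per finding; empty means clean.
function scan_wordpress(string $root): array
{
    $issues = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = str_replace('\\', '/', $file->getPathname());
        $name = strtolower($file->getFilename());

        if (in_array($name, SUSPICIOUS_NAMES, true)) {
            $issues[] = "Warning: Found suspicious file (timthumb or uploadify): $path";
            continue;
        }
        if (substr($name, -4) === '.php') {
            foreach (IMAGE_DIRS as $dir) {
                if (stripos($path, $dir) !== false) {
                    $issues[] = "Warning: Found PHP file inside image directory: $path";
                    break;
                }
            }
        }
    }
    return $issues;
}

$root = $argv[1] ?? '.';
echo "Checking WordPress install under $root...\n";
$issues = scan_wordpress($root);
foreach ($issues as $issue) {
    echo $issue, "\n";
}
echo count($issues) === 0 ? "No issues found. Completed.\n" : count($issues) . " issue(s) found.\n";
exit(count($issues) === 0 ? 0 : 1);
```

A hit on a timthumb.php or thumb.php only tells you the file is present; compare its version against the fixed release and update or remove the theme or plugin that shipped it, and treat any PHP file under wp-content/uploads as a likely planted shell until you have confirmed otherwise.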

If you have any questions, let us know, leave a comment below and we’ll try to reply as quickly as possible.


About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Maxim Weinstein

    August 3, 2011

    This is the same pattern that we previously saw with web browsers. First, the browsers themselves were exploited. Once the browser vendors stepped up their security efforts, cybercriminals went after third party apps and plugins, like Adobe Reader, Flash Player, and Java.

    It’s going to be a challenge—and an important one to tackle head on—for the WordPress community to figure out how to better manage security of plugins.

    • Andres Armeda

      August 3, 2011

      You’re absolutely spot on Maxim!

      Nothing of this size, or capacity will ever be easy to manage. It’s a continual process that needs constant attention.

  2. Macattak1

    August 3, 2011

    How do I actually run a script via FF that I have uploaded? Never done it. Not a coding or programming guy.
    Thanks much.
    Peace and Blessings

    • Andres Armeda

      August 3, 2011

      Hi there.

      Once you’ve uploaded the script, you can run it by typing in its address in the browser.

      Example – yourdomain.com/sucuri_wp_check.php

      Hope this helps.

      Dre

      • Macattak1

        August 3, 2011

        Yea. I finally figured it out. Thanks though!
        I was actually, believe it or not, able to run it as a .txt.

        Ran as ftp://xxx@ftp.timlist.net/xxx/ebooks/ccp/sucuri_wp_check.txt

        And it returned this:
        Checking your WordPress install…
        By Sucuri.net – Questions? Contact support@sucuri.net
        “;

        $issues = scanallfiles($dir);

        echo ”
        “; if($issues == 0) { echo ”
        No issues found. Completed.
        n”; } ?>

        I also re-read the directions and realized I did not set it as .php. Doh!
        Then that worked much easier with .php.

        Peace and Blessings

      • Billig Hjemmeside

        December 26, 2011

        Thanks a lot. I had a friend with some wp issues. His site was hacked twice this year. I ran the sucuri_wp_check.php but it was clean. I couldn’t find a resolution but after I ran WP Security Scan Plugin I fixed some vulnerabilities. The site is up since 2 months so I cross my fingers.

  3. Macattak1

    August 3, 2011

    For example, I put in my link… with .txt and that file shows up. But running it with .php simply fails and offers to search the WP site?

    http://www.timlist.net/ebooks/ccp/ is my address.

    Also, for you WP experts. With my URL, WP is installed under /CCP. I am making an ebook site to sell my just recently deceased father's ebooks he created in the last two years. But let's say I want to do my own books as well. Should I have installed WP into /ebooks or something instead? To avoid multiple WP installs? Or do I want to use multiple WP installs?

    Say I ended up with 20 authors selling on my site? What would be the intelligent way to do this via WP installs? Thanks much. If the latter is an inappropriate question for this site, blog, etc. I apologize.

    Thanks much
    Peace and Blessings

  4. kchez

    August 5, 2011

    Your script found two instances of: “Found PHP file inside image directory” of a plugin I use.
    What actions should I take?
    Thanks.

  5. Doug B.

    August 5, 2011

    The one thing timthumb does that WordPress doesn’t do on its own is the ability to pull external images to then turn into thumb nails and etc…

    I was thinking of using it for that very reason since I host all my images on photobucket because I don’t want image leeches to steal my bandwidth on my blog host.

    I love the media handling of WordPress but since it doesn’t work on external images then simply turning off that function on timthumb makes the script pointless for me. YMMV.

    • Andrew Wells Douglass

      August 14, 2011

      I’m interested in your point about limiting leeching of your bandwidth for image delivery. Would a direct block on hotlinking work as well?

  6. Lancelot Brown

    August 9, 2011

    Hi, should I delete the sucuri_wp_check.txt after I have used it?
    THANKS.

  7. Fernando Botti

    August 16, 2011

    Very interesting

  8. Karen

    August 17, 2011

    Thank you for this great info, and for your sucuri_wp_check.php script that helps me sleep better at night! 🙂

  9. Marijuana Report

    August 19, 2011

    Hi, I got this error when I ran the PHP script. Not a developer by any means, first time I've been attacked like this. Is there something a guy like me can do to fix this? Any help is greatly appreciated.

    Checking your WordPress install…
    By Sucuri.net – Questions?
    Contact support@sucuri.net
    Warning: Found suspicious file (timthumb or uploadify): ./wp-content/plugins/logo-management/includes/timthumb.php
    Warning: Found suspicious file (timthumb or uploadify): ./wp-content/themes/premiumnews/thumb.php

  10. Rein

    August 23, 2011

    Thanks for writing this blogpost and creating the security check!

  11. Lisa Lubin

    August 23, 2011

    I ran your script and it shows 2 issues with timthumb on 2 other sites I have. BUT it doesn't say anything about the site I have that was blocked by Google. The offending page that apparently was attacked is now clean (without my doing). What can I do next? Thanks!

  12. voltagenewmedia

    August 29, 2011

    Interesting, I used the Sucuri check and it says I'm all good… I never updated my thumb.php though. Hurmm….

  13. JasonFonceca

    August 31, 2011

    Thank you soooo much for this information and scanning script. What a blessing to everyone going through this, and a help to the net on the whole.

  14. wolfusvi

    September 15, 2011

    I ran your sucuri_wp_check.php script and got a clean bill of health. Thanks!

    Based on the huge number of "bad link" email messages that have shown up in my inbox, someone is farming different themes on my site looking for the timthumb.php script.

  15. Ansateza

    January 19, 2012

    Hi. I found that one of my old and un-updated plugins (kc-related-posts-by-category) had timthumb.php in it. I deleted it a few days ago when I realized I had some iframes injected into my blog. Is it now worth checking, and if yes, is this script still functional?

  16. Henrik Flensborg

    June 18, 2012

    Are the vulnerabilities that this script checks for included in the checks made by the Sucuri SiteCheck Malware Scanner plugin for WP, or would both be needed to cover all bases?
