Timthumb Security Vulnerability – List of Themes

August 3, 2011David Dede

The Timthumb 0-day security vulnerability is generating a lot of noise and for good reason. If you have a theme that includes TimThumb, your site can be easily hacked.

Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.

If you use any of the following themes please check to see if the script is present, and make sure it is updated:

8q/scripts/timthumb.php
aerial/lib/timthumb.php
aesthete/timthumb.php
albizia/includes/timthumb.php
amphion-lite/script/timthumb.php
aqua-blue/includes/timthumb.php
aranovo/scripts/timthumb.php
arras/library/timthumb.php
arras-theme/library/timthumb.php
arthemix-bronze/scripts/timthumb.php
arthemix-green/scripts/timthumb.php
artisan/includes/timthumb.php
a-simple-business-theme/scripts/timthumb.php
a-supercms/timthumb.php
aureola/scripts/timthumb.php
aurorae/timthumb.php
autofashion/thumb.php
automotive-blog-theme/Quick Cash Auto/timthumb.php
automotive-blog-theme/timthumb.php
bikes/thumb.php
black_eve/timthumb.php
blex/scripts/timthumb.php
bloggnorge-a1/scripts/timthumb.php
blogified/timthumb.php
blue-corporate-hyve-theme/timthumb.php
bluemag/library/timthumb.php
blue-news/scripts/timthumb.php
bombax/includes/timthumb.php
breakingnewz/timthumb.php
brightsky/scripts/timthumb.php
brochure-melbourne/includes/timthumb.php
business-turnkey/assets/js/timthumb.php
calotropis/includes/timthumb.php
coffee-lite/thumb.php
comet/scripts/timthumb.php
conceditor-wp-strict/scripts/timthumb.php
constructor/layouts/thumb.php
constructor/libs/timthumb.php
constructor/timthumb.php
coverht-wp/scripts/timthumb.php
cover-wp/scripts/timthumb.php
dark-dream-media/timthumb.php
deep-blue/timthumb.php
delicate/thumb.php
diamond-ray/thumb.php
dieselclothings/thumb.php
digitalblue/thumb.php
dimenzion/timthumb.php
epione/script/timthumb.php
evr-green/scripts/timthumb.php
famous/megaframe/megapanel/inc/upload.php
famous/timthumb.php
fashion-style/thumb.php
featuring/timthumb.php
fliphoto/timthumb.php
flix/timthumb.php
fordreporter/scripts/thumb.php
freeside/thumb.php
fresh-blu/scripts/timthumb.php
go-green/modules/timthumb.php
granite-lite/scripts/timthumb.php
greydove/timthumb.php
greyzed/functions/efrog/lib/timthumb.php
gunungkidul/thumb.php
heartspotting-beta/thumb.php
heli-1-wordpress-theme/images/timthumb.php
ideatheme/timthumb.php
impressio/timthumb/timthumb.php
introvert/thumb.php
inuit-types/thumb.php
isotherm-news/thumb.php
iwana-v10/timthumb.php
jambo/thumb.php
jcblackone/thumb.php
kratalistic/thumb.php
life-style-free/thumb.php
likehacker/timthumb.php
litepress/scripts/timthumb.php
loganpress-premium-theme-1/thumb.php
magazine-basic/thumb.php
magup/timthumb.php
make-money-online-theme-1/scripts/timthumb.php
make-money-online-theme-2/scripts/timthumb.php
make-money-online-theme-3/scripts/timthumb.php
make-money-online-theme-4/scripts/timthumb.php
make-money-online-theme/scripts/timthumb.php
meintest/layouts/thumb.php
mobilephonecomparision/thumb.php
moi-magazine/timthumb.php
my-heli/images/timthumb.php
mymag/timthumb.php
mystique/extensions/auto-thumb/timthumb.php
nash/theme-assets/php/timthumb.php
neofresh/timthumb.php
neo_wdl/includes/extensions/thumb.php
new-green-natural-living-ngnl/scripts/timthumb.php
newspress/thumb.php
pearlie/scripts/timthumb.php
pico/scripts/timthumb.php
postage-sydney/includes/timthumb.php
premium-violet/thumb.php
probluezine/timthumb.php
pronto/cjl/pronto/uploadify/check.php
pronto/cjl/pronto/uploadify/uploadify.php
r755/thumb.php
regal/timthumb.php
shaan/timthumb.php
shadow-block/thumb.php
shadow/timthumb.php
simple-but-great/timthumb.php
simplenews_premium/scripts/timthumb.php
simple-red-theme/timthumb.php
simple-tabloid/thumb.php
simplewhite/timthumb.php
slidette/timThumb/timthumb.php
snowblind_colbert/thumb.php
snowblind/thumb.php
spotlight/timthumb.php
squeezepage/timthumb.php
standout/thumb.php
suffusion/timthumb.php
swift/includes/thumb.php
swift/includes/timthumb.php
swift/timthumb.php
techozoic-fluid/options/thumb.php
the_dark_os/tools/timthumb.php
themetiger-fashion/thumb.php
theory/thumb.php
the-theme/core/libs/thumbnails/thumb.php
thrillingtheme/thumb.php
tm-theme/js/timthumb.php
totallyred/scripts/timthumb.php
travelogue-theme/scripts/timthumb.php
true-blue-theme/timthumb.php
ttnews-theme/timthumb.php
twittplus/scripts/timthumb.php
typographywp/timthumb.php
ugly/timthumb.php
unity/timthumb.php
versitility/timthumb.php
vibefolio-teaser-10/scripts/timthumb.php
vina/thumb.php
whitemag/script/thumb.php
wpapi/thumb.php
wpbus-d4/includes/timthumb.php
wp-creativix/scripts/timthumb.php
wp-newsmagazine/scripts/timthumb.php
wp-perfect/js/timthumb.php
wp-premium-orange/timthumb.php
xiando-one/thumb.php
zcool-like/timthumb.php
zcool-like/uploadify.php

Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not found on this list it is a good idea to do a thorough review for the script, and not a bad thought to contact the theme author.

Note: We only listed the free themes found in the WordPress Free Themes Directory SVN, there are probably many more themes that include TimThumb in the premium theme market. Make sure to check with your vendor to ensure the vulnerability has been fixed if they include the script.

Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.

If you have any questions, let us know.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Otto

Not all of these themes you have listed are approved and in the theme system. The SVN can contain unlisted themes as well.
- Andres Armeda
  
  Very good point Otto. The post has been edited to reflect so.
  
  Thanks as usual!
  
  Best,
  Dre
Pingback: WordPress: Themes die von der TimThumb-Sicherheitslücke betroffen sind | WordPress & Webwork()
Pingback: Anonymous()
Simon

whitepress uses also timthumb!
Pingback: TimThumb Security Vulnerability « Weblog Tools Collection()
BarryW

Suffusion is listed, and as a user of that I feel obligated to mention that timthumb was removed as of version 3.7.5 – the current version is 3.8.2
- Andres Armeda
  
  Hi Barry, thanks for the comment. According to the version scraped from the repository the file still exists in the theme. This is a good time for all theme authors to verify that everything in the repository is up to date and is reflecting properly.
  
  Thanks again for your comment.
  
  Dre
  - BarryW
    
    Hi Dre, Thanks for the quick reply. Based on your comment I scraped through the current release and the only mention of timthumb is in a comment in media.php. There is no timthumb.php or thumb.php present in version 3.8.2 – I’m not sure wahat the repository holds, if it’s old versions or what. But if it is an older version, then shame on the person that picks it up, the same as using an older version of WP or any other open source package. I’ll will try to make mention of this to the author on his support forum.
    
    Cheers,
    Barry
  - Sayontan
    
    As the author of Suffusion I feel obligated to point out that whatever
    methodology you used to determine your list of themes, it is plain
    wrong. TimThumb was removed from the theme about 6
    months back.
    
    You probably looked at http://themes.svn.wordpress.org/, then simply
    pulled up any themes that might have ever had
    TimThumb in it. If that is the case, you should amend your article above
    to change aggregated a list of themes that include
    TimThumb to something more appropriate. FYI, this is the list
    of all versions of the theme:
    http://themes.svn.wordpress.org/suffusion/. Take a look at the latest
    version (http://themes.svn.wordpress.org/suffusion/3.8.2/) or for that
    matter any version 3.7.4 onwards and let me know if you see the TimThumb script anywhere.
    
    Your scraper is probably doing things wrong if it reports the script being present in the latest versions. I can point out at least a few other themes that haven’t had TimThumb for a while now.
Pingback: Sicherheitslücke in Themes und Plugins | Planet Wordpress()
Michael Speier

Hi! Thanks for the list with Themes, but there is an Error: The Theme Calotropis from itx don’t use timthumb.php or it has an other name!

Greets from Germany and sorry for my bad english!

Mike, TmoWizard
Pingback: TimThumb – krytyczna luka w zabezpieczeniach | WebTuts()
Pingback: Sicherheitslücke in WordPress Blogs- Das Web für Frauen - vanvox.de()
Pingback: TimThumb Security Vulnerability Affects Many WordPress Themes and Plugins | Just Ask Kim()
Pingback: Domainpark 24 » Blog Archive » WordPress Lücke in Themes()
Pingback: HacKerS DElite » WordPress TimThumb Exploitation()
Pingback: TimThumb Security Vulnerability | Fublo Ltd blog()
Pingback: Falha de segurança no Timthumb - BDI BBS()
Pingback: Recent TimThumb Exploit and its Impact on You » Aquoid Themes()
Volker

I use ‘constructor’-theme on 1 site in version 1.57 and on another in 1.62, the latest.
Unfortunally, I can’t find a script named timthumb.php in my FTP.
And on the first look, the script thumb.php in constructor, mentioned in the list,
doesn’t resemble to timthumb.php !

??
cheers volker
- Anton Shevchuk
  
  Hi,
  I used timthumb in very old version of Constructor < 1.0.0
  Don't worry, your version is not has security vulnerability
- Anton Shevchuk
  
  File constructor/layouts/thumb.php it’s not a timthumb script
Anton Shevchuk

As the author of Constructor I feel obligated to mention that timthumb was removed as of version 1.0.0 – 15 month ago. The current version is 1.6.2.
Eddie

add PROSTO, from themeforest, to the list of vulnerable themes http://themeforest.net/item/prosto-business-portfolio-cms-wordpress-theme/
jehzlau

Oh great. So this is why some of my sites that uses timthumb redirects to an unknown page. O_O. Will update all my themes now with timthumb. 😀
crash >_

also…

monochrome/timthumb.php
Pingback: Sicherheitslücke in vielen Themes durch timthumb | helmomedia* MAGAZIN()
Jacques

ElegantThemes is/was using TT as well: http://www.elegantthemes.com/blog/theme-changesbug-fixes/timthumb-vulnerability-security-update
Pingback: Ventiao | El mundo cambia, todo cambia, entérate » Vulnerabilidad Zero Day en el Script TimThumb, presente en muchos temas de WordPress()
t4c

themes/androida-theme/androida/timthumb.php
http://www.web2feel.com/androida-theme/
Pingback: Cómo arreglar un wordpress hackeado por el TimThumb.php | Gadgetopost()
Pingback: Timthumb hack - how to recover | Third Culture Unleashed()
Pingback: TimThumb WordPress Security Vulnerability | WordPress Website Help and Development | Ask WP Girl | Angela Bowman - Boulder, Colorado()
Nat

Just a heads up but i found that WP-Mobile-Detector Plug in uses this.

None of my themes had it but I’ve used this plugin on a number of my themes and have now deleted it.
Nkni

Polished theme have the same vuln with 1.19
Pingback: Eric Romang Blog » WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector()
Sam

leetpress also use the 1.14 version auf timtumb
Pingback: All about information from internet » Post Topic » WordPress TimThumb Exploitation()
Kau-Boy

and another 4 themes:

premiumnews/thumb.php
typebased/thumb.php
metamorphosis/thumb.php
mainstream/thumb.php
Pingback: WordPress TimThumb Exploitation | My Blog()
Parag

It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
Chandra bose

Awesome logic behind! Thanks for sharing this with me!

WordPress templates
Alan Lupatini

I’m clean. =)
Pingback: [Segurança] Complemento do WordPress espalha malware()
Pingback: Complemento do WordPress espalha malware | iSuporte()
Pingback: Complemento do Wordpress espalha malware | Blog Seja Livre()
hackLover

Also ReporterBlog, how to fix it?
Pingback: TimThumb.php Sicherheits-Update()
otmn

http://codecanyon.net/item/slider-pro-wordpress-premium-slider-plugin defaults with timthumb but can be disabled.
Pingback: Server Hacked, I think I fixed it but not sure?()
Pingback: WordPress TimThumb Exploitation | NUZLAN Lynx()
Pingback: Explorando a vulnerabilidade de WordPress – TimThumb | Bootando…()
Pingback: WordPress TimThumb Exploitation | n0ths()
Poljane

Had lost 2 hours on this. Here is my sollution:

Server didn’t return the right DOCUMENT_ROOT, so in thumb.php I had to add

$_SERVER[“DOCUMENT_ROOT”] = ‘/domains/www/public_html’;

In my case I’ve looked for the DOCUMENT_ROOT with
echo getcwd();
Anyone

milkyway/functions/scripts/timthumb.php
Alex Booth

OptimizePress can be added to list
Pingback: TimThumb WordPress Security VulnerabilityJump Start Testing | Jump Start Testing()