Security Alert – Timthumb Vulnerability Fix is Available
Many WordPress themes have used a popular image script named Timthumb. The script is used by a large number of sites and is extremely popular within the WordPress community. Its popularity comes from the fact that users do not have to resize images manually: they simply upload them, and the script automatically resizes them and creates thumbnails as needed by the WordPress theme driving your site.
A zero-day vulnerability in some versions of the script, one that gives a remote attacker shell access, has been isolated. This vulnerability may also exist in your theme (depending on when you last updated or created it). While the creator of Timthumb has provided a fix, it is highly recommended that you update all of your themes to ones that no longer use the Timthumb script (timthumb.php), which keeps you clear of the security hole altogether.
The announced vulnerability allows a third party to attack your site by uploading PHP code into the Timthumb cache directory and running it. Once that code has been uploaded and run, the attacker can compromise your site.
Regardless of when you last updated your theme, I would strongly suggest that you at the very least upgrade the Timthumb script to the latest version. To update the script, delete the old file and upload the new version.
Note to my clients:
All new WordPress themes we provide or create will require that your thumbnail images be hosted on the same domain name where WordPress is installed. If you were previously using timthumb.php to allow external image sources by editing the $allowedSites array in that script, those existing thumbnails will no longer display.
You can download the latest source code for the timthumb.php script at: http://timthumb.googlecode.com/svn/trunk/timthumb.php. Alternatively, you can edit your current timthumb.php file to remove the external-source functionality (which is the cause of the vulnerability). But it is better to simply update the script to the new version.
Word to the wise: always keep WordPress core, themes and plugins updated! This helps protect your site from vulnerabilities.
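The same-domain rule described above, written out as an added example in PHP. This is not TimThumb's own code and does not reproduce its $allowedSites logic; it is a stand-alone check that accepts an image source only when it is a local path or a URL whose host exactly matches the host WordPress is installed on. The function name and the $siteHost parameter are assumptions for illustration.

```php
<?php
// Added example (not TimThumb's own code): accept an image source only if it
// refers to the WordPress install itself, rejecting every external host.
// $siteHost is assumed to come from the site configuration (e.g. the host
// part of the WordPress home URL).

function is_same_site_image(string $src, string $siteHost): bool
{
    $parts = parse_url($src);
    if ($parts === false) {
        return false; // unparsable input is never accepted
    }

    // No scheme and no host: a relative path inside the install.
    // Protocol-relative URLs ("//other.example/x") carry a host, so they
    // do not take this branch and are compared as external sources below.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Keep local lookups inside the web root: no parent-directory steps.
        return strpos($src, '..') === false;
    }

    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false; // only web URLs are considered at all
    }

    // Exact, case-insensitive host comparison. Deliberately not a substring
    // or prefix match, so "example.com.attacker.invalid" does not pass.
    return strtolower($parts['host'] ?? '') === strtolower($siteHost);
}

// Constructed sample inputs against an assumed site host.
$siteHost = 'example.com';
foreach ([
    'wp-content/uploads/2011/photo.jpg',      // local path: accepted
    'https://example.com/uploads/photo.jpg',  // same host: accepted
    'http://EXAMPLE.COM/uploads/photo.jpg',   // same host, other case: accepted
    'https://example.com.other.invalid/p.jpg', // different host: rejected
    '//other.invalid/photo.jpg',              // protocol-relative external: rejected
    '../../wp-config.php',                    // parent-directory step: rejected
] as $src) {
    printf("%-45s %s\n", $src, is_same_site_image($src, $siteHost) ? 'allow' : 'deny');
}
```

Because the check compares the whole host string, any external source is denied regardless of how its name is spelled, which is exactly the behaviour the note above asks of the new themes.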
I had a number of clients who weren't comfortable with the process of finding/updating timthumb manually, so I put together a plugin that will scan/update your wp-content directory easily – hopefully that can help people whose web guys aren't as great as you:)
Here’s the plugin:
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
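For administrators who would rather see every copy before replacing it by hand, here is an added PHP script that walks a wp-content directory and lists each timthumb.php it finds. It is not the plugin linked in the comment above and is not part of the original post. It assumes the script declares its version with a line of the form define('VERSION', '...'); where that assumption does not hold, the copy is still listed, with the version reported as unknown.

```php
<?php
// Added example, not the linked plugin: enumerate timthumb.php copies under a
// directory so each one can be deleted and replaced with the current release.
// Assumption: the script states its version as define('VERSION', '1.xx');
// copies without such a line are reported with version 'unknown'.

function find_timthumb_copies(string $root): array
{
    $found = [];
    if (!is_dir($root)) {
        return $found;
    }
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ($iterator as $file) {
        if (strtolower($file->getFilename()) !== 'timthumb.php') {
            continue;
        }
        $version = 'unknown';
        $source = @file_get_contents($file->getPathname());
        if ($source !== false
            && preg_match("/define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]/i", $source, $m)) {
            $version = $m[1];
        }
        $found[$file->getPathname()] = $version;
    }
    ksort($found);
    return $found;
}

// Usage: php find_timthumb.php /path/to/wp-content
$root = $argv[1] ?? 'wp-content';
$copies = find_timthumb_copies($root);
if ($copies === []) {
    echo "No timthumb.php found under $root\n";
}
foreach ($copies as $path => $version) {
    echo "$path\tversion $version\n";
}
```

Run it from the server's shell before and after updating: the first run gives the list of files to replace, the second confirms that every copy now reports the version you uploaded.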