Aug 2, 2011 Legacy

Security Tip: Timthumb.php

We’d like to make sure you all know about a serious vulnerability that was recently discovered in a popular image re-sizing tool called “timthumb.php”. This affects many WordPress themes and other PHP-driven websites. Read on for technical details and quick instructions on how to keep your sites secure.

Who might be affected?

  • Anyone with a PHP-driven website which is running timthumb.php.
  • Many WordPress themes utilize timthumb.php by default.
  • This is not unique to a single web hosting provider.

What does timthumb.php do?

Many developers use “timthumb.php” to resize images to fit their website.  It can also fetch images from a short list of external sites (photo-sharing hosts, for example) and resize those, which is handy, but there’s a catch…  The check on the remote host can be fooled, so the same feature lets an attacker make your server fetch a PHP script from a site they control. TimThumb saves what it fetched, .php name and all, into its cache directory under the web root, where the web server will run it. In the worst case this is full code execution on your site as the web-server user: the attacker can read configuration files (including database credentials), alter or delete files, and inject content into your pages.

Can you give me an example?

You can use timthumb to pull an image directly from your Flickr account and resize it for your blog.  Neat, huh?  TimThumb only allows remote fetches from a built-in list of sites (flickr.com among them), but the vulnerable versions apply that list loosely: an allowed name only has to appear somewhere in the hostname.  So a request for an “image” at “flickr.com.evilhackersite.com”, a host the attacker controls, passes the check, and the PHP file served from there is fetched and saved into TimThumb’s cache directory.  The attacker then simply browses to the cached file to run it, and from that point your site and data are wide open to a variety of malicious activities.
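To make the flaw concrete, here is an added illustration written for this post, not TimThumb’s actual source: a simplified allow-list check with the substring weakness, beside a hardened version that only looks at the parsed host component. The allow-list entries and the hostnames are constructed examples.

```php
<?php
// Added example, not TimThumb's own code. The allow-list and the test URLs
// below are constructed for illustration.

$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com');

// Vulnerable shape: a substring test over the whole URL. Any attacker
// hostname (or path, or query string) that merely contains an allowed
// name passes the check.
function vulnerable_is_allowed($src, $allowedSites)
{
    foreach ($allowedSites as $site) {
        if (stripos($src, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: parse the URL, take only the host component, and require an
// exact match or a genuine subdomain (the allowed name preceded by a dot).
function hardened_is_allowed($src, $allowedSites)
{
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed test URLs: a real Flickr image host, the bypass pattern from
// the post, and two other ways to smuggle an allowed name into the URL.
$tests = array(
    'http://farm1.static.flickr.com/1/photo.jpg',
    'http://flickr.com.evilhackersite.com/shell.php',
    'http://evilhackersite.com/x.php?fake=flickr.com',
    'http://flickr.com@evilhackersite.com/x.php',
);
foreach ($tests as $url) {
    printf("%-50s vulnerable=%-5s hardened=%s\n", $url,
        vulnerable_is_allowed($url, $allowedSites) ? 'allow' : 'deny',
        hardened_is_allowed($url, $allowedSites) ? 'allow' : 'deny');
}
```

Only the first URL survives the hardened check; the other three are allowed by the vulnerable one. Note that a correct host check is only half of a fix: even a trusted site can be compromised, so fetched bytes should also be verified to be an image and written under a name and directory the web server will never execute as PHP.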

If you’d like more info, there’s a pretty great write-up here:
http://mdtm.pl/timthumb-info

Note: Timthumb.php is included in many WordPress themes but this is not a WordPress issue.  It can be used on just about any kind of PHP-driven site.

How can I stay secure?

To start, find every copy of timthumb.php on your site (themes sometimes ship it renamed, for example as thumb.php) and check which version each one is. In general, it’s very important that you keep all third-party software up-to-date.  Having said that, as of this writing the developers of timthumb.php have not released a fixed version, so you’ll want to disable or remove it altogether until an update is available; losing a theme’s thumbnails is the lesser evil. While you’re at it, look through TimThumb’s cache directory for files containing PHP code and delete any you find, since they are a sign the hole has already been used against you. We’ll post here again when a solution is available.
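The following script is an added helper written for this post, not code from Media Temple or the TimThumb project. It walks a document root, lists every timthumb.php or thumb.php copy with the version it declares, and flags files under any “cache” directory that contain a PHP open tag. It assumes the copy declares its version with define('VERSION', …) and keeps fetched files in a directory named cache (TimThumb’s default); adjust the name if your copy was configured differently.

```php
<?php
// Added helper, not from Media Temple or the TimThumb project.
// Usage: php find-timthumb.php /var/www/html
// Assumptions: version is declared via define('VERSION', '...') and the
// cache directory is named "cache".

$root = isset($argv[1]) ? $argv[1] : '.';
if (!is_dir($root)) {
    fwrite(STDERR, "Not a directory: $root\n");
    exit(1);
}

$copies = 0;
$suspicious = 0;

$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::LEAVES_ONLY
);

foreach ($iter as $file) {
    if (!$file->isFile() || !$file->isReadable()) {
        continue;
    }
    $path = $file->getPathname();
    $name = strtolower($file->getFilename());

    // Theme authors often renamed timthumb.php to thumb.php; check both.
    if ($name === 'timthumb.php' || $name === 'thumb.php') {
        $src = file_get_contents($path);
        $version = preg_match("/define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]/i", $src, $m)
            ? $m[1] : 'unknown';
        echo "TimThumb copy: $path (declared version: $version)\n";
        $copies++;
        continue;
    }

    // Anything TimThumb fetched lands in its cache directory. Legitimate
    // entries are images; a PHP open tag anywhere in the file is a red flag
    // (it may be appended after valid image data, so scan the whole file).
    $inCache = stripos($path, DIRECTORY_SEPARATOR . 'cache' . DIRECTORY_SEPARATOR) !== false;
    if ($inCache && $file->getSize() <= 5 * 1024 * 1024) {
        $data = file_get_contents($path);
        if (stripos($data, '<?php') !== false || strpos($data, '<?=') !== false) {
            echo "SUSPICIOUS cache file (contains PHP): $path\n";
            $suspicious++;
        }
    }
}

printf("%d TimThumb copies found, %d suspicious cache files\n", $copies, $suspicious);
exit($suspicious > 0 ? 2 : 0);
```

Run it as the same user that owns the web files so every directory is readable. A non-zero exit status means PHP was found in a cache directory; treat that site as compromised rather than just deleting the file, since the attacker may have planted other backdoors once they had code execution.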

In addition, it’s strongly recommended that you change all WordPress or other CMS passwords and credentials, including the database password stored in wp-config.php, as they may have already been exposed to attackers.  You’ll also want to familiarize yourself with how to keep your website secure against the bad guys. A great resource for this is the Google Webmaster Central Blog.

Hopefully this information will help you address this issue before it affects your sites.  Stay tuned for more security-related posts from (mt).  As always, feel free to contact us at any time with questions or feedback.
