Uh-Oh! timthumb.php has been found vulnerable. This file is uses in many custom themes, plugins, etc., and a quick Google search for it returns over 39 million results.

If you aren’t sure if you have any timthumb.php files, and if your host allows SSH access, you can find out quickly the location of any, or all, of your timthumb.php files by running the following command:

find ~/public_html -name timthumb.php

Note that some versions of this file have been named thumb.php rather than timthumb.php so you may want to run the above command looking for thumb.php also. Just be sure to check what is in the file before removing or editing it.

Sometimes people think they have fixed the issue because they deleted the “timthumb.php” files on their account. Unfortunately, several themes and plugins rename the timthumb.php file when they include it (I’ve seen it named thumb.php, thumbnail.php, resize.php, crop.php — there are probably other variations as well).

The following search will find more instances of this file:

find ~/public_html -type f -wholename "*wp-content*" -name "*.php" -print0 | xargs -0 grep -Hl "TimThumb"

This is for the latest version of timthumb.php which can be found here: http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php

timthumb.php works by allowing the writing of files into a directory which visitors to your site can access. Because of this, it makes it a vulnerability just by existing. Even if no known vulnerabilities are present… there may be others just hiding and waiting to be exploited, so, if you really want to be secure, try renaming the file to timthumb.php.bad, then test to see if your site is broken, if it’s not, then simply remove the timthumb.php.bad file.

If you wish to edit the file, rather than remove it, just look for the $allowedSites line. In my file it looked something like follows:

$allowedSites = array (
'flickr.com',
'picasa.com',
'img.youtube.com',
'upload.wikimedia.org',
);

I removed my timthumb file(s) but, if you wanted to edit yours, you would edit it to look like this:

$allowedSites = array ();

Make sure the parenthesis are empty.
Stay safe, and happy blogging!

Be Sociable, Share!