Uh-Oh! timthumb.php has been found vulnerable. This file is used in many custom themes, plugins, etc., and a quick Google search for it returns over 39 million results.
If you aren’t sure whether you have any timthumb.php files, and your host allows SSH access, you can quickly locate any, or all, of your timthumb.php files by running the following command:
find ~/public_html -name timthumb.php
Note that some versions of this file have been named thumb.php rather than timthumb.php so you may want to run the above command looking for thumb.php also. Just be sure to check what is in the file before removing or editing it.
Sometimes people think they have fixed the issue because they deleted the “timthumb.php” files on their account. Unfortunately, several themes and plugins rename the timthumb.php file when they include it (I’ve seen it named thumb.php, thumbnail.php, resize.php, crop.php — there are probably other variations as well).
The following search will find more instances of this file:
find ~/public_html -type f -wholename "*wp-content*" -name "*.php" -print0 | xargs -0 grep -Hl "TimThumb"
This is for the latest version of timthumb.php, which can be found here: http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php
timthumb.php works by writing files into a directory that visitors to your site can access, so it is a risk just by existing. Even if no known vulnerabilities are present, there may be others hiding and waiting to be exploited. If you really want to be secure, rename the file to timthumb.php.bad and then test whether your site still works; if it does, simply remove the timthumb.php.bad file.
If you wish to edit the file rather than remove it, just look for the $allowedSites line. In my file it looked something like this:
$allowedSites = array (
'flickr.com',
'picasa.com',
'img.youtube.com',
'upload.wikimedia.org',
);
I removed my timthumb file(s), but if you want to edit yours instead, change that line to look like this:
$allowedSites = array ();
Make sure the parentheses are empty.
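The two find commands above and the $allowedSites check can be combined into one audit. The following is an added example, not code from the original post or from the TimThumb project: it locates every PHP file carrying the TimThumb signature under a document root (whatever the copy was renamed to), prints each copy’s VERSION constant, and reports whether its $allowedSites list is still populated. The directory tree it scans is a constructed fixture built in a temporary directory so the script runs stand-alone; point audit_timthumb at ~/public_html for a real check.

```shell
# Added audit helper (not part of the original post or of TimThumb itself).
# Reports one line per TimThumb copy: "<path> <version> <nonempty|empty|absent>".
audit_timthumb() {
  # $1 is the document root to scan (the post uses ~/public_html)
  find "$1" -type f -name '*.php' -exec grep -l 'TimThumb' {} + 2>/dev/null |
    sort |
    while IFS= read -r f; do
      # Pull the version string out of a line like: define ('VERSION', '2.8');
      ver=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([^'\"]*\)['\"] *).*/\1/p" "$f" | head -n 1)
      # Buffer the $allowedSites = array ( ... ) block up to its closing paren,
      # then ask whether anything alphanumeric sits between the parentheses.
      sites=$(awk '
        /\$allowedSites *= *array *\(/ { grab = 1 }
        grab { buf = buf $0 }
        grab && /\)/ { exit }
        END {
          r = "absent"
          if (grab) r = (buf ~ /\([^)]*[A-Za-z0-9]/) ? "nonempty" : "empty"
          print r
        }' "$f")
      printf '%s %s %s\n' "$f" "${ver:-unknown}" "$sites"
    done
}

make_sample_tree() {
  # Constructed fixture: a throwaway WordPress-like tree holding a stock copy,
  # a renamed copy whose list was already emptied, and an unrelated PHP file.
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/plugins/gallery"
  cat > "$root/wp-content/themes/demo/timthumb.php" <<'EOF'
<?php
/* TimThumb script (constructed sample header) */
define ('VERSION', '2.8');
$allowedSites = array (
  'flickr.com',
  'img.youtube.com',
);
EOF
  cat > "$root/wp-content/plugins/gallery/thumb.php" <<'EOF'
<?php
// renamed copy of TimThumb (constructed sample)
define ('VERSION', '1.32');
$allowedSites = array ();
EOF
  printf '<?php echo "gallery index";\n' > "$root/wp-content/plugins/gallery/index.php"
  printf '%s\n' "$root"
}

audit_timthumb "$(make_sample_tree)"
```

Any line reporting "nonempty" is a copy whose external-host list still needs clearing (or the file replacing), and an old version number flags a copy that was never updated.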
Stay safe, and happy blogging!
9 Comments until now
So what’s the vulnerability? Is it only vulnerable if we have external domains added to $allowedSites?
Yes, at this point that is what is currently known to be vulnerable in it; however, as mentioned, the nature of the script functionality itself makes it risky, and plugins and/or themes will still add things to that list too. See the following for more information: http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
For further support in cleaning this up if you have already been hacked because of it, see: http://redleg-redleg.blogspot.com/2011/08/malware-hosted-newportalsecom.html
And: http://wordpress.org/support/topic/site-hacked-newportalsecom
Hey guys,
imagine you’re talking to someone who knows ZIP about all this (like I do), and he got a msg from the server to this extent:
This is a courtesy notice that we have found exploitable timthumb.php file(s) on your account. It is highly recommended that you update these files to the latest available version to prevent possible compromise. This is best done by updating all scripts, plugins, modules and themes on your account to the latest version.
What should I do?
Thanks a bunch,
Mark
Mark,
You should do what it says.
1) If you have themes or plugins that need to be upgraded, upgrade them.
2) If you have any themes or plugins that you are not using, or that you can possibly afford to get rid of, get rid of them. Even if they are not in use, they still make your site vulnerable just by existing… delete them.
3) Replace your outdated timthumb file.
3a) If you have SSH access, you can find all of your timthumb.php files with the following command: find ~/public_html -name timthumb.php
(Note that there are other files with the same timthumb code which may not actually be named timthumb.php, so this is not an all-inclusive finder/fixer)
3b) You can replace your timthumb.php files with the code here: http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php
Thanks for all the info. Just wondering how I can check the php version of the timthumb.php file?
Neal
You can see the version in the file. Here’s an example:
define ('VERSION', '2.8');
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….
Check your log files, and especially the Raw Access Log for repeated access attempts to the same files in paths you don’t have.
In the case of timthumb.php there are numerous lines trying to access the file in my log.
Look up the IP, and if it’s static, block it with whatever means you have.