TimThumb raises its ugly head, once again

A new vulnerability has been announced in TimThumb, a library that many WordPress sites use to manipulate and display images. This vulnerability makes sites with a particular configuration of TimThumb vulnerable to arbitrary code execution attacks. These attacks are pretty serious, allowing the attacker to force your server to run any command they like. Usually, it’s not much work for an attacker to turn arbitrary code execution into complete control of the vulnerable server or network.

If this feels familiar, it should. A very similar vulnerability was found in TimThumb in 2011. That one was much more serious, because pretty much all sites using TimThumb were vulnerable. This time not so many people will be affected, because you have to have the plugin in a specific, non-default configuration to be vulnerable.

That said: if you have a WordPress website that uses TimThumb, you should immediately check to see if you’re vulnerable. If you’re a customer of ours, you can rest easy: we’ve had a look, and although some of our customers are using this library, none have the vulnerable configuration enabled.

The vulnerability report only lists version 2.8.13 as vulnerable. According to Michael VanDeMar (thanks!), this feature goes back to at least TimThumb 2.4, making it likely that almost all versions in use today are vulnerable. Unfortunately, an updated version of TimThumb is not yet available, so if you are vulnerable, you’ve got to get into the source code to sort it out.

What should I do now?

Because some themes rename TimThumb files, you’re not necessarily in the clear if you can’t find a file called timthumb.php. To check if you’re vulnerable, search through all your project’s files for WEBSHOT_ENABLED. If you can’t find that text anywhere in your site’s wp-content directory, you’re almost certainly in the clear.

If you do find it, it could show up anywhere. But most likely, you’ll find this line in timthumb.php:

if(! defined('WEBSHOT_ENABLED') )  define ('WEBSHOT_ENABLED', false);  // Beta feature. [snip]

If, as in this example, every mention of WEBSHOT_ENABLED defines it as false, you’re in the clear. If, however, you find this anywhere:

define ('WEBSHOT_ENABLED', true);

Then you are probably running with the vulnerable feature enabled.
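The check described above, scripted as an added example (not code from the original post or from TimThumb itself): it walks a wp-content directory, inspects every .php file regardless of name, and lists the ones that define WEBSHOT_ENABLED as true. It needs only POSIX sh, find, grep and mktemp; the function names and the sample theme files are constructed for this example.

```shell
#!/bin/sh
# Added example: find TimThumb copies that have WEBSHOT_ENABLED switched on.

# Print each .php file under $1 that contains define('WEBSHOT_ENABLED', true).
# Returns 0 when nothing is found (likely safe) and 1 when something is.
webshot_check() {
    # ERE for: define ( 'WEBSHOT_ENABLED' , true  with either quote style,
    # any spacing, and "true" in any letter case (PHP accepts TRUE as well).
    pattern="define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee]"
    # Themes rename timthumb.php, so every .php file is inspected, not just
    # files with that name. "|| true" keeps a no-match result from aborting
    # the caller when it runs under set -e.
    hits=$(find "$1" -type f -name '*.php' -exec grep -El "$pattern" {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Build a constructed wp-content tree with one safe theme and one theme that
# ships a renamed TimThumb with the beta feature enabled; prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/safe-theme" "$root/themes/risky-theme/lib"
    # Stock TimThumb line: the feature is off by default.
    printf '%s\n' "if(! defined('WEBSHOT_ENABLED') )  define ('WEBSHOT_ENABLED', false);" \
        > "$root/themes/safe-theme/timthumb.php"
    # Renamed copy of the library with the feature switched on.
    printf '%s\n' "define ('WEBSHOT_ENABLED', true);" \
        > "$root/themes/risky-theme/lib/thumb.php"
    echo "$root"
}

# Stand-alone run: scan the sample tree, report, and clean up.
demo_root=$(make_sample_tree)
if webshot_check "$demo_root"; then
    echo "No file enables WEBSHOT_ENABLED under $demo_root"
else
    echo "The file(s) above enable WEBSHOT_ENABLED: set the flag to false"
fi
rm -rf "$demo_root"
```

Point webshot_check at your real wp-content directory to run it against a live site; any file it prints is one where the define should be changed to false.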

How do I fix it?

The solution is to disable the feature, by setting it back to false:

define ('WEBSHOT_ENABLED', false);

Finding every place where this is set to true and changing it to false will probably be enough to make you safe, but if you’re unsure, you should ask a developer to do this for you.

Alternatively, you could switch to a theme that doesn’t have TimThumb (or doesn’t enable this feature).

However, if you are vulnerable, it’s also possible that you’ve already been exploited. So, unless you are sufficiently technical to fix and investigate this yourself, it’s probably best to find a developer to help you out.

PS: Many thanks to Michael VanDeMar for pointing out a problem with the original post – it’s been updated now.