Timthumb raises its ugly head, once again

A new vulnerability has been announced in TimThumb, a library that many WordPress sites use to manipulate and display images. This vulnerability makes sites with a particular configuration of TimThumb vulnerable to arbitrary code execution attacks. These attacks are pretty serious, allowing the attacker to force your server to run any command they like. Usually, it’s not much work for an attacker to use an arbitrary code execution vulnerability to gain complete control of the vulnerable server or network.

If this feels familiar, it should. A very similar vulnerability was found in TimThumb in 2011. That one was much more serious, because pretty much all sites using TimThumb were vulnerable. This time not so many people will be affected, because you have to have the plugin in a specific, non-default configuration to be vulnerable.

That said: if you have a WordPress website that uses TimThumb, you should immediately check to see if you’re vulnerable. If you’re a customer of ours, you can rest easy: we’ve had a look, and although some of our customers are using this library, none have the vulnerable configuration enabled.

The vulnerability report only lists version 2.8.13 as vulnerable. According to Michael VanDeMar (thanks!), this feature goes back to at least TimThumb 2.4, making it likely that almost all versions in use today are vulnerable. Unfortunately, an updated version of TimThumb is not yet available, so if you are vulnerable, you’ve got to get into the source code to sort it out.

What should I do now?

Because some themes rename TimThumb files, you’re not necessarily in the clear if you can’t find a file called timthumb.php. To check if you’re vulnerable, search through all your project’s files for WEBSHOT_ENABLED. If you can’t find that text anywhere in your site’s wp-content directory, you’re almost certainly in the clear.

If you do find it, it could show up anywhere. But most likely, you’ll find this line in timthumb.php:

if(! defined('WEBSHOT_ENABLED') )  define ('WEBSHOT_ENABLED', false);  // Beta feature. [snip]

If, as in this example, every mention of WEBSHOT_ENABLED defines it as false, you’re in the clear. If, however, you find this anywhere:

define ('WEBSHOT_ENABLED', true);

Then you are probably running with the vulnerable feature enabled.
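As an added example (not code from this post or from TimThumb itself), here is a small Python scanner that performs the check above across a whole wp-content tree, whatever the file has been renamed to, and classifies each hit as enabled, disabled, or a bare mention that needs a manual look. The sample files it scans are constructed here, and their paths are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Matches define('WEBSHOT_ENABLED', true|false) with any spacing or quote style;
# PHP's true and TRUE are the same literal, so the match is case-insensitive.
DEFINE_RE = re.compile(
    r"define\s*\(\s*['\"]WEBSHOT_ENABLED['\"]\s*,\s*(true|false)\s*\)", re.IGNORECASE)

def classify_source(text):
    """Verdict for one file's contents: 'enabled', 'disabled', 'mention' or None."""
    values = {m.group(1).lower() for m in DEFINE_RE.finditer(text)}
    if "true" in values:
        return "enabled"   # any define(..., true) counts: PHP keeps the first define()
    if "false" in values:
        return "disabled"
    if "WEBSHOT_ENABLED" in text:
        return "mention"   # referenced without a literal true/false: review by hand
    return None

def scan_tree(root):
    """Scan every file under root (renamed copies included); map path -> verdict."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            verdict = classify_source(path.read_text(encoding="utf-8", errors="replace"))
            if verdict:
                results[path.relative_to(root).as_posix()] = verdict
    return results

# Constructed sample wp-content tree: the guarded default, a renamed copy that
# enables the feature, and a theme that flips the flag from functions.php.
SAMPLE_FILES = {
    "plugins/gallery/timthumb.php":
        "<?php\nif(! defined('WEBSHOT_ENABLED') )  define ('WEBSHOT_ENABLED', false);\n",
    "themes/shop/thumb.php": "<?php\ndefine ('WEBSHOT_ENABLED', TRUE);\n",
    "themes/blog/functions.php": "<?php\ndefine('WEBSHOT_ENABLED', true);\nrequire 'image.php';\n",
    "themes/blog/style.css": "body { color: #333; }\n",
}

def demo():
    """Write the sample tree to a temp dir, scan it and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:9} {rel}")
```

Point scan_tree at a real wp-content directory to get the same report; anything marked enabled or mention deserves a look, since a define in a theme's functions.php runs before the guarded default in timthumb.php.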

How do I fix it?

The solution is to disable the feature, by setting it back to false:

define ('WEBSHOT_ENABLED', false);

Finding every place where this is set to true and changing it to false will probably be enough to make you safe, but if you’re unsure, you should ask a developer to do this for you.

Alternatively, you could switch to a theme that doesn’t have TimThumb (or doesn’t enable this feature).

However, if you are vulnerable, it’s also possible that you’ve already been exploited. So, unless you are sufficiently technical to fix and investigate this yourself, it’s probably best to find a developer to help you out.

PS: Many thanks to Michael VanDeMar for pointing out a problem with the original post – it’s been updated now.

Harry Metcalfe

16 comments

  1. Pete McClymont

    How about running the TimThumb vulnerability scanner? https://wordpress.org/plugins/timthumb-vulnerability-scanner/

    • Harry Metcalfe

      Good question – I haven’t checked, but I doubt it will work. The vulnerability was only announced yesterday, and the last version of that plugin was released in 2012. I’ll post in their forum though, to see if they might like to release an update!

  2. Michael VanDeMar

    The first step is to check if any of your sites’ themes use TimThumb. Within each site, search for a file called timthumb.php.

    If that file does not exist in your site, you’re almost certainly not using TimThumb, so you’re in the clear.

    That is not true. People also need to search for simply thumb.php, since many themes and plugins rename the script when they add it. There are other scripts out there named thumb.php, so if found you actually need to open it and look at the contents to see which one you have, but to be safe people should definitely

    That being said, my guess is very, very few people are actually using this config setting.

    The vulnerability report only lists version 2.8.13 as vulnerable. We assume that previous versions are also vulnerable, but we’re not sure how far back that’ll be true.

    It looks like that config option exists at least as far back as version 2.4 (I didn’t go back any further than that), so would be pretty much all versions in use today, aside from those folks who still haven’t upgraded from when the previous vulnerability was discovered.

    • Harry Metcalfe

      Ah – I didn’t know that. Many thanks for pointing it out. I’ve updated the post and added in that information about old versions, too.

  3. Ian Dunn

    “[…] search for a file called timthumb.php. If that file does not exist in your site, you’re almost certainly not using TimThumb, so you’re in the clear.”

    I don’t think that’s accurate. I’ve seen it named as something generic more often than I’ve seen it named `timthumb.php`; it’s often `image.php`, and WooThemes includes it in their framework as `thumb.php`.

    A better method of detecting it would be running a command like:

    find /var/www -print0 | xargs -0 grep -i 'timthumb' -s

    That will search inside every file in the web server’s document root.

    • Harry Metcalfe

      Hi Ian – thanks for the comment. Michael pointed out the same thing, and I’ve updated the post to suggest that people just search everything for WEBSHOT_ENABLED.

  4. Michael

    Can a theme set WEBSHOT_ENABLED to TRUE outside of the timthumb.php or thumb.php code or would it have to be set to true only inside the actual timthumb.php/thumb.php file?

    • Harry Metcalfe

      Yes, it can be defined as true anywhere, as long as that define executes before timthumb.php is included.

      • Michael

        Gee, that’s great. So how do we ensure that it’s not being defined outside of timthumb.php? Other responses on the below WHT thread indicated the opposite of your response, but what you’ve explained seems to make sense. How do we protect against that scenario?

        http://www.webhostingtalk.com/showthread.php?t=1387986

        • Harry Metcalfe

          Yeah – this can be defined anywhere so it’s really important to search all the files in your site for WEBSHOT_ENABLED. That way, if the original file was renamed, or if someone is enabling this feature from within their theme or in a plugin, you’ll still catch it.

          There are some posts on that WHT thread indicating that, but also many that restrict the search to timthumb.php, or thumb.php. It’s an easy mistake to make – this post recommended the same approach until Michael VanDeMar pointed out my error in the comments!

  5. Christos Chatzaras

    I run a webhost and mass search the files for this bug. All customers had this setting to false. So I believe it is not a serious issue for most wordpress installations.

    • Harry Metcalfe

      Good to hear – however the original report does indicate that there may be places where the problem is more widespread:

      All themes from http://themify.me/ contains vulnerable “wordthumb” in “/themify/img.php”.

      • Pete McClymont

        For completeness, this from the Themify blog (members only):

        “…the alleged vulnerability is not true for Themify themes, since there are a number of factors that would have to be set plus a few modules enabled in your server for the exploit to become a viable one. Basically, you were never in danger.”

        Comment: in themify/img.php, WEBSHOT_ENABLED was set to FALSE.

        “To be cautious, we have taken immediate actions to remove all the code that, under the most pessimistic assumption, could lead to an exploit and have released an update. All Themify users are recommended to upgrade the themes.”

  6. Bewty

    It would be nice if you bothered explaining the nature of the vulnerability.

    • Harry Metcalfe

      Sorry if it wasn’t clear enough – is there any particular question?

      These attacks are pretty serious, allowing the attacker to force your server to run any command they like. Usually, it’s not much work for an attacker to use an arbitrary code execution to gain complete control of the vulnerable server or network.

  7. Piet

    Thanks for the heads-up.
    I just scanned my entire Sites folder and found that WooThemes Canvas runs timthumb under the name thumb.php. Fortunately WEBSHOT_ENABLED has been set to FALSE, but it makes you wonder why such a company would include timthumb in the first place.
    I use the Aqua-Resizer script on almost all sites I develop for myself and clients, much better and much more reliable!

Comments are closed.