If your WordPress theme uses the TimThumb library, or you are manually using the TimThumb script in your site's template, stop reading this article and remove the script right now. Your website is at serious risk: anyone can upload and execute arbitrary PHP code through your TimThumb cache directory.
About TimThumb: TimThumb is a PHP script used for cropping, zooming and dynamically resizing images on websites. While TimThumb can be used on any website, it is ideal for blogs and other websites that use templates and themes (self-hosted WordPress blogs, for example). Using TimThumb, you can dynamically fetch a cached copy of an image and proportionally resize it to fit your blog template. Thumbnails, user profile pictures and signature images are typical examples of where the TimThumb script is used. Whilst TimThumb has found a home in WordPress themes, it is by no means limited to them; TimThumb can be used on any website to resize almost any image.
Here is how the TimThumb script works under normal conditions:
You get the TimThumb script from Google Code, upload it to a directory on your web server, specify a cache directory and call the script from the source of your template. TimThumb accepts a lot of parameters; which ones you use depends on the requirements of your website and how you want to scale internal as well as external images.
Once your script is in place, it continues to work in the background and stores a copy of the original image in the cache folder. So if you are scaling a really large image down to 100 x 100 using TimThumb, a copy of the image at exactly that size is saved in the cache folder, and that cached image is what your website visitors see.
And here is how the recent TimThumb vulnerability goes to work.
Since the cache directory is public and accessible to anyone visiting the website, an attacker can compromise your site by finding a way to get TimThumb to fetch a PHP file and write it into that directory. And since the web server is configured to execute any file ending with a .php extension in the cache directory, you are trapped.
The only way this vulnerability can be avoided is to explicitly modify the configuration of the cache directory and tell your web server not to execute .php files from TimThumb's cache directory. In the case of WordPress blogs and most other websites, however, almost every web server is preconfigured to execute .php files in any directory.
Mark Maunder discovered the problem when his own blog was hacked through this TimThumb exploit. The attacker uploaded a file to the cache folder of Mark's web server containing malicious code hidden behind base64_decode. Suddenly ads were popping up on every page of Mark's website, and the result could have been far more alarming. Common possibilities are serving malicious content, redirecting visitors to a random website, loading advertisements, or putting up a fake login page for users.
How To Keep Your Website Safe From TimThumb’s Security Exploit
There are quite a number of ways you can avoid such situations on your website.
1. Don't use the script at all: This is probably the best and recommended option for anyone who doesn't know how to tweak the WordPress theme of his site. Ask your theme developer to permanently remove the TimThumb script from your WordPress theme, or find the template files that call the TimThumb script yourself. Delete that code and don't forget to delete the TimThumb directory as well (be careful, and take a backup of your theme first).
2. TimThumb is not the only option: There are quite a number of alternatives to consider. For example, you can use jQuery plugins to resize internal images on your website.
3. Patch it: If you must use the TimThumb script, first patch the script to its latest version. Before using the script, open the timthumb.php file for editing, jump to line number 27 and remove the entries from $allowedSites. The array should have no elements and should look something like this:
//external domains that are allowed to be displayed on your website
$allowedSites = array();
Save the file and upload it back. This disables timthumb.php's ability to load images from external sites, so an attacker won't be able to compromise your site using an external image.
4. HTACCESS: Open Notepad (or any plain-text editor) and paste the following line into it:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Save the file as .htaccess (lowercase, since the file name is case-sensitive on most web servers) and upload it to TimThumb's cache folder (remember to save as All Files and not as a text file). This .htaccess file prevents PHP and other scripting languages from being executed, and anyone trying to access those files will get a 403 Forbidden response.
5. Why not WordPress? WordPress already has a very decent image handling system, and there is a chance that you don't need TimThumb in the first place. The way WordPress handles images is far more secure: it never creates cached files or writes them to a separate directory, and by default it keeps the images in the same place where they were uploaded. And since WordPress releases security and feature enhancements regularly, your WordPress-powered functions will automatically stay secure as you update WordPress.
Ben Gillbanks, the developer of TimThumb, is working on a fix, and a more secure version of TimThumb should be released soon. [changelog is here]
Bonus tip: Unless you understand the code and what it does, never use free WordPress themes for your site. A lot of them contain obfuscated code embedded in the source and unpacked at runtime with base64_decode, which can hurt you in more ways than one.
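The following audit script is an added example, not code from the article or from the TimThumb project: it walks a theme directory and reports the conditions behind steps 1, 3 and 4 above (template files calling TimThumb, a non-empty $allowedSites array, PHP files sitting in the cache folder, and a cache folder without the blocking .htaccess), then applies steps 3 and 4. The script names thumb.php and the directory name cache are assumptions; the sample theme it builds is constructed test data.

```python
import os
import re
import tempfile
from pathlib import Path

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}  # assumed: the real name plus a common rename
# Matches the $allowedSites line of timthumb.php; the article's step 3 leaves the array empty
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)
HTACCESS_RULE = "AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi\n"  # step 4

def audit_theme(theme_dir):
    """Walk a theme tree and return findings; an empty list means nothing to report."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            path = Path(root, name)
            if name.lower() in TIMTHUMB_NAMES:
                findings.append(f"timthumb script present: {path}")
                m = ALLOWED_SITES_RE.search(path.read_text(errors="replace"))
                if m and m.group(1).strip():
                    findings.append(f"external sites still allowed: {path}")
            elif name.lower().endswith(".php") and "timthumb" in path.read_text(errors="replace").lower():
                findings.append(f"template calls timthumb (step 1): {path}")
        if os.path.basename(root).lower() == "cache":  # assumed cache directory name
            findings += [f"PHP file in cache: {Path(root, n)}" for n in files if n.lower().endswith(".php")]
            ht = Path(root, ".htaccess")
            if not (ht.is_file() and "AddHandler cgi-script" in ht.read_text(errors="replace")):
                findings.append(f"cache directory lacks the blocking .htaccess: {root}")
    return findings

def apply_fixes(theme_dir):
    """Steps 3 and 4: empty $allowedSites and drop the .htaccess into each cache directory."""
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if name.lower() in TIMTHUMB_NAMES:
                path = Path(root, name)
                path.write_text(ALLOWED_SITES_RE.sub("$allowedSites = array();", path.read_text(errors="replace")))
        if os.path.basename(root).lower() == "cache":
            Path(root, ".htaccess").write_text(HTACCESS_RULE)

def build_sample_theme():
    """Constructed sample theme (not a real one) in the unsafe state the article describes."""
    d = Path(tempfile.mkdtemp(prefix="timthumb_audit_"))
    (d / "cache").mkdir()
    (d / "timthumb.php").write_text("<?php\n$allowedSites = array('flickr.com', 'picasa.com');\n")
    (d / "header.php").write_text("<?php echo get_template_directory_uri() . '/timthumb.php'; ?>\n")
    (d / "cache" / "external_1a2b3c.php").write_text("<?php /* constructed stray cache file */\n")
    return str(d)
```

The .htaccess rule relies on Apache honouring per-directory AddHandler (AllowOverride) and on ExecCGI being off for that folder, which is what produces the 403; confirm it after uploading by requesting a harmless test file in the cache folder. Stray PHP files the audit reports in the cache are still listed after the fixes, since the .htaccess only stops them from executing and they still need to be removed by hand.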