I had written a great piece about this issue when it first happened, but I wrote it on a machine I don’t have constant access to and forgot to email it to myself. But enough of the back story; let’s talk about the problem and the fix. The problem is that several (not all) premium WordPress themes use a script called TimThumb. TimThumb is used to crop, zoom and resize web images. Because it fetches images and writes the results into a web-accessible cache directory, an attacker could get it to store a file of their choosing there, and if the web server then executes that file as PHP the site is compromised. That is what happened recently, and several sites running themes that bundle the script were compromised as a result. To find out whether your theme uses TimThumb, contact the theme’s developers, or search the theme’s directory for timthumb.php (some themes ship the script renamed, often as thumb.php).
The issue was first noted by Feedjit CEO Mark Maunder, and that set off a series of discussions throughout the community, eventually getting the developer of TimThumb, Ben Gillbanks, involved. Ben did a quick rewrite of the code that mitigated the issue in some cases, but there was still a lot of debate about the security of the script. This resulted in Mark forking TimThumb and creating WordThumb, a complete rewrite of TimThumb with some added features, like the ability to screenshot a website. The key point, according to Mark, was that it was much more secure because it was a line-by-line rewrite. To make a long story short, at the suggestion of WordPress founder Matt Mullenweg, Ben and Mark decided to merge the projects: WordThumb has been merged into the core TimThumb code, and the new script is now called TimThumb 2.0. The new TimThumb is fully backwards compatible and shouldn’t break your site at all. Going forward, Ben and Mark will be working together to keep TimThumb the easiest to use, fastest, most popular and most secure thumbnail script on the Web. This series of events is why I LOVE the WordPress community and how quickly and efficiently it can come together to solve issues.
Here are a few of the enhancements in TimThumb 2.0:
- The ability to take website screenshots if you have Xvfb and CutyCapt installed (instructions on how to set this up are included).
- All filters and resizing can be applied to website screenshots.
- The cache directory is hardened while remaining web-accessible, for flexibility across hosting platforms.
- TimThumb creates index files in your cache directory to prevent directory listings.
- Cache filenames are derived from data an attacker does not have access to, making it very hard to guess a cached file’s name and request it directly.
- Cache files are given a .txt extension, which the web server will not execute as PHP.
- Every cached file begins with a fixed-length header that, if a misconfigured web server does execute the file as PHP, is interpreted as PHP code that exits immediately, so the bytes after it (which may be attacker-supplied) are never run.
- Files are locked while they are written to the cache, to avoid conflicts between concurrent requests.
- The entire code base has been rewritten and refactored so it is easier to maintain and extend.
- Lots of other improvements.
What Do You Need To Do?
So to make sure you have the most secure version of TimThumb and to avoid having this issue yourself, download the latest version of TimThumb 2.0 here. To update TimThumb, browse to /wp-content/themes/theme-name/scripts/timthumb.php (the exact path varies by theme, and some themes ship the script as thumb.php). Open this file, replace its contents with the new code, save, and you should be good to go. Note that updating the script does not remove anything an attacker may already have dropped into the cache directory, so if your site was running the old version, check that directory for files that are not images. Now we just have to figure out how to make notifications of updates to the script easier, and possibly look at an improved way to update it for folks who aren’t technical. Either way, if your theme uses the old TimThumb script, update it IMMEDIATELY to ensure your site does not become susceptible to this attack. The improved functionality and features are another great reason to update. Hope this helps someone, and let me know if you need help updating. Now I’m off to update this site; I updated after the original issue, but now I need to take both my sites to TimThumb 2.0, let’s go!!
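As an added example (it is not code from this post or from the TimThumb project), here is a small shell script that does the check above across a whole wp-content tree rather than one theme at a time: it finds every copy of TimThumb by file content (so copies renamed to thumb.php are caught too), reports the version each one declares, and audits the cache directory beside each copy for three of the properties in the list above (an index file is present, cached files carry the .txt extension, and each cached file starts with a PHP header). It assumes that the script declares its version as define ('VERSION', '...') and keeps its cache in a cache directory next to itself; the header check only looks for the <?php prefix the post describes, not any particular header text, and the sample tree it builds when run without WP_CONTENT is constructed here for illustration.

```shell
#!/bin/sh
# Audit script added to this post (not code from the original article or the
# TimThumb project). Lists every TimThumb copy under a wp-content tree with the
# version it declares and checks each copy's cache directory for the hardening
# listed above. Assumptions not stated in the post: the script declares its
# version as define ('VERSION', '...') and keeps its cache in a "cache"
# directory beside itself (override CACHE_SUBDIR if a theme moved it).
CACHE_SUBDIR="${CACHE_SUBDIR:-cache}"

# Print the VERSION string declared in a TimThumb file, or "unknown".
timthumb_version() {
    v=$(sed -n "s/.*define[[:space:]]*([[:space:]]*'VERSION'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# Print "path<TAB>version" for every PHP file under $1 whose source mentions
# TimThumb (matching on content also catches copies renamed to thumb.php).
find_timthumb() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        grep -qi 'timthumb' "$f" || continue
        printf '%s\t%s\n' "$f" "$(timthumb_version "$f")"
    done
}

# Succeeds for the 2.0 rewrite or later, fails for the old 1.x line or unknown.
is_current() {
    case "$1" in
        1.*|unknown) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one line per problem in the cache directory beside TimThumb copy $1:
# no index file (directory listing possible), a cached file without the .txt
# extension, or a cached file that does not start with the PHP prologue that
# makes a misconfigured server exit instead of running attacker-supplied bytes.
audit_cache() {
    cache="$(dirname "$1")/$CACHE_SUBDIR"
    if [ ! -d "$cache" ]; then
        return 0
    fi
    if [ ! -e "$cache/index.html" ] && [ ! -e "$cache/index.php" ]; then
        echo "$cache: no index file, directory listing may be possible"
    fi
    for f in "$cache"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in index.html|index.php) continue ;; esac
        case "$f" in
            *.txt) ;;
            *) echo "$f: cached file without .txt extension" ;;
        esac
        if [ "$(head -c 5 "$f")" != "<?php" ]; then
            echo "$f: cached file without PHP security header"
        fi
    done
}

# Constructed sample tree (not a real install): one theme still on a 1.x copy
# with an open cache, one on 2.0 with the hardened cache, plus an unrelated file.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/themes/old-theme/scripts/cache" "$root/themes/new-theme/scripts/cache"
    printf "<?php\n// TimThumb script\ndefine ('VERSION', '1.34');\n" > "$root/themes/old-theme/scripts/timthumb.php"
    printf 'not really an image\n' > "$root/themes/old-theme/scripts/cache/abc123.jpg"
    printf "<?php\n// TimThumb 2.0\ndefine ('VERSION', '2.0');\n" > "$root/themes/new-theme/scripts/timthumb.php"
    : > "$root/themes/new-theme/scripts/cache/index.html"
    printf "<?php die('Execution denied!'); //\nfake image bytes\n" > "$root/themes/new-theme/scripts/cache/timthumb_int_1234.txt"
    printf "<?php\nfunction theme_setup() {}\n" > "$root/themes/new-theme/functions.php"
}

# With WP_CONTENT set, audit a real install; otherwise run over the sample tree.
if [ -n "${WP_CONTENT:-}" ]; then
    root="$WP_CONTENT"
else
    root=$(mktemp -d)
    make_sample_tree "$root"
fi
find_timthumb "$root" | while IFS="$(printf '\t')" read -r path ver; do
    if is_current "$ver"; then status="ok"; else status="UPDATE NOW"; fi
    echo "$path: version $ver ($status)"
    audit_cache "$path"
done
if [ -z "${WP_CONTENT:-}" ]; then
    rm -rf "$root"
fi
```

On a server, run it as WP_CONTENT=/var/www/html/wp-content sh timthumb-audit.sh; every copy reported as UPDATE NOW should have its contents replaced with TimThumb 2.0, and any cache directory with findings should be inspected by hand before the cache is cleared.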