[Security] TimThumb Vulnerability – Fixes


Wednesday, August 10th, 2011 - Security

The TimThumb exploit is still out there. More theme developers are updating their themes to include fixed solutions for this library.

The TimThumb project was forked into another project, called WordThumb by Mark Maunder and then recombined with the TimThumb project. As a result the versions of TimThumb is a little out of whack. The current version of TimThumb appears to be 2.7, however any version after (and including) 1.34 appears to have fixed the major issue with TimThumb. Each subsequent release of TimThumb just adds additional security layers, and for this reason version 2.7 is probably the version you need to be using.

However, the best thing you can in regards to this vulnerability is talk to developer, the person that wrote the WordPress theme you are using, and ask them if the theme is vulnerable to this security issue. It is important to note that this is not a security issue with WordPress. In fact TimThumb is used by other applications other than WordPress. WordPress is just the most common venue for TimThumb, and select WordPress users are more likely to be affected by this. It is also worth pointing out that not all WordPress uses are affected by this, it just depends on what themes you have installed and are using on your website.

The security blog Sucuri has a list of SOME affected WordPress themes:

http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html

However it is important to point out that this is not a complete list. Just because your WordPress theme is not listed here, does not mean that it is not affected by this exploit. Again, the best step is to talk to your WordPress theme developer and ask them if you are affected by this vulnerability.

Matt Mullenweg, the founder and creator of WordPress, has an interesting post about this issue:

http://ma.tt/2011/08/the-timthumb-saga

We are going to be going through the servers looking for timthumb.php files that may be affected by this. You should receive an email from us if this is found on your webhosting account. However, not all themes use the timthumb.php filename and for those we will not be able to find them. So just because you did not receive an email from us, this does not mean that you are affected by this. Again, I cannot stress this point enough, the best thing you can do is talk to your theme developer and ask them if you are affected by this. Your theme developer, the makers of your theme, are going to be your best bet at finding out if you are vulnerable to this.

Steven