
Thread: Vulnerability in TimThumb [reported]

  1. #1
    Senior Member guvner's Avatar
    Join Date
    Nov 2010
    Location
    Sydney
    Posts
    302

    Vulnerability in TimThumb [reported]

    If you have TimThumb active either through a theme or a plugin (a lot of them use it), you might want to read this article carefully - but first here's the exec summary:

    An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name.

    If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty.

    The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory.


    We all have a few themes besides Catalyst installed. I just checked some of mine and they all use timthumb.php, as do quite a few plugins. Until the theme is activated, I doubt it's going to be a problem, but if the report is accurate, active plugins which use the script could be suspect, and I had two active on quite a few sites.

    I can't validate the contents of the article, but to be safe I've edited all my timthumb scripts just in case.

    Read the rest of the article >>
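    The "partial match on hostnames" described above, shown as an added example (not TimThumb's own code): a substring-style check beside a strict host check, with a constructed allow-list and sample URLs, plus the effect of the recommended empty $allowedSites.

```python
# Added example, not TimThumb's code. Contrasts the partial hostname match the
# thread warns about with a strict host check. Allow-list and URLs are constructed.
from urllib.parse import urlsplit

ALLOWED_SITES = ["flickr.com", "picasa.com"]  # constructed sample allow-list

# Constructed inputs: a genuine subdomain of an allowed site, and two URLs that
# merely contain an allowed name somewhere in the string.
SAMPLE_URLS = [
    "http://farm1.flickr.com/pic.jpg",
    "http://flickr.com.example.net/image.jpg",
    "http://example.net/flickr.com/image.jpg",
]

def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def weak_is_allowed(url: str, allowed=ALLOWED_SITES) -> bool:
    """Partial match: accept if any allowed name appears anywhere in the URL.
    This mirrors the flaw described in the thread."""
    return any(site in url.lower() for site in allowed)

def strict_is_allowed(url: str, allowed=ALLOWED_SITES) -> bool:
    """Accept only an exact host match or a subdomain of an allowed site.
    With an empty allow-list (the thread's mitigation) nothing remote passes."""
    host = host_of(url)
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in allowed)

def audit(urls, allowed=ALLOWED_SITES):
    """Return URLs the weak check admits but the strict check rejects."""
    return [u for u in urls
            if weak_is_allowed(u, allowed) and not strict_is_allowed(u, allowed)]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}: weak={weak_is_allowed(u)} strict={strict_is_allowed(u)}")
    print("admitted only by the weak check:", audit(SAMPLE_URLS))
    print("with empty allow-list:", [strict_is_allowed(u, []) for u in SAMPLE_URLS])
```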

  2. #2
    Senior Member bambo's Avatar
    Join Date
    Feb 2011
    Location
    Denmark
    Posts
    3,650
    Nice to know. Development in hardening TimThumb can be followed here: http://code.google.com/p/timthumb/issues/detail?id=212. "BinaryMoon" is the plugin developer and the problem seems to be acknowledged. He asks for good ideas.

  3. #3
    Senior Member whims's Avatar
    Join Date
    Jun 2011
    Location
    NY
    Posts
    984
    Thanks for the heads-up!
    Nearly installed something that had TimThumb in it this evening and changed my mind at the last moment for reason xyz.
    Glad I did now.

  4. #4
    Senior Member bambo's Avatar
    Join Date
    Feb 2011
    Location
    Denmark
    Posts
    3,650
    I have not checked details but noticed that both Elegantthemes and Woothemes have tweeted about this. Seems like Elegantthemes rolled back the version while Woothemes says "fixes coming very soon". The problem with Elegantthemes' fix is that it will not work for those using a CDN or just a subdomain. Some hope Woothemes have a real fix that allows the normal feature to work.

    Binarymoon says "I have changed the allowed domain check to use a regex as suggested by Mark in the separate patch submission so the latest version 'should' resolve the domain issue." So whoever gets 'should' converted to 'definitely fixed' first wins. Maybe Woothemes is reading the same thread on Google Code.

    Elegantthemes actually made a post about this, so no need for Twitter: http://www.elegantthemes.com/blog/th...ecurity-update. So, two fixes: roll back/disable via Theme updates, or use the shiny new, possibly fixed TimThumb files.
    Last edited by bambo; 08-03-2011 at 02:06 AM.

  5. #5
    Senior Member guvner's Avatar
    Join Date
    Nov 2010
    Location
    Sydney
    Posts
    302
    As I imagine all Elegant customers did, I received the email from Nick Roach yesterday as per his blog posts, so it seems that he and the other themers who are on top of their game are reacting quickly, which is great to see.

  6. #6
    Senior Member bambo's Avatar
    Join Date
    Feb 2011
    Location
    Denmark
    Posts
    3,650
    Yes, kind of a test this is. Hopefully busy days at ThemeForest: http://themeforest.net/forums/thread...rability/48195. Bundled TimThumb files need it.

  7. #7
    Junior Member
    Join Date
    Feb 2011
    Posts
    7
    Just got this notice too. After following some posts, one recommended http://sucuri.net/tools/sucuri_wp_check.txt (upload this file, change .txt to .php, then run the file). I did this on one of my Catalyst themes and received this warning:

    Warning: Found PHP file inside image directory ./wp-content/themes/catalyst/images/social/index.php
    Warning: Found suspicious file (timthumb or uploadify): ./sucuriwpcheck.php

    Thoughts? Do we have to worry about this timthumb warning with Catalyst?

  8. #8
    Catalyst Team Member justme's Avatar
    Join Date
    Nov 2010
    Posts
    8,370
    Quote Originally Posted by trem View Post
    Just got this notice too. After following some posts, one recommended http://sucuri.net/tools/sucuri_wp_check.txt (upload this file, change .txt to .php, then run the file). I did this on one of my Catalyst themes and received this warning:

    Warning: Found PHP file inside image directory ./wp-content/themes/catalyst/images/social/index.php
    Warning: Found suspicious file (timthumb or uploadify): ./sucuriwpcheck.php

    Thoughts? Do we have to worry about this timthumb warning with Catalyst?
    It looks like the tool is giving a warning simply because there is an index.php file inside an images directory, a common hiding place for bad guys to place their malicious code. Eric might have further comment, but as far as I know the index.php in that directory is an empty file, simply there as best practice to prevent direct access to file directory information. In other words, no worries. But if I were you, I would inspect the file to make sure no one has put any malicious code there.
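    The distinction made in the two posts above (an empty index.php placeholder in an images directory versus a PHP file that actually carries code), as an added example that is not the Sucuri tool or Catalyst's code: a small scanner over a constructed wp-content tree. The image directory names it looks for are assumptions.

```python
# Added example, not Sucuri's or Catalyst's code. Walks a WordPress tree, flags
# PHP files inside image directories, and separates empty index.php placeholders
# from PHP files that contain content. Directory names below are assumptions.
import os
import tempfile

IMAGE_DIR_NAMES = {"images", "img", "uploads"}  # assumed image directory names

def scan_php_in_image_dirs(root: str):
    """Return (placeholders, suspicious): empty index.php files versus PHP files
    with content, for every PHP file found under an image directory."""
    placeholders, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not set(rel_dir.split(os.sep)) & IMAGE_DIR_NAMES:
            continue  # not inside an image directory
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == "index.php" and os.path.getsize(path) == 0:
                placeholders.append(rel)  # the benign case from the thread
            else:
                suspicious.append(rel)    # PHP code where only images belong
    return sorted(placeholders), sorted(suspicious)

def build_sample_tree() -> str:
    """Create a constructed wp-content layout in a temp dir: the empty placeholder
    named in the thread, a PHP file with content under uploads, a theme PHP file
    outside any image directory, and an ordinary image."""
    root = tempfile.mkdtemp()
    def write(rel, data=b""):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    write("wp-content/themes/catalyst/images/social/index.php")
    write("wp-content/uploads/2011/08/thumb.php", b"<?php echo 1; ?>")
    write("wp-content/themes/catalyst/functions.php", b"<?php // theme ?>")
    write("wp-content/uploads/2011/08/photo.jpg", b"\xff\xd8\xff")
    return root

if __name__ == "__main__":
    placeholders, suspicious = scan_php_in_image_dirs(build_sample_tree())
    print("empty placeholders:", placeholders)
    print("PHP with content in image dirs:", suspicious)
```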

  9. #9
    A buddy of mine wrote a plugin to identify the TimThumb vulnerability. It's free: http://wordpress.org/extend/plugins/...bility-scanner

  10. #10
    Does Catalyst use the timthumb.php?
