TimThumb vulnerability in WordPress

TimThumb is a PHP script that resizes images 'on the fly'. Image-resizing scripts of this kind are very popular, and TimThumb is best known from the WordPress world: many WordPress themes bundle it to provide image resizing.

Unfortunately, we noticed that many WordPress sites still use a theme with an old, vulnerable version of TimThumb.

Vulnerability

The vulnerability had already been reported in 2011, and the author of the script had written an extensive blog post about it.

For the sake of clarity: this vulnerability has nothing to do with the security and stability of WordPress itself. TimThumb is not a part of the WordPress core. It is an independent script that is often used in WordPress themes developed by third parties.

Because of this vulnerability, it is very easy to have the server fetch a remote script, store it locally and execute it. It allows hackers to upload scripts that may compromise the security of your hosting account and cause severe damage.

The cause

This vulnerability is caused by the fact that the script supports external file inclusion. In other words, it does not only process local images; it will also fetch and process images from external URLs.

The URL below is an example of how TimThumb is normally called:

http://www.domainname.be/wp-content/themes/your-theme/lib/scripts/timthumb.php?src=http://farm9.staticflickr.com/8204/8211249708_14b486b010.jpg

The input validation is rather superficial: it is performed on only part of the URL, not on the entire URL. The script checks whether the domain name of the external image appears in a list of white-listed sites. This list includes, among others, the following white-listed domain names:

  • Flickr.com
  • Picasa.com
  • Img.youtube.com
  • Blogger.com
  • WordPress.com

However, it is very easy to pass the check: a URL whose hostname merely contains one of these white-listed domain names is accepted. The following hypothetical URL passes the check even though the host has nothing to do with Flickr:

http://flickr.com.evilsite.com/hack.php
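To make the flaw concrete, here is an added example (not TimThumb's code and not part of the original article): a Python model of the substring-style check the article describes, side by side with an exact-host check, run over the URLs from this article plus two constructed ones. The allow list is the article's, with staticflickr.com added as an assumption because the article's own Flickr example points at farm9.staticflickr.com, which an exact-host check would otherwise reject; the function names are mine.

```python
from urllib.parse import urlparse

# Allow list as listed in the article. Assumption: "staticflickr.com" is added because an
# exact-host check has to name the real image hosts, and the article's Flickr example URL
# lives on farm9.staticflickr.com, which is not a subdomain of flickr.com.
ALLOWED_SITES = (
    "flickr.com",
    "staticflickr.com",
    "picasa.com",
    "img.youtube.com",
    "blogger.com",
    "wordpress.com",
)


def weak_is_allowed(url):
    """Simplified model of the flawed control described in the article: accept the URL if
    any allowed name occurs anywhere in it. This models the description, not TimThumb's
    actual source."""
    lowered = url.lower()
    return any(site in lowered for site in ALLOWED_SITES)


def strict_is_allowed(url):
    """Hardened control: parse the URL, require http(s), and compare the host name itself
    (exact match, or a labelled subdomain such as www.flickr.com) against the allow list."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    # urlparse().hostname drops port and userinfo, so "flickr.com@evil" tricks do not apply.
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


# Two URLs from the article and three constructed ones.
SAMPLE_URLS = (
    "http://farm9.staticflickr.com/8204/8211249708_14b486b010.jpg",  # article's legitimate call
    "http://flickr.com.evilsite.com/hack.php",                        # article's hypothetical bypass
    "http://www.flickr.com/photo.jpg",                                # constructed: real subdomain
    "http://evilsite.com/x.png?ref=flickr.com",                       # constructed: name in query
    "http://evilsite.com/x.png",                                      # constructed: no allowed name
)


def compare(urls=SAMPLE_URLS):
    """Return {url: (weak_verdict, strict_verdict)} for each URL."""
    return {url: (weak_is_allowed(url), strict_is_allowed(url)) for url in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"weak={str(weak):5} strict={str(strict):5} {url}")
```

Run as a script it prints both verdicts per URL: the substring model accepts four of the five, including the evilsite.com ones, while the exact-host check accepts only the two genuine Flickr hosts. The point of the strict version is that the decision is made on the parsed hostname alone, so nothing an attacker places in the path, query or a different label of the host can influence it.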

Abuse

The content of the external file (in this case "hack.php") is not executed immediately; it is fetched and stored in the script's cache directory. If the fetched file is an image, it is served straight from the cache. If it is not an image, the script returns an error message that reveals where the file was stored. The error message can look like this:

Unable to open image: /var/www/wp-content/themes/your-theme/lib/scripts/cache/07ae62439acc0e284d9d706b55fabb36.php

Because the script displays the location of the cached file like this, executing the hack.php script becomes trivial. All an attacker needs to do to take over the account is request the URL below.

http://www.domainname.be/wp-content/themes/your-theme/lib/scripts/cache/07ae62439acc0e284d9d706b55fabb36.php

Consequences

The consequences of this vulnerability can be severe. Once hackers can upload PHP scripts, they can easily take control of the site and read and edit your files. The underlying database is no longer secure either, since its credentials can be read from the WordPress configuration file.

What do hackers usually do?

  • They can change the content of your site or blog to spread their own political messages.
  • They often use the hacked sites to store malicious files and spread them around.
  • Hacked sites can also be used to send spam.
  • They inject malicious code in your site that is executed every time people visit it.
  • They attack other sites or servers from your account.

Problem detection and fixing

Not all WordPress installations are vulnerable. Only installations with themes using an old version of TimThumb are.

All TimThumb versions older than 2.8.2 are vulnerable and should be upgraded as soon as possible. You will find all the necessary information at http://code.google.com/p/timthumb/. For the latest version of the TimThumb script, see http://timthumb.googlecode.com/svn/trunk/timthumb.php.

A convenient WordPress plugin is available that checks your installation for the vulnerability. It not only searches for older versions of TimThumb, but also looks for files that hackers may have planted in the cache directory.
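As an added example (not the plugin mentioned above and not part of the original article), the following Python script performs the two checks that paragraph describes on a local copy of a site: it finds timthumb.php files, reads the version the script declares and flags anything below 2.8.2, and lists cache files that are not images. It assumes the script declares its version as define('VERSION', '...'), that some themes ship it under the name thumb.php, and that cached files live in a directory named cache, as in the article's paths. The sample site tree it builds is constructed data.

```python
import os
import re
import tempfile

# Releases before 2.8.2 carry the external-inclusion flaw described in the article.
FIXED_VERSION = (2, 8, 2)

# Assumption: TimThumb 2.x declares its version as define ('VERSION', '2.8.x');
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9.]+)['"]""")

# Magic bytes of the formats a thumbnail cache should contain; anything else is suspect.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Assumption: housekeeping files some versions place in cache/; not worth flagging.
IGNORED_CACHE_FILES = {"index.html", ".htaccess"}

# Assumption: the script is also shipped under the name thumb.php in some themes.
SCRIPT_NAMES = {"timthumb.php", "thumb.php"}


def parse_version(source):
    """Extract the declared version as a tuple of ints, or None if it cannot be found."""
    match = VERSION_RE.search(source)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split(".") if part)


def is_vulnerable(version):
    """Versions below 2.8.2 are vulnerable; an undetectable version gets a manual look."""
    return version is None or version < FIXED_VERSION


def looks_like_image(path):
    """True if the file starts with a JPEG, PNG or GIF signature."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return any(head.startswith(magic) for magic in IMAGE_MAGIC)


def scan_tree(root):
    """Walk a site tree; report vulnerable/current TimThumb copies and non-image cache files."""
    report = {"vulnerable": [], "current": [], "suspicious_cache": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        in_cache = os.path.basename(dirpath).lower() == "cache"
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() in SCRIPT_NAMES:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    version = parse_version(fh.read())
                bucket = "vulnerable" if is_vulnerable(version) else "current"
                report[bucket].append((rel, version))
            elif in_cache and name.lower() not in IGNORED_CACHE_FILES:
                # A .php file in the cache, or any file that is not an image, is suspect.
                if name.lower().endswith(".php") or not looks_like_image(full):
                    report["suspicious_cache"].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def build_sample_tree():
    """Build a throwaway WordPress-like tree (constructed data, not a real site)."""
    root = tempfile.mkdtemp(prefix="timthumb-scan-")
    old = os.path.join(root, "wp-content", "themes", "old-theme", "lib", "scripts")
    new = os.path.join(root, "wp-content", "themes", "new-theme", "inc")
    os.makedirs(os.path.join(old, "cache"))
    os.makedirs(os.path.join(new, "cache"))
    with open(os.path.join(old, "timthumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '2.7');\n// constructed stub, not the real script\n")
    with open(os.path.join(new, "timthumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '2.8.10');\n// constructed stub, not the real script\n")
    with open(os.path.join(old, "cache", "constructed-thumbnail.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)          # JPEG signature plus filler
    with open(os.path.join(old, "cache", "07ae62439acc0e284d9d706b55fabb36.php"), "wb") as fh:
        fh.write(b"<?php /* constructed placeholder for a planted file */ ?>\n")
    return root


if __name__ == "__main__":
    for bucket, entries in scan_tree(build_sample_tree()).items():
        print(bucket, entries)
```

Point it at a real document root with scan_tree("/path/to/site") (an assumed path). Checking the first bytes rather than the file name is deliberate: the article's cache example shows that the cache keeps whatever extension the remote file had, and a defender wants to catch anything in there that is not actually an image.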

Another possible fix is to empty the list of white-listed external sites. This list looks like this:

$allowedSites = array (
'flickr.com',
'picasa.com',
'img.youtube.com',
);

All you need to do is replace this bit of code with the following:

$allowedSites = array ();

Although emptying the list of white-listed sites is an easy workaround, upgrading to the latest version of TimThumb is what really matters. Creators of WordPress themes that bundle it have most probably already published updates containing the latest version of the script, so updating your themes may fix the problem too.

Conclusion

Although this is not breaking news, we still notice that many sites use themes with an older version of TimThumb. And even though this vulnerability has nothing to do with WordPress itself, it is mainly WordPress installations that get hacked through it. So, we advise you to upgrade your themes as soon as possible and to check whether they use an old version of TimThumb. Make sure that your version is not older than 2.8.2.