We are seeing more and more WordPress websites being hacked through exploiting the timthumb.php script.
What is TimThumb?
It is a PHP script file that automatically generates a file upon receiving a request, from any URL.
It’s commonly used to resize uploaded images and generate thumbnails, however, the script is dangerous due to the way it operates.
As John Ford explained on the VaultPress blog, TimThumb’s vulnerability
allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory.
This file would allow the attacker to further compromise the site in any way.
The latest version of timthumb.php can be found here:
Although the developers have tried to fix some of the vulnerabilities in the code, the nature of what it does still leaves it a threat to your website.
TimThumb is truly evil 👿 and needs to be deleted from all websites.
I challenge anyone to convince me otherwise.
Where is it?
A quick Google Search for timthumb.php returned 54,000 local results. That’s a lot of potential websites to hack.
Unfortunately the timthumb.php file is shipped with many WordPress themes and plugins, even premium ones on the top theme sites.
If you have a local copy of your website theme, you can perform a Windows or Mac search for the file timthumb.php.
We’ve also see it called crop.php, thumb.php, thumbnail.php and resize.php.
If you have SSH access to your website you can run the following search command in the console to determine if the file is there.find ~/ -name timthumb.php
Run that for each of the filenames above.
What will happen if I delete it from my website?
At least two things will happen when you remove the timthumb.php file from your WordPress website.
- Your website will instantly become more secure
- You may loose the ability to automatically resize images/thumbnails in your theme
If you find TimThumb in your theme I suggest that you contact the theme developer and ask them if they have an alternative option.
You can also search the WordPress plugin repository for thumbnail plugins, of course checking that they do not use TimThumb!
Spread the word and help make WordPress websites safer.
26/06/2014 UPDATE: yet another zero day exploit is found in the script!