Ask WordPress Girl

Custom themes, tips, classes, and resources

TimThumb WordPress Security Vulnerability

August 30, 2011 / Angela / Security / 2 Comments

Zero Day Vulnerability in Many WordPress Themes


TimThumb is a popular image-resizing script used on millions of sites worldwide. Vulnerable versions of it let attackers upload arbitrary PHP code into your timthumb cache directory and then execute it.

To prevent this from happening, it is urgent that you either update your TimThumb script to the latest version, remove it, or edit it and set the $allowedSites array to be empty.

I already know several people whose sites have been hacked from this vulnerability. My WordPress Firewall plugin alerts show that robots are surfing the net and targeting all WordPress sites looking for this script to exploit. It does not matter that your site is unpopular or receives no visitors or that the theme containing it is not active. Hackers don’t care if you don’t use your site any longer. If you have this script, you will likely get hacked sooner or later.

How do you know if you are at risk?

1 – First, log in to your site using your FTP application or SSH (SSH instructions here).

2 – Check ALL the files in your themes folder on your server to see if you have any file named timthumb.php or thumb.php (different theme developers used different names for it).

3 – Open the file in your HTML editor and look for the following header comment:

* TimThumb script created by Ben Gillbanks, originally created by Tim McDaniels and Darren Hoyt
* http://code.google.com/p/timthumb/

If that is in the file, then you are looking at the correct file.

Here is a list of free themes on the wordpress.org site that contain(ed) this script: http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html

Also, all Elegant Themes downloaded prior to August 2011 contain this script. Elegant Themes has updated all of their themes to no longer use this script.

How do you fix it?

One simple fix that will keep your Timthumb script updated easily and quickly is to install the Timthumb Vulnerability Scanner plugin: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

If you want to update it manually, use the following process. Keep in mind that there have been a couple of updates to TimThumb since the original vulnerability was discovered, so you may have to update it again.

1 – Go to http://timthumb.googlecode.com/svn/trunk/timthumb.php and copy all of the code on the page.

2 – Open your theme’s timthumb.php file and delete the content. Paste the code you just copied into it.

3 – Next, set ALLOW_EXTERNAL to false. This prevents TimThumb from fetching images from external sites at all, regardless of the allowed-sites list:

if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', false); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false

4 – Next, scroll to the top of the file and slowly scroll down until you find the $allowedSites array. Remove all of the sites listed in the array:

Before:

$allowedSites = array (
'flickr.com',
'picasa.com',
'blogger.com',
'wordpress.com',
'img.youtube.com',
'upload.wikimedia.org',
'photobucket.com',
);

After:

$allowedSites = array (
);

5 – Save and upload the file.

6 – Repeat for ALL timthumb.php files found on your server, even the ones for themes you are not using.

Note: If you are not using the theme, then you should probably remove it from the server. Also, do NOT leave a backup of the OLD timthumb.php file on your server. If you want to keep a backup, then store it on your local computer, not on the server.
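As an added example (not code from this post or the TimThumb project), here is a POSIX shell script you can run over the SSH login from step 1 to automate steps 2 to 4 of the check above across an entire wp-content/themes directory. It assumes the multi-line $allowedSites layout shown above, and it reports every copy that still allows external image fetching.

```shell
#!/bin/sh
# Added example (not from the post): audit every TimThumb copy under a
# themes directory and report which ones still permit remote image fetching.
# Prints one line per TimThumb file: "OK <file>" or "RISKY <file> <reasons>".
# Usage: scan_timthumb /path/to/wp-content/themes

scan_timthumb() {
  # Theme authors shipped the script under both names (step 2 above).
  find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
  while IFS= read -r f; do
    # Only treat the file as TimThumb if it mentions TimThumb at all; the
    # post's 1.x header says "TimThumb script created by", and the 2.x
    # header differs, so match loosely. Unrelated thumb.php files are skipped.
    grep -qi 'timthumb' "$f" || continue
    why=""
    # Step 3 of the fix: ALLOW_EXTERNAL must be defined as false. Old 1.x
    # copies have no such constant at all, so they are reported as well.
    grep -Eqi "define *\( *'ALLOW_EXTERNAL' *, *false *\)" "$f" ||
      why="${why}ALLOW_EXTERNAL-not-false "
    # Step 4 of the fix: the allowed-sites array must be empty. Matches both
    # spellings ($allowedSites in 1.x, $ALLOWED_SITES in 2.x) and assumes the
    # multi-line layout shown in the post. awk exits 0 if any entry remains.
    if awk 'tolower($0) ~ /\$allowed_?sites *= *array *\(/ {inarr=1; next}
            inarr && /\)/                                  {exit}
            inarr && /[^[:space:]]/                        {found=1}
            END {exit !found}' "$f"; then
      why="${why}allowedSites-not-empty "
    fi
    if [ -n "$why" ]; then
      printf 'RISKY %s %s\n' "$f" "$why"
    else
      printf 'OK %s\n' "$f"
    fi
  done
}
```

Any file reported as RISKY should be replaced with the current script and edited as in steps 3 and 4, or deleted along with its unused theme.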

More Information and Resources

  • Scan your site at http://sucuri.net
  • Read more about how this vulnerability was discovered at: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
  • Subscribe to WP Security Lock to stay on top of the latest WordPress Security issues: http://www.wpsecuritylock.com/
  • Install the WordPress Firewall Plugin: http://wordpress.org/extend/plugins/wordpress-firewall-2/


2 comments on “TimThumb WordPress Security Vulnerability”

  1. ChrisR says:
    October 10, 2011 at 7:44 am

    My theme, Gridnik, uses a custom widget dependent on timthumb to pull and resize images from my Flickr photostream. So if I disallow remote images, no photos in my widget. What code could I use to replace use of timthumb for Flickr?

    • Anonymous says:
      October 10, 2011 at 11:17 am

      Hi Chris,

      You should probably go into the code of the theme to find where the timthumb script is actually located and replace it with the new timthumb from Google. I see that support for this theme has been discontinued, so you might want to shop around for a new, more active theme to use, because it’s possible you’ll encounter problems later down the road since the theme is no longer being updated.


(c) 2013 Ask WP Girl - Angela Bowman