Zero-day Vulnerability In TimThumb Image Utility Threatens Many WordPress Sites

This is pretty apt after we wrote about WebsiteDefender – Ensure Your Website Security on Monday, a platform for securing web applications with a focus on WordPress. Today a zero-day in a very commonly used WordPress library hit quite a few news sites.

The flaw is in an image utility called TimThumb, which is used in a LOT of premium themes for generating on-the-fly thumbnails. You can check it out (and grab the latest version) here:

Attackers are exploiting a widely used extension for the WordPress publishing platform to take control of vulnerable websites, one of the victims has warned.

The vulnerability affects virtually all websites that have an image-resizing utility called TimThumb running with WordPress, Mark Maunder, CEO of Seattle-based Feedjit, wrote in a post published Monday. The extension is “inherently insecure” because it makes it easy for hackers to execute malicious code on websites that use it. At least two websites have already been compromised, he reported.

Maunder said he found the vulnerability after discovering his own website,, was suddenly and inexplicably loading advertisements, even though the blog wasn’t configured to do so.

After a thorough investigation, he learned that an attacker had used TimThumb to load a PHP file into one of his site directories and then execute it. The utility, he said, by default allows files to be remotely loaded and resized from,, and five other websites and doesn’t vet URLs for malicious strings, making it possible to upload malicious payloads.

I personally think this could cause some major problems because TimThumb is bundled with almost every WordPress theme (free ones or otherwise) and is invariably an old version – which will be insecure. It creates an image cache inside the readable webroot – which is really bad.

Plus the URL filtering doesn’t really work properly, so with your own domain you could create a subdomain and host up some nasty files there, call TimThumb on that file and it’d be cached in the webroot.
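As an added illustration (not TimThumb's own code, and not from the original post), the PHP below contrasts a host check that matches an allowed name anywhere in the URL, the pattern the subdomain trick above defeats, with a hardened check on the parsed host, and adds a second layer that re-encodes the fetched bytes as an image so that only a real image can land in the cache directory. The allow-list values and sample URLs are constructed; it assumes PHP 8 with the GD extension.

```php
<?php
// Added example, not TimThumb's own code: a substring-style host check of the kind the
// article describes beside a hardened one, plus re-encoding of fetched bytes before they
// reach a web-served cache. Needs PHP 8 and the GD extension.

// Allow-list of remote hosts (constructed; the real default list lives in timthumb.php).
const ALLOWED_HOSTS = ['blogger.com', 'wordpress.com', 'img.youtube.com'];

// Weak check: does an allowed name appear anywhere in the URL? A look-alike host such as
// blogger.com.example.net, or the name placed in the query string, passes.
function weakHostCheck(string $url): bool {
    foreach (ALLOWED_HOSTS as $allowed) {
        if (stripos($url, $allowed) !== false) { return true; }
    }
    return false;
}

// Hardened check: parse the URL, require http(s), and accept the host only if it equals
// an allowed name or is a true subdomain of one (ends with ".<allowed name>").
function strictHostCheck(string $url): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) { return false; }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) { return false; }
    $host = strtolower(rtrim($p['host'], '.'));
    foreach (ALLOWED_HOSTS as $allowed) {
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) { return true; }
    }
    return false;
}

// Second layer: the downloaded bytes are untrusted whatever the URL said. Anything GD
// cannot decode as an image (a PHP script, say) is rejected; what it can decode is
// re-encoded, so only a freshly generated JPEG is ever written under the webroot.
function reencodeAsJpeg(string $bytes): ?string {
    $img = @imagecreatefromstring($bytes);
    if ($img === false) { return null; }
    ob_start();
    imagejpeg($img, null, 90);
    imagedestroy($img);
    return ob_get_clean();
}

// Constructed sample URLs: weak passes all four, strict passes only the first two.
foreach (['http://blogger.com/a.jpg', 'http://img.blogger.com/a.jpg',
          'http://blogger.com.example.net/a.php', 'http://example.net/a?u=blogger.com'] as $u) {
    printf("%-40s weak=%s strict=%s\n", $u,
        weakHostCheck($u) ? 'pass' : 'deny', strictHostCheck($u) ? 'pass' : 'deny');
}
```

Even with both checks in place, the cache directory should live outside the webroot, or the web server should be configured never to execute scripts from it.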

“So if you create a file on a web server like so: and tell timthumb.php to fetch it, it merrily fetches the file and puts it in the cache directory ready for execution,” Maunder explained.

He went on to report the technique was used on Friday to hack Ben Gillbanks, developer of TimThumb. Gillbanks is working on a permanent fix, but in the meantime, Maunder has submitted a temporary patch that fixes the most obvious errors.

“I can’t apologise enough for this oversight in the code and hope nobody has anything too bad happen to their sites because of my error,” Gillbanks wrote in a comment responding to Maunder’s post.

One of the first people hit was a WordPress developer himself, which is a good thing as it means we get a quick fix. A new, more secure version is (hopefully) in the works, and the developer has pushed out some quick fixes to the current version to make it harder to exploit.

You can grab the latest TimThumb.php code here:

There are also a lot more details on how to fix the problem on the blog of Mark Maunder, CEO of Seattle-based Feedjit:

Zero Day Vulnerability in Many WordPress Themes

There’s a story from Network World here too:

Zero-day vulnerability found in a WordPress image utility

TimThumb is in many themes with other names, so please also search for thumb.php, cropper.php, crop.php & resize.php.

Site: The Register


6 Responses to Zero-day Vulnerability In TimThumb Image Utility Threatens Many WordPress Sites

  1. clyang August 3, 2011 at 12:59 pm #

    One quick way to identify where timthumb located:
    1. ssh into your server
    2. go to WordPress’s root directory
    3. use the following command: find . -name "*.php" -exec grep -H TimThumb {} \;

    Then, replace all found files with the latest version.

    • Bogwitch August 3, 2011 at 1:32 pm #

      As Darknet said, there are many instances where TimThumb is renamed so just performing a ‘find’ for TimThumb may not be sufficient.
      Far better that you actually know which modules are installed as part of your WordPress installation!

      • clyang August 3, 2011 at 1:45 pm #

        The method I used is to find all php files which contain the string “TimThumb”. It’s not just finding by filename :)

        Oops, let me do a minor fix with my command to make it more accurate. Please use the following command: find . -name "*.php" -exec grep -H 'TimThumb script created by Ben' {} \;

  2. Bogwitch August 3, 2011 at 4:09 pm #

    I should learn to read the code fully!

  3. droope August 3, 2011 at 6:00 pm #

    so interesting :)

  4. dilan August 6, 2011 at 11:23 am #

    Should search for the exploit on the exploit database, if any :D