TimThumb vulnerability: a big number of WordPress plugins and themes are affected

Submitted by bogdan on August 4, 2011 - 7:19 am 55 Comments
Recently a new high-risk vulnerability was discovered in the highly popular TimThumb script. TimThumb is “a small PHP script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications.”

TimThumb is included in a lot of WordPress plugins and themes (free and paid). By exploiting this vulnerability an attacker can upload and execute a PHP file of their choice on a vulnerable website. Here is the vulnerable code.

By default the script allows uploading files only from the list of trusted external domains specified below:

// external domains that are allowed to be displayed on your website
$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'blogger.com',
	'wordpress.com',
	'img.youtube.com',
);

It should not be possible to upload files from any other external domain. However, the check is flawed: it can be bypassed with a domain such as blogger.com.hacker.com, which passes the check but belongs to hacker.com, making the script exploitable.
Hackers are already exploiting this vulnerability in the wild (for example, we’ve seen instances of this script being used in exploits: hxxp://blogger.com.zoha.vn/db/load.php).
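As an added example (not code from TimThumb or from this post), the following PHP contrasts a substring-style allow-list check, assumed here because it reproduces exactly the bypass described above, with a check on the parsed host name; the sample URLs are constructed.

```php
<?php
// Added illustration, not TimThumb's own code: a substring-style allow-list check
// (assumed; it reproduces the bypass described above) beside a host-based fix.
$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com',
                      'wordpress.com', 'img.youtube.com');

// Flawed check: any URL that merely contains an allowed name passes, so
// http://blogger.com.hacker.com/load.php is accepted.
function isAllowedSubstring($src, array $allowedSites) {
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($src), strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: compare only the parsed host, and accept it only when it is
// the allowed domain itself or a subdomain of it at a label boundary.
function isAllowedHost($src, array $allowedSites) {
    $host = parse_url($src, PHP_URL_HOST);
    if ($host === null || $host === false) {
        return false;  // no host component, or an unparseable URL
    }
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site
            || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;
}

$samples = array(                                // constructed inputs
    'http://blogger.com/img.png',                // legitimate
    'http://img.youtube.com/vi/abc/0.jpg',       // legitimate
    'http://blogger.com.hacker.com/load.php',    // the bypass from the text
    'http://hacker.com/blogger.com/load.php',    // allowed name only in the path
    'http://evilblogger.com/load.php',           // no label boundary
);
foreach ($samples as $url) {
    printf("%-42s substring=%s host=%s\n", $url,
        isAllowedSubstring($url, $allowedSites) ? 'pass' : 'block',
        isAllowedHost($url, $allowedSites) ? 'pass' : 'block');
}
```

A correct host match only narrows where files are fetched from: allowed hosts that serve user-controlled content remain a risk, and the fetched file still needs to be validated as an image before it is written to the cache.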

If you use our free WebsiteDefender online web security service and your site is vulnerable, you should get the alert below. In that case you should contact the author of the affected plugin/theme and ask them to provide you with a fixed version. If that fails, you can download the fixed version (v1.34) from the TimThumb project page (http://code.google.com/p/timthumb/).

We’ve researched this issue and compiled a list of plugins and themes that are affected by this vulnerability.

The list of WordPress plugins that include a vulnerable version of TimThumb (earlier than TimThumb version 1.34):

  1. portfolio-slideshow-pro
  2. wp-mobile-detector
  3. a-wp-mobile-detector
  4. igit-related-posts-with-thumb-images-after-posts
  5. dukapress
  6. verve-meta-boxes
  7. db-toolkit
  8. logo-management
  9. wp-marketplace
  10. islidex
  11. aio-shortcodes
  12. category-grid-view-gallery
  13. WPFanPro
  14. igit-posts-slider-widget
  15. wordpress-gallery-plugin
  16. cms-pack
  17. Premium_Gallery_Manager
  18. dp-thumbnail
  19. placid-slider
  20. nivo-slider
  21. photoria
  22. LaunchPressTheme
  23. kc-related-posts-by-category
  24. journalcrunch
  25. download-manager
  26. wordpress-thumbnail-slider
  27. sugar-slider
  28. optimizepress

And here is a list of WordPress themes that are affected by this vulnerability because they include this script:

  1. Minimo
  2. Polished
  3. Minimal
  4. nebula
  5. TheCorporation
  6. TheStyle
  7. TuaranBlog
  8. striking
  9. MyCuisine
  10. AskIt
  11. Webly
  12. Aggregate
  13. TheSource
  14. reviewit
  15. kelontongfree
  16. Mentor
  17. SimplePress
  18. journalcrunch
  19. ecobiz
  20. Magnificent
  21. timthumb.php
  22. Olympia
  23. kingsize
  24. Chameleon
  25. DelicateNews
  26. videozoom-v2.0-original
  27. videozoom
  28. Envisioned
  29. twicet
  30. u-design
  31. genoa
  32. OptimizePress
  33. Modest
  34. mocell
  35. ephoto
  36. Theme
  37. InReview
  38. lightpress
  39. hostme
  40. PersonalPress
  41. Cadca
  42. arras
  43. tiwinoo_v3
  44. MyProduct
  45. sc4
  46. InterPhaseTheme
  47. InStyle
  48. LightBright
  49. TheProfessional
  50. mnfst
  51. freshnews
  52. ArtSee
  53. Boutique
  54. eStore
  55. Avenue
  56. twentyten
  57. XSWordPressTheme
  58. adcents
  59. Nova
  60. MyPhoto
  61. eGallery
  62. Striking_Premium_Corporate
  63. default
  64. Lycus
  65. manifesto
  66. cold
  67. DynamiX
  68. tarnished
  69. Nyke
  70. linepress
  71. DJ
  72. adria
  73. zimex
  74. peano
  75. ElegantEstate
  76. delight
  77. kelontong-free
  78. duotive-three
  79. SobhanSoft_Theme
  80. PureType
  81. yamidoo_pro
  82. vulcan2.1
  83. eGamer
  84. Wooden
  85. peritacion
  86. AmphionPro
  87. trinity
  88. dandelion_v2.6.3
  89. Juggernautgrande
  90. juggernaut-theme
  91. BlackLabel_v1.1.2
  92. Feather
  93. reviewit1
  94. zinepress_v1.0.1
  95. tribune
  96. photoria
  97. vilisya
  98. DailyNotes
  99. Basic
  100. minerva
  101. anthology_v1.4.2
  102. ModestTheme
  103. purevision
  104. parquet
  105. framed-redux
  106. eceramica
  107. InterPhase
  108. epsilon
  109. Striking
  110. thedawn
  111. peava
  112. Newspro
  113. telegraph
  114. averin
  115. telegraph_v1.1
  116. Memoir
  117. NewsPro
  118. CircloSquero
  119. vassal
  120. maxell
  121. 13Floor
  122. wpanniversary
  123. OnTheGo
  124. Glider
  125. mohannad-najjar222
  126. mohannad-najjar2
  127. arthemia
  128. tuufy7
  129. photoframe
  130. beach-holiday
  131. blacklabel
  132. cadabrapress
  133. snapwire
  134. bizpress
  135. themesbangkoofree
  136. TOA
  137. D4
  138. eNews
  139. vulcan
  140. overtime
  141. rockwell_v1.0
  142. vicon
  143. wideo
  144. CherryTruffle
  145. mio
  146. rttheme13
  147. Linepress
  148. DeepFocus
  149. advanced-newspaper202
  150. OptimusPrime
  151. Quadro
  152. Lumin
  153. minima
  154. identity
  155. U-design.v1.1.2_hkz
  156. KP
  157. Petra
  158. services
  159. 13FloorTheme.php
  160. BD
  161. PolishedTheme
  162. 13FloorTheme
  163. kiwinho
  164. graphix
  165. jerestate
  166. centro
  167. corage
  168. Reporter
  169. TheTravelTheme
  170. XSBasico
  171. openhouse
  172. seosurfing1
  173. bluebaboon
  174. Newspro-2.8.6
  175. nd
  176. zoralime
  177. GrupoProbeta
  178. eBusiness
  179. purplex
  180. kitten-in-pink
  181. FashionHouse
  182. WhosWho
  183. Deviant
  184. Bold
  185. BusinessCard
  186. EarthlyTouch
  187. GrungeMag
  188. LightSource
  189. Simplism
  190. TidalForce
  191. Glow
  192. Influx
  193. StudioBlue
  194. jpmegaph
  195. redina
  196. tritone
  197. dandelion_v2.5
  198. Bluesky
  199. ColdStone
  200. silveroak
  201. newspro
  202. GamesAwe
  203. caratinga.net
  204. SimplePressTheme
  205. MyResume
  206. MyApp
  207. theme
  208. bigcity
  209. dandelion_v2.6.1
  210. chronicle
  211. cuizine
  212. thesis_18
  213. advanced-newspaper_new
  214. Event
  215. wpbedouine
  216. rt_affinity_wp
  217. arry12
  218. backup-TheStyle
  219. ExploreFeed
  220. zzzzzzzzz
  221. Bluemist
  222. Hermes
  223. cleartype_v1.0
  224. polariswp
  225. Chameleon 1.6
  226. sniper
  227. adena
  228. ariela
  229. FreshAndClean
  230. wp-creativix

We are pretty sure these lists are not complete; it’s very probable that other themes and plugins are affected. Because so many plugins and themes are vulnerable, we expect a high number of people to be affected by this vulnerability. Please check your site/blog security and spread the word.

19 Comments

  1. Pat J August 4, 2011

    I also found it in the FreshAndClean and wp-creativix themes, FYI.

  2. bogdan August 4, 2011

    Thanks, I will add them to the list.

  3. Jean August 4, 2011

    Wow… Such a big vulnerability issue. :)
    Thank you for sharing this information.

  4. Joel.re August 5, 2011

    There seem to be multiple versions of timthumb, out of which some don’t seem to be affected.
    Could you post the md5sum of the affected versions?

    These are the md5sums of files I found to be affected:

    - cfdc880c1f7b940e645e6b79ac4e5c79
    - 5b5feeedda04c20f7a2755029c720f01

  5. bogdan August 5, 2011

    @Joel.re Yes, there are many versions and variants of timthumb. Just because some plugin/theme includes timthumb, it doesn’t mean that it is vulnerable. I’ve seen timthumb versions that don’t include the allowedSites functionality. In the beginning we were thinking of making a list of md5/sha1 hashes and looking for those, but we quickly realized there are too many variants on the net.

    Therefore, we didn’t use hashes. We’ve built a script that will search PHP files for the vulnerable code and report those matching.

  6. Robert Mathews August 9, 2011

    This vulnerability is a big one. I work for a medium sized hosting company that implemented mod_security rules to prevent this attack, and our logs show they’re blocking hundreds of separate attempts a day to exploit this.

    The mod_security rules are available here if others want to use them: http://blog.tigertech.net/posts/timthumb/

  7. bogdan August 10, 2011

    Thanks for the MS rules, Robert.
    BTW, some plugins and themes are renaming timthumb.php to thumb.php. You could adjust the first rule to include that.

  8. Robert Mathews August 11, 2011

    Good advice — our logs show some exploit attempts on just “thumb.php”, too. Those are still stopped by the second rule, but we’ve modified the first to match “thumb.php”, too. Thanks!

  9. gn_themes August 17, 2011

    Hi,
    please exclude shortcodes ultimate from list of affected plugins.

    It has updated and secure script from 3rd version.

    Thanks!

  10. bogdan August 18, 2011

    @gn_themes: OK, I’ve removed that script from our list.

  11. rabbit August 23, 2011

    What if hackers will use this list to find vulnerable plugins and themes?

  12. bogdan August 23, 2011

    @rabbit: Yes, that may happen. This information, like many others, can be used for good or bad. However, I think it’s more important to inform the people that have vulnerable themes and plugins to fix their sites as soon as possible.

  13. Ethan August 25, 2011

    Also, WooThemes’ themes seem to be affected, and they have made it really easy to update the file from inside the WP admin area. See more instructions on the WooThemes blog: http://www.woothemes.com/2011/08/timthumb-security-flaw-patch/

  14. bogdan August 25, 2011

    Thanks for the information Ethan.

  15. howtogetripped November 10, 2011

    Man am I way late on finding this. I had two of my sites get hacked because of this. Thanks for the information. I’m installing WebsiteDefender WordPress on my sites today. Wish I would have found this out earlier. :-(
    Fred

  16. Adalberto Hernandez Vega November 16, 2011

    Last completely rewritten code version is here: http://www.binarymoon.co.uk/2011/08/timthumb-2/

    They have removed those domains which could be used to exploit (blogspot.com and wordpress.com)

    Adal

  17. Robert Abela November 16, 2011

    Hi,

    Thanks for sharing.

  18. akhil January 2, 2012

    I don’t know how to say thanks. I have installed the timthumb scanner and removed the outdated plugin. Great article…

  19. Jeff February 7, 2012

    Thanks for this article, very informative…I had 5 sites hit with this over the past week and for sure it was TimThumb…the plugin vulnerability scanner fixed it…
