WebsiteDefender.com » WordPress Security » TimThumb vulnerability: a big number of WordPress plugins and themes are affected

TimThumb vulnerability: a big number of WordPress plugins and themes are affected

Submitted by bogdan on August 4, 2011 - 7:19 am 55 Comments

Recently a new high risk vulnerability was discovered in the highly popular TimThumb script. TimThumb is a “A small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications.“

 

TimThumb is included in a lot of WordPress plugins and themes (free and paid). Exploiting this vulnerability an attacker can upload and excute a PHP file of his choice on a vulnerable website. Here is the vulnerable code.

 

 

By default the script allows uploding files from a list of trusted external domains specified below:

 

// external domains that are allowed to be displayed on your website
$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'blogger.com',
	'wordpress.com',
	'img.youtube.com',
);

 

It should not be possible to upload files from another external domain. However, the check is flawed because you can bypass it using a domain like blogger.com.hacker.com. This domain passes the check but belongs to hacker.com, making the script exploitable.

Hackers are already exploiting this vulnerability in the wild (for example we’ve seen instances of this script being used in exploits : hxxp://blogger.com.zoha.vn/db/load.php)

 

If you are vulnerable and using our free WebsiteDefender online web security service, you should get the alert below if you are vulnerable. In that case you should contact the author of the affected plugin/theme and ask them to provide you with a fixed version. If that fails, you can download the fixed version (v1.34) from the TimThumb project page (http://code.google.com/p/timthumb/).

 

We’ve  researched this issue and compiled a list of plugins and themes that are affected by this vulnerability.

 

The list of WordPress plugins that include a vulnerable version of TimThumb (pre TimThumb version 1.34).

 

1. portfolio-slideshow-pro
2. wp-mobile-detector
3. a-wp-mobile-detector
4. igit-related-posts-with-thumb-images-after-posts
5. dukapress
6. verve-meta-boxes
7. db-toolkit
8. logo-management
9. wp-marketplace
10. islidex
11. aio-shortcodes
12. category-grid-view-gallery
13. WPFanPro
14. igit-posts-slider-widget
15. wordpress-gallery-plugin
16. cms-pack
17. Premium_Gallery_Manager
18. dp-thumbnail
19. placid-slider
20. nivo-slider
21. photoria
22. LaunchPressTheme
23. kc-related-posts-by-category
24. journalcrunch
25. download-manager
26. wordpress-thumbnail-slider
27. sugar-slider
28. optimizepress

 

And here is a list of WordPress themes that are affected by this vulnerability because they include this script.

 

1. Minimo
2. Polished
3. Minimal
4. nebula
5. TheCorporation
6. TheStyle
7. TuaranBlog
8. striking
9. MyCuisine
10. AskIt
11. Webly
12. Aggregate
13. TheSource
14. reviewit
15. kelontongfree
16. Mentor
17. SimplePress
18. journalcrunch
19. ecobiz
20. Magnificent
21. timthumb.php
22. Olympia
23. kingsize
24. Chameleon
25. DelicateNews
26. videozoom-v2.0-original
27. videozoom
28. Envisioned
29. twicet
30. u-design
31. genoa
32. OptimizePress
33. Modest
34. mocell
35. ephoto
36. Theme
37. InReview
38. lightpress
39. hostme
40. PersonalPress
41. Cadca
42. arras
43. tiwinoo_v3
44. MyProduct
45. sc4
46. InterPhaseTheme
47. InStyle
48. LightBright
49. TheProfessional
50. mnfst
51. freshnews
52. ArtSee
53. Boutique
54. eStore
55. Avenue
56. twentyten
57. XSWordPressTheme
58. adcents
59. Nova
60. MyPhoto
61. eGallery
62. Striking_Premium_Corporate
63. default
64. Lycus
65. manifesto
66. cold
67. DynamiX
68. tarnished
69. Nyke
70. linepress
71. DJ
72. adria
73. zimex
74. peano
75. ElegantEstate
76. delight
77. kelontong-free
78. duotive-three
79. SobhanSoft_Theme
80. PureType
81. yamidoo_pro
82. vulcan2.1
83. eGamer
84. Wooden
85. peritacion
86. AmphionPro
87. trinity
88. dandelion_v2.6.3
89. Juggernautgrande
90. juggernaut-theme
91. BlackLabel_v1.1.2
92. Feather
93. reviewit1
94. zinepress_v1.0.1
95. tribune
96. photoria
97. vilisya
98. DailyNotes
99. Basic
100. minerva
101. anthology_v1.4.2
102. ModestTheme
103. purevision
104. parquet
105. framed-redux
106. eceramica
107. InterPhase
108. epsilon
109. Striking
110. thedawn
111. peava
112. Newspro
113. telegraph
114. averin
115. telegraph_v1.1
116. Memoir
117. NewsPro
118. CircloSquero
119. vassal
120. maxell
121. 13Floor
122. wpanniversary
123. OnTheGo
124. Glider
125. mohannad-najjar222
126. mohannad-najjar2
127. arthemia
128. tuufy7
129. photoframe
130. beach-holiday
131. blacklabel
132. cadabrapress
133. snapwire
134. bizpress
135. themesbangkoofree
136. TOA
137. D4
138. eNews
139. vulcan
140. overtime
141. rockwell_v1.0
142. vicon
143. wideo
144. CherryTruffle
145. mio
146. rttheme13
147. Linepress
148. DeepFocus
149. advanced-newspaper202
150. OptimusPrime
151. Quadro
152. Lumin
153. minima
154. identity
155. U-design.v1.1.2_hkz
156. KP
157. Petra
158. services
159. 13FloorTheme.php
160. BD
161. PolishedTheme
162. 13FloorTheme
163. kiwinho
164. graphix
165. jerestate
166. centro
167. corage
168. Reporter
169. TheTravelTheme
170. XSBasico
171. openhouse
172. seosurfing1
173. bluebaboon
174. Newspro-2.8.6
175. nd
176. zoralime
177. GrupoProbeta
178. eBusiness
179. purplex
180. kitten-in-pink
181. FashionHouse
182. WhosWho
183. Deviant
184. Bold
185. BusinessCard
186. EarthlyTouch
187. GrungeMag
188. LightSource
189. Simplism
190. TidalForce
191. Glow
192. Influx
193. StudioBlue
194. jpmegaph
195. redina
196. tritone
197. dandelion_v2.5
198. Bluesky
199. ColdStone
200. silveroak
201. newspro
202. GamesAwe
203. caratinga.net
204. SimplePressTheme
205. MyResume
206. MyApp
207. theme
208. bigcity
209. dandelion_v2.6.1
210. chronicle
211. cuizine
212. thesis_18
213. advanced-newspaper_new
214. Event
215. wpbedouine
216. rt_affinity_wp
217. arry12
218. backup-TheStyle
219. ExploreFeed
220. zzzzzzzzz
221. Bluemist
222. Hermes
223. cleartype_v1.0
224. polariswp
225. Chameleon 1.6
226. sniper
227. adena
228. ariela
229. FreshAndClean
230. wp-creativix

 

We are pretty sure these lists are not completed, it’s very probable that other themes and plugins are affected.Because there are so many plugins and themes vulnerable, we expect a high number of people to be affected by this vulnerability. Please check your site/blog security and spread the word around.

 

Tags: php code execution, timthumb vulnerability, wordpress plugins vulnerability, wordpress security, worpress theme vulnerability

36 Trackbacks/Pingbacks

1. Pingback: TimThumb vulnerability: a big number of Wordpress plugins and themes – themes for wordpress on August 4, 2011
2. Pingback: Vulnerabilidades masivas y persistentes « programacion@droope on August 4, 2011
3. Pingback: WordPress UK »  TimThumb vulnerability: a big number of Wordpress plugins and … on August 4, 2011
4. Pingback: TimThumb vulnerability: a big number of Wordpress plugins and … | WordPressPlanet.com on August 4, 2011
5. Pingback: TimThumb vulnerability: a big number of Wordpress plugins and … | Wordpress Develop on August 4, 2011
6. Pingback: Attention WordPress webmasters, read this! (SECURITY) | HostGator Coupons Code on August 4, 2011
7. Pingback: TimThumb vulnerability: a big number of Wordpress plugins and … on August 5, 2011
8. Pingback: TimThumb vulnerability: a big number of Wordpress plugins and … – wordpress on August 5, 2011
9. Pingback: TimThumb vulnerability: a big number of Wordpress plugins and … – themes for wordpress on August 5, 2011
10. Pingback: Some WordPress themes (and other software) vulnerable to “TimThumb” bug | Tiger Technologies Blog on August 9, 2011
11. Pingback: Wordpress timthumb.php dosyasında büyük güvenlik açığı | myWordpress | Wordpress ile ilgili her şey on August 9, 2011
12. Pingback: Importante vulnerabilidad en TimThumb que afecta a plugins y themes de WP | Seguridad Wordpress - Plugins para Wordpress on August 14, 2011
13. Pingback: New Vulnerability in many WordPress themes | TerraNetwork on August 15, 2011
14. Pingback: Why does the automated agent copy fail, and how can I copy the … – secure wordpress on August 17, 2011
15. Pingback: Wordpresste Önemli Güvenlik Açığı | 32byte on August 18, 2011
16. Pingback: Websites Hacked - TimThumb Vulnerability Uncovered in WordPress | WEBphysiology on August 18, 2011
17. Pingback: Dikkat! Wordpress Timthumb.php Güvenlik Açığı | AESözlük on August 21, 2011
18. Pingback: Get A Security Makeover For Your WordPress Site With WebsiteDefender | .: Tools4Classroom :. on August 24, 2011
19. Pingback: Get A Security Makeover For Your WordPress Site With WebsiteDefender on August 25, 2011
20. Pingback: Get A Security Makeover For Your WordPress Site With … – wordpress registration plugin on August 25, 2011
21. Pingback: Secure steps to take with latest Wordpress attacks (Part One … – secure wordpress on August 26, 2011
22. Pingback: Hackers Deserve a Special Place in Hell | Marie Leslie Media on August 26, 2011
23. Pingback: Cómo arreglar un wordpress hackeado por el TimThumb.php | Gadgetopost on August 30, 2011
24. Pingback: TimThumb vulnerability found in lot of WordPress Themes & Plugins | WordPress Security Patch | Catch Internet on September 6, 2011
25. Pingback: TimThumb vulnerability found in lot of WordPress Themes & Plugins … – themes for wordpress on September 6, 2011
26. Pingback: TimThumb vulnerability found in lot of WordPress Themes & Plugins … – wordpress themes on September 6, 2011
27. Pingback: TimThumb vulnerability found in lot of WordPress Themes & Plugins … – wordpress thems on September 6, 2011
28. Pingback: The Trip Overland Hacked via the Timthumb Vulnerability – The Trip on September 18, 2011
29. Pingback: The story of the New Nation hack | New Nation on October 5, 2011
30. Pingback: Zoroukah – The story of the New Nation hack on October 5, 2011
31. Pingback: WordPress Issue? Scan “Local Machine” | Lakeshore Branding on October 10, 2011
32. Pingback: Attention WordPress webmasters, read this! (SECURITY) | Web Hosting Promotion Codes on December 13, 2011
33. Pingback: Defaced, D*mn! – IMS' Blog on December 20, 2011
34. Pingback: TimThumb.php Sicherheits-Update on January 5, 2012
35. Pingback: Timthumb Vulnerability Scanner Plugin for WordPress Sites on April 10, 2012
36. Pingback: 5 Basic Tips to Increase WordPress Security | CreatiFace.com on April 13, 2013

19 Comments

1. 
   Pat J August 4, 2011

   I also found it in the FreshAndClean and wp-creativix themes, FYI.

2. 
   bogdan August 4, 2011

   Thanks, I will add them to the list.

3. 
   Jean August 4, 2011

   Wow… Such a big vulnerability issue.
   Thank you for sharing this information.

4. 
   Joel.re August 5, 2011

   There seems to be multiple versions of timthumb, out of which some don’t seem to be afftected.
   Could you post the md5sum of the affected versions?

   these are the md5sums of files I found to be afftected ..

   - cfdc880c1f7b940e645e6b79ac4e5c79
   - 5b5feeedda04c20f7a2755029c720f01

5. 
   bogdan August 5, 2011

   @Joel.re Yes, there are many versions and variants of timthumb. Just because some plugin/scheme includes timthumb it doesn’t mean that is vulnerable. I’ve seen timthumb versions that don’t include the allowedSites functionality. In the beginning we’ve been thinking to make a list of md5/sha1 hashes and look for those but we quickly realized there are too many variants on the net.

   Therefore, we didn’t use hashes. We’ve built a script that will search PHP files for the vulnerable code and report those matching.

6. 
   Robert Mathews August 9, 2011

   This vulnerability is a big one. I work for a medium sized hosting company that implemented mod_security rules to prevent this attack, and our logs show they’re blocking hundreds of separate attempts a day to exploit this.

   The mod_security rules are available here if others want to use them: http://blog.tigertech.net/posts/timthumb/

7. 
   bogdan August 10, 2011

   Thanks for MS rules Robert.
   BTW, some plugins and themes are renaming timthumb.php to thumb.php. You could adjust the first rule to include that.

8. 
   Robert Mathews August 11, 2011

   Good advice — our logs show some exploit attempts on just “thumb.php”, too. Those are still stopped by the second rule, but we’ve modified the first to match “thumb.php”, too. Thanks!

9. 
   gn_themes August 17, 2011

   Hi,
   please exclude shortcodes ultimate from list of affected plugins.

   It has updated and secure script from 3rd version.

   Thanks!

10. 
    bogdan August 18, 2011

    @gn_themes: OK, I’ve removed that script from our list.

11. 
    rabbit August 23, 2011

    What if hackers will use this list to find vulnerable plugins and themes?

12. 
    bogdan August 23, 2011

    @rabbit: Yes, that may happen. This information, like many others, can be used for good or bad. However, I think it’s more important to inform the people that have vulnerable themes and plugins to fix their sites as soon as possible.

13. 
    Ethan August 25, 2011

    Also, WooThemes’ themes seem to be affected, and they have made it really easy to update the file from inside the WP admin area. See more instructions on the WooThemes blog: http://www.woothemes.com/2011/08/timthumb-security-flaw-patch/

14. 
    bogdan August 25, 2011

    Thanks for the information Ethan.

15. 
    howtogetripped November 10, 2011

    Man am I way late on finding this. I had two of my sites get hacked because of this. Thanks for the information. I’m installing WebsiteDefender WordPress on my sites today. Wish I would have found this out earlier.
    Fred

16. 
    Adalberto Hernandez Vega November 16, 2011

    Last completely rewritten code version is here: http://www.binarymoon.co.uk/2011/08/timthumb-2/

    They have removed those domains which could be used to exploit (blogspot.com and wordpress.com)

    Adal

17. 
    Robert Abela November 16, 2011

    Hi,

    Thanks for sharing.

18. 
    akhil January 2, 2012

    I don’t know how to say thanks..I have installed the timthumb scanner and removed the out dated plugin.Great article…

19. 
    Jeff February 7, 2012

    Thanks for this article, very informative…I had 5 sites hit with this over the past week and for sure it was TimThumb…the plugin vulnerability scanner fixed it…

Post a comment

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS. Be nice. Keep it clean. Stay on topic. No spam.

Name (required)

E-mail (will not be published) (required)

Website

Comments

Submit

CAPTCHA Code *