TimThumb Code

I have finally updated timthumb.php (actually, the copy I have was named thumb.php) after my hosting provider sent me a warning message about the vulnerability found in timthumb.php. The problem was first discovered by Mark Maunder after his own blog was hacked.

The timthumb.php file is a script commonly used in WordPress (and other software) themes and plugins to resize images. The vulnerability allows an attacker to upload and create arbitrary files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser hijacking and infection, data harvesting and more. Once a site has been exploited, it may end up labeled a “Malicious Website” by Google or other security authorities.

Do you use timthumb.php? To find out whether you have the file:

– Go to your theme directory and look for timthumb.php.

– Or search the directory /wordpress/dir/wp-content/themes/YourTheme/ for a file named “timthumb.php” or “thumb.php”.

Do you have the old file, and is it vulnerable to attack?

– Sucuri.net has put out a script that will find out for you. You can read about/download it here. Follow the steps provided to check whether you are vulnerable.

If you find that your current WordPress theme uses timthumb.php, do the following to fix the vulnerability:

Update TimThumb Option 1:
– Download the updated version of timthumb.php from the official website.

– Upload the new file over the old timthumb.php. You can do this from your control panel by going to the directory where you found the old file.

Update TimThumb Option 2:
– Log in to your WordPress account, go to “Appearance”, then “Edit”. Find timthumb.php or thumb.php.

– Replace the contents of the old file with the new file.

– Once you have switched to the new file, you also need to do this: look for the line defining ALLOW_EXTERNAL in the script and check that its value is set to FALSE.

define ('ALLOW_EXTERNAL', FALSE);

After setting ALLOW_EXTERNAL to FALSE, the next step is to remove the domains listed in the $allowedSites array to be certain that remote file downloading is disabled:

Before the deletion, it will look like this:

$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);

After the deletion, it must look like this:

$allowedSites = array ();

Save the changes. One more thing: delete themes you don’t use. Unused WordPress themes that still contain timthumb.php are also vulnerable to attack, because the script can be requested directly even when the theme is not active.
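To check every copy at once, here is an added example, not from the original post or from the TimThumb project, that does the two things described above: it locates every timthumb.php / thumb.php under a WordPress directory (active and unused themes alike) and reports whether each copy still has ALLOW_EXTERNAL set to TRUE or a non-empty $allowedSites. The two theme files it builds under a temporary directory are constructed samples for demonstration; the function names (find_timthumb, allow_external_value, allowed_sites_nonempty, audit_tree) are my own.

```shell
#!/bin/sh
# Added example (not part of the original post or of TimThumb itself):
# audit a WordPress tree for timthumb.php / thumb.php copies and report
# whether each one still permits remote image fetching.

# List every timthumb.php / thumb.php (any case) under the given directory.
find_timthumb() {
    find "$1" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null | sort
}

# Print the value passed to define('ALLOW_EXTERNAL', ...) in a file,
# upper-cased: TRUE, FALSE, or UNKNOWN when no such define exists.
allow_external_value() {
    v=$(grep -io "define *( *['\"]ALLOW_EXTERNAL['\"] *, *[A-Za-z]*" "$1" \
        | head -n1 | sed 's/.*, *//' | tr '[:lower:]' '[:upper:]')
    [ -n "$v" ] && echo "$v" || echo UNKNOWN
}

# Succeed (exit 0) when the $allowedSites array lists at least one domain.
# The array may span several lines, so collect text from the assignment
# up to the terminating ';' and look for a quoted entry inside it.
allowed_sites_nonempty() {
    awk '
        /\$allowedSites[[:space:]]*=[[:space:]]*array/ { grab = 1 }
        grab { buf = buf $0; if (index($0, ";") > 0) exit }
        END { if (buf ~ /['\''"]/) exit 0; exit 1 }
    ' "$1"
}

# One report line per copy: path, both settings, and OK / REVIEW.
# OK means ALLOW_EXTERNAL is FALSE and $allowedSites is empty, i.e. the
# configuration the post asks for; anything else needs a look.
audit_tree() {
    find_timthumb "$1" | while read -r f; do
        ae=$(allow_external_value "$f")
        if allowed_sites_nonempty "$f"; then sites=nonempty; else sites=empty; fi
        if [ "$ae" = FALSE ] && [ "$sites" = empty ]; then verdict=OK; else verdict=REVIEW; fi
        echo "$f ALLOW_EXTERNAL=$ae allowedSites=$sites $verdict"
    done
}

# Build a constructed sample tree (not a real WordPress install) with one
# old-style copy and one hardened copy. Prints the root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/old-theme/scripts" "$root/wp-content/themes/new-theme"
    cat > "$root/wp-content/themes/old-theme/scripts/thumb.php" <<'EOF'
<?php
// constructed sample: settings as found in an unpatched copy
define ('ALLOW_EXTERNAL', TRUE);
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);
EOF
    cat > "$root/wp-content/themes/new-theme/timthumb.php" <<'EOF'
<?php
// constructed sample: settings after following the post
define ('ALLOW_EXTERNAL', FALSE);
$allowedSites = array ();
EOF
    echo "$root"
}

# Stand-alone run: audit the directory given as $1, or the sample tree.
if [ $# -eq 0 ]; then
    demo=$(make_sample_tree)
    audit_tree "$demo"
    rm -rf "$demo"
else
    audit_tree "$1"
fi
```

Run it as `sh audit-timthumb.sh /path/to/wordpress` (assumed script name) and review every line marked REVIEW; a copy in a theme you no longer use is easiest dealt with by deleting the theme, as the post says.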

Most WP theme developers are now aware of this issue and are updating their themes, so it is advisable to update the themes on your account to the latest version. Also update all scripts, plugins, and modules.