TimThumb vulnerability: a big number of WordPress plugins and themes are affected

Recently a new high risk vulnerability was discovered in the highly popular TimThumb script. TimThumb is a “A small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications.

 

TimThumb is included in a lot of WordPress plugins and themes (free and paid). Exploiting this vulnerability an attacker can upload and excute a PHP file of his choice on a vulnerable website. Here is the vulnerable code.

 

 

By default the script allows uploding files from a list of trusted external domains specified below:

 

// external domains that are allowed to be displayed on your website
$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'blogger.com',
	'wordpress.com',
	'img.youtube.com',
);

 

It should not be possible to upload files from another external domain. However, the check is flawed because you can bypass it using a domain like blogger.com.hacker.com. This domain passes the check but belongs to hacker.com, making the script exploitable.
Hackers are already exploiting this vulnerability in the wild (for example we’ve seen instances of this script being used in exploits : hxxp://blogger.com.zoha.vn/db/load.php)

 

If you are vulnerable you should  contact the author of the affected plugin/theme and ask them to provide you with a fixed version. If that fails, you can download the fixed version (v1.34) from the TimThumb project page (http://code.google.com/p/timthumb/).
We’ve  researched this issue and compiled a list of plugins and themes that are affected by this vulnerability.
The list of WordPress plugins that include a vulnerable version of TimThumb (pre TimThumb version 1.34).
  1. portfolio-slideshow-pro
  2. wp-mobile-detector
  3. a-wp-mobile-detector
  4. igit-related-posts-with-thumb-images-after-posts
  5. dukapress
  6. verve-meta-boxes
  7. db-toolkit
  8. logo-management
  9. wp-marketplace
  10. islidex
  11. aio-shortcodes
  12. category-grid-view-gallery
  13. WPFanPro
  14. igit-posts-slider-widget
  15. wordpress-gallery-plugin
  16. cms-pack
  17. Premium_Gallery_Manager
  18. dp-thumbnail
  19. placid-slider
  20. nivo-slider
  21. photoria
  22. LaunchPressTheme
  23. kc-related-posts-by-category
  24. journalcrunch
  25. download-manager
  26. wordpress-thumbnail-slider
  27. sugar-slider
  28. optimizepress

And here is a list of WordPress themes that are affected by this vulnerability because they include this script.

  1. Minimo
  2. Polished
  3. Minimal
  4. nebula
  5. TheCorporation
  6. TheStyle
  7. TuaranBlog
  8. striking
  9. MyCuisine
  10. AskIt
  11. Webly
  12. Aggregate
  13. TheSource
  14. reviewit
  15. kelontongfree
  16. Mentor
  17. SimplePress
  18. journalcrunch
  19. ecobiz
  20. Magnificent
  21. timthumb.php
  22. Olympia
  23. kingsize
  24. Chameleon
  25. DelicateNews
  26. videozoom-v2.0-original
  27. videozoom
  28. Envisioned
  29. twicet
  30. u-design
  31. genoa
  32. OptimizePress
  33. Modest
  34. mocell
  35. ephoto
  36. Theme
  37. InReview
  38. lightpress
  39. hostme
  40. PersonalPress
  41. Cadca
  42. arras
  43. tiwinoo_v3
  44. MyProduct
  45. sc4
  46. InterPhaseTheme
  47. InStyle
  48. LightBright
  49. TheProfessional
  50. mnfst
  51. freshnews
  52. ArtSee
  53. Boutique
  54. eStore
  55. Avenue
  56. twentyten
  57. XSWordPressTheme
  58. adcents
  59. Nova
  60. MyPhoto
  61. eGallery
  62. Striking_Premium_Corporate
  63. default
  64. Lycus
  65. manifesto
  66. cold
  67. DynamiX
  68. tarnished
  69. Nyke
  70. linepress
  71. DJ
  72. adria
  73. zimex
  74. peano
  75. ElegantEstate
  76. delight
  77. kelontong-free
  78. duotive-three
  79. SobhanSoft_Theme
  80. PureType
  81. yamidoo_pro
  82. vulcan2.1
  83. eGamer
  84. Wooden
  85. peritacion
  86. AmphionPro
  87. trinity
  88. dandelion_v2.6.3
  89. Juggernautgrande
  90. juggernaut-theme
  91. BlackLabel_v1.1.2
  92. Feather
  93. reviewit1
  94. zinepress_v1.0.1
  95. tribune
  96. photoria
  97. vilisya
  98. DailyNotes
  99. Basic
  100. minerva
  101. anthology_v1.4.2
  102. ModestTheme
  103. purevision
  104. parquet
  105. framed-redux
  106. eceramica
  107. InterPhase
  108. epsilon
  109. Striking
  110. thedawn
  111. peava
  112. Newspro
  113. telegraph
  114. averin
  115. telegraph_v1.1
  116. Memoir
  117. NewsPro
  118. CircloSquero
  119. vassal
  120. maxell
  121. 13Floor
  122. wpanniversary
  123. OnTheGo
  124. Glider
  125. mohannad-najjar222
  126. mohannad-najjar2
  127. arthemia
  128. tuufy7
  129. photoframe
  130. beach-holiday
  131. blacklabel
  132. cadabrapress
  133. snapwire
  134. bizpress
  135. themesbangkoofree
  136. TOA
  137. D4
  138. eNews
  139. vulcan
  140. overtime
  141. rockwell_v1.0
  142. vicon
  143. wideo
  144. CherryTruffle
  145. mio
  146. rttheme13
  147. Linepress
  148. DeepFocus
  149. advanced-newspaper202
  150. OptimusPrime
  151. Quadro
  152. Lumin
  153. minima
  154. identity
  155. U-design.v1.1.2_hkz
  156. KP
  157. Petra
  158. services
  159. 13FloorTheme.php
  160. BD
  161. PolishedTheme
  162. 13FloorTheme
  163. kiwinho
  164. graphix
  165. jerestate
  166. centro
  167. corage
  168. Reporter
  169. TheTravelTheme
  170. XSBasico
  171. openhouse
  172. seosurfing1
  173. bluebaboon
  174. Newspro-2.8.6
  175. nd
  176. zoralime
  177. GrupoProbeta
  178. eBusiness
  179. purplex
  180. kitten-in-pink
  181. FashionHouse
  182. WhosWho
  183. Deviant
  184. Bold
  185. BusinessCard
  186. EarthlyTouch
  187. GrungeMag
  188. LightSource
  189. Simplism
  190. TidalForce
  191. Glow
  192. Influx
  193. StudioBlue
  194. jpmegaph
  195. redina
  196. tritone
  197. dandelion_v2.5
  198. Bluesky
  199. ColdStone
  200. silveroak
  201. newspro
  202. GamesAwe
  203. caratinga.net
  204. SimplePressTheme
  205. MyResume
  206. MyApp
  207. theme
  208. bigcity
  209. dandelion_v2.6.1
  210. chronicle
  211. cuizine
  212. thesis_18
  213. advanced-newspaper_new
  214. Event
  215. wpbedouine
  216. rt_affinity_wp
  217. arry12
  218. backup-TheStyle
  219. ExploreFeed
  220. zzzzzzzzz
  221. Bluemist
  222. Hermes
  223. cleartype_v1.0
  224. polariswp
  225. Chameleon 1.6
  226. sniper
  227. adena
  228. ariela
  229. FreshAndClean
  230. wp-creativix
We are pretty sure these lists are not complete, it’s very probable that other themes and plugins are affected.Because there are so many plugins and themes vulnerable, we expect a high number of people to be affected by this vulnerability. Please check your site/blog security and spread the word around.
Share this post
  • I also found it in the FreshAndClean and wp-creativix themes, FYI.

  • Wow… Such a big vulnerability issue. 🙂
    Thank you for sharing this information.

  • There seems to be multiple versions of timthumb, out of which some don’t seem to be afftected.
    Could you post the md5sum of the affected versions?

    these are the md5sums of files I found to be afftected ..

    – cfdc880c1f7b940e645e6b79ac4e5c79
    – 5b5feeedda04c20f7a2755029c720f01

  • @Joel.re Yes, there are many versions and variants of timthumb. Just because some plugin/scheme includes timthumb it doesn’t mean that is vulnerable. I’ve seen timthumb versions that don’t include the allowedSites functionality. In the beginning we’ve been thinking to make a list of md5/sha1 hashes and look for those but we quickly realized there are too many variants on the net.

    Therefore, we didn’t use hashes. We’ve built a script that will search PHP files for the vulnerable code and report those matching.

  • This vulnerability is a big one. I work for a medium sized hosting company that implemented mod_security rules to prevent this attack, and our logs show they’re blocking hundreds of separate attempts a day to exploit this.

    The mod_security rules are available here if others want to use them: http://blog.tigertech.net/posts/timthumb/

  • Thanks for MS rules Robert.
    BTW, some plugins and themes are renaming timthumb.php to thumb.php. You could adjust the first rule to include that.

  • Good advice — our logs show some exploit attempts on just “thumb.php”, too. Those are still stopped by the second rule, but we’ve modified the first to match “thumb.php”, too. Thanks!

  • Hi,
    please exclude shortcodes ultimate from list of affected plugins.

    It has updated and secure script from 3rd version.

    Thanks!

  • What if hackers will use this list to find vulnerable plugins and themes?

    • @rabbit: Yes, that may happen. This information, like many others, can be used for good or bad. However, I think it’s more important to inform the people that have vulnerable themes and plugins to fix their sites as soon as possible.

  • Man am I way late on finding this. I had two of my sites get hacked because of this. Thanks for the information. I’m installing WebsiteDefender WordPress on my sites today. Wish I would have found this out earlier. 🙁
    Fred

  • I don’t know how to say thanks..I have installed the timthumb scanner and removed the out dated plugin.Great article…

  • Thanks for this article, very informative…I had 5 sites hit with this over the past week and for sure it was TimThumb…the plugin vulnerability scanner fixed it…

  • Leave a Reply

    Your email address will not be published.