Can I Just Replace My Old timthumb.php File With the New Version?

September 1, 2011   ·   By   ·   6 Comments   ·   Posted in Uncategorized

First things first: Yes, you can just replace your old timthumb.php file with the new version of timthumb, found here. If that’s all you were after, move along – if you want a little more explanation, read on:

With all of the hubbub around the recent timthumb vulnerability, lots of people are looking for some easy instructions on how to get it taken care of. You should be, because I’ve cleaned up more hacks in the past 2 weeks related to this vulnerability than I have in the last 2 months – people ARE getting hacked due to this.

Unfortunately, if you’re not totally comfortable with code, upgrading this file can be a little scary. Good news: I’m here to help.

How do I know if I’m using timthumb?

This one isn’t too hard – the easiest way to figure this out is to use a scanner of some sort to search your server for the timthumb script. I’ve written a timthumb scanner that runs as a WordPress Plugin – you can find that here.

If you’d rather not install a plugin, you may be able to work it out by giving your blog a once over. Are you showing thumbnails on the homepage? If so, you might be using timthumb. Right click one of the thumbnails and choose “Open image in new tab” (or the equivalent; that’s the wording in Chrome on a Mac). In the new tab that opens, look at the URL bar: does timthumb.php appear anywhere in the URL (check the text right before the question mark, if there is one)? Note that this might also just say “thumb.php”, since some theme authors rename the file. One caveat: looking at image URLs only finds the copy your active theme is using. A copy sitting in an inactive theme or a plugin is still reachable by URL and still exploitable, so if in doubt, use the scanner.

How do I know if my timthumb script is vulnerable?

Fortunately, this one is pretty easy. Open the file in the WordPress theme editor or over FTP (it’s probably in your theme directory, called timthumb.php or thumb.php; the previous step should tell you which). Look for this code, near the top:


// external domains that are allowed to be displayed on your website
$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'blogger.com',
	'wordpress.com',
	'img.youtube.com',
	'upload.wikimedia.org',
);

// STOP MODIFYING HERE!
// --------------------

To clarify (or make things more confusing): If you see this:

// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains. 
if(! isset($ALLOWED_SITES)){
	$ALLOWED_SITES = array (
			'flickr.com',
			'picasa.com',
			'img.youtube.com',
			'upload.wikimedia.org',
			'photobucket.com',
			'imgur.com',
			'imageshack.us',
			'tinypic.com'
	);
}
// -------------------------------------------------------------
// -------------- STOP EDITING CONFIGURATION HERE --------------
// -------------------------------------------------------------

You’re OK. $allowedSites = bad, $ALLOWED_SITES = good. For another way to check, look near the top of the file for a line like this:

define ('VERSION', '2.8');										// Version of this script 

You’re good. Version 2.0 and later contain the fix for this vulnerability.
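Why the variable name is a useful tell: the two configuration blocks sit in front of two different domain checks. The Python below is an added example written for this post, not TimThumb’s own code (which is PHP). loose_allows reproduces the widely reported shape of the pre-2.0 check, which treated a URL as allowed if a listed domain appeared anywhere in it as a substring; strict_allows implements the rule the 2.x comment states (external images only from the listed domains and their subdomains) by parsing the host out of the URL first. The domain list is the one quoted above; the attacker hostnames are constructed for illustration.

```python
"""Loose substring allowlist vs. strict host-suffix allowlist.

Added example for this post; not TimThumb's code.  loose_allows() is a
reconstruction of the reported pre-2.0 bug shape (domain matched as a
substring of the whole URL); strict_allows() is the host/subdomain rule
the 2.x configuration comment describes.
"""
from urllib.parse import urlsplit

# The $allowedSites list quoted in the post.
OLD_ALLOWED_SITES = [
    "flickr.com",
    "picasa.com",
    "blogger.com",
    "wordpress.com",
    "img.youtube.com",
    "upload.wikimedia.org",
]


def loose_allows(src, allowed=OLD_ALLOWED_SITES):
    """Pre-2.0 style: allowed if any listed domain appears anywhere in src.

    The domain can sit in the path, the query string, or as a prefix of an
    attacker-controlled hostname, so this check is trivially bypassed."""
    lowered = src.lower()
    return any(site.lower() in lowered for site in allowed)


def strict_allows(src, allowed=OLD_ALLOWED_SITES):
    """2.x style: parse the URL, then require that the host IS a listed
    domain or ends with '.' + that domain.  Scheme must be http(s)."""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    for site in allowed:
        site = site.lower()
        if host == site or host.endswith("." + site):
            return True
    return False


# Constructed URLs: legitimate image hosts plus attacker-style bypasses.
SAMPLE_URLS = [
    "http://flickr.com/photo.jpg",
    "http://farm1.static.flickr.com/1/2.jpg",
    "http://blogger.com.attacker.example/evil.php",   # domain as hostname prefix
    "http://attacker.example/x.php?ref=flickr.com",   # domain in query string
    "http://evilflickr.com/x.jpg",                     # domain as suffix, no dot
    "http://attacker.example/img.jpg",
    "ftp://flickr.com/x.jpg",
]


def compare(urls=SAMPLE_URLS):
    """Return {url: (loose_result, strict_result)} for each URL."""
    return {u: (loose_allows(u), strict_allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        print(f"loose={str(loose):5} strict={str(strict):5} {url}")
```

The only URLs both checks agree on are the plain flickr.com ones and the plainly foreign one; every constructed bypass passes the substring check and fails the host check, which is the whole difference between the two configuration blocks.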

If it doesn’t look like you’re using the right version, it’s time to clean it up!

How do I fix it?

400 words later, we finally get back to the question posed in the title. Can I just replace the old, vulnerable code with new, safe code, and have everything still work? Yes, you can.
From the previous step, you’ve got the file open in your WordPress theme editor. All you need to do is replace the entire contents of the file with the code found here:

http://timthumb.googlecode.com/svn/trunk/timthumb.php

Save the file, and you’re done! Your thumbnails should still work, and you can sleep a little easier at night. Two caveats: if your theme had customized the configuration section of the old file (the allowed-sites list, cache directory, image quality), carry those settings over into the configuration section of the new file rather than pasting the old block back in. And upgrading closes the hole but does not undo a break-in that already happened: if the old version was exposed for a while, also check the cache directory and the rest of the site for files that should not be there.
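The identification and version-check steps above, collected into a script. This is an added example written for this post; it is not the author’s scanner plugin or any TimThumb project code. It assumes a copy of TimThumb can be recognized by its content rather than its file name (because themes rename it, and the script’s header comment mentions TimThumb), and it keys on the three markers quoted above: the old $allowedSites block, the new $ALLOWED_SITES block, and the define ('VERSION', ...) line. The sample files it scans are constructed inline so it runs offline; point scan() at a real wp-content directory to use it for real.

```python
"""Find TimThumb copies under a directory and report old vs. new.

Added example for this post; not the post's plugin or TimThumb code.
Assumptions: the file may have any name, so detection is by content;
the header comment of every TimThumb copy contains the word 'timthumb';
the markers are the ones quoted in the post.
"""
import os
import re
import tempfile

# Markers quoted in the post.
OLD_ALLOWLIST = re.compile(r"\$allowedSites\s*=\s*array")
NEW_ALLOWLIST = re.compile(r"\$ALLOWED_SITES\s*=\s*array")
VERSION_DEFINE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([0-9.]+)'\s*\)")
TIMTHUMB_HINT = re.compile(r"timthumb", re.IGNORECASE)


def parse_version(text):
    """Return the VERSION define as a tuple of ints, or None if absent."""
    m = VERSION_DEFINE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def classify_source(text):
    """Classify one PHP file's contents.

    'not-timthumb'  no TimThumb markers at all
    'old'           VERSION below 2.0, or the $allowedSites block
    'new'           VERSION 2.0 or later, or the $ALLOWED_SITES block
    'unknown'       mentions timthumb but matches neither config style
    """
    if not TIMTHUMB_HINT.search(text):
        return "not-timthumb"
    version = parse_version(text)
    if version is not None:
        return "new" if version >= (2, 0) else "old"
    if OLD_ALLOWLIST.search(text):
        return "old"
    if NEW_ALLOWLIST.search(text):
        return "new"
    return "unknown"


def scan(root):
    """Walk root and return {relative path: classification} for every
    .php file that looks like TimThumb, whatever it was renamed to."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            result = classify_source(text)
            if result != "not-timthumb":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = result
    return findings


# Constructed sample files standing in for a wp-content/themes tree.
SAMPLE_TREE = {
    "themes/old-theme/thumb.php": (
        "<?php\n// TimThumb script\n"
        "$allowedSites = array (\n\t'flickr.com',\n\t'blogger.com',\n);\n"
        "// STOP MODIFYING HERE!\n"
    ),
    "themes/new-theme/timthumb.php": (
        "<?php\n/* TimThumb */\ndefine ('VERSION', '2.8');\n"
        "if(! isset($ALLOWED_SITES)){\n\t$ALLOWED_SITES = array ('flickr.com');\n}\n"
    ),
    "themes/new-theme/functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
}


def demo():
    """Write SAMPLE_TREE into a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_TREE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan(root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:8} {path}")
```

Anything reported as old or unknown deserves a look; the renamed thumb.php in the constructed tree is caught by content even though its name never says timthumb.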

Plug Time: I do this service for subscribers to my WordPress backup and security monitoring service – so if you’re not sure you want to take it on yourself, have a look here. If you just have a question, or need some guidance, I’m happy to give that away for free. Get in touch with me at peter@codegarage.com. Good luck!

6 Comments
  1. When I replaced timthumb with a newer version my images were not sized correctly. Is there any way to secure my page without ruining the layout?

  2. People and especially theme developers should know about WPThumb. Way better than TimThumb IMHO. Check it out on GitHub here: https://github.com/humanmade/WPThumb

  3. Hi Peter,

    Someone suggested deleting the cache folder in your theme files because some bad scripts disguise themselves as pictures. Is this a good idea, or would it help? What’s the danger, if any, of deleting the cache?

  4. Hi there,

    Thanks for the information. I have manually uploaded the timthumb.php file to a client’s blog, but I would like to know how to fix the error I am getting from the timthumb scanner plugin, so that the plugin can scan regularly for further updates.

    When I run the scan, the result page begins to load but then is blank except for the message: Akismet is almost ready. You must enter your Akismet API key for it to work.

    If I open the scanner page again it still says the scan appears to have not been run yet.

    Any ideas?

    -Francois

  5. Hi Francois,
    Try going to the Akismet website and getting the API key for Akismet, and then, after installing the key, try running the script again.
    Or instead, deactivate the Akismet plugin, since if you don’t add the API key there is no reason for it to run.