
WordPress Timthumb.php Vulnerability Scanner Plugin

September 2, 2011   ·   By   ·   133 Comments   ·   Posted in Plugin Releases, Security, Wordpress

Over the past few weeks, I’ve been absolutely inundated with requests to clean up hacks that have exploited the much publicized Timthumb.php vulnerability. I have to assume that the reason most people aren’t plugging up this security hole on their sites is either

  1. They don’t feel confident in their ability to find the problem
  2. They feel like the process to fix it is too complicated

To combat this, I took a couple of hours this morning to write a plugin that will do the dirty work for you. The WordPress Timthumb Vulnerability Scanner will check your entire wp-content directory (including all themes, plugins, and uploads) for any vulnerable (pre-2.0) instances of the timthumb script, and give you a one-click upgrade of each script to the latest, secure version.

The process is simple:

  1. Download the plugin here:
    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
  2. Install and activate using either FTP or the built-in WordPress uploader
  3. Go to the “Timthumb Scanner” page, under the “Tools” menu
  4. Click the “Scan” button.
  5. View your scan results.
    In this case, I’ve got one vulnerable (outdated) file, and 2 that have been updated and are safe. I’m going to want to upgrade that one vulnerable file – to do that, I just need to hit the “Fix” button next to it.
    You may not have any instances of timthumb on your site, or all of yours may be upgraded – if so, you’re all done!
  6. After hitting “Fix” for my one problem file, I’m showing “No Vulnerabilities Found”, which means I’m all set.

Just like that, you’re done. Quick and painless.

Note: If you’ve already been hacked, this will NOT clean up your site. This plugin fixes your door lock – which doesn’t matter if the burglars are already in your house.

Let me know of any problems or questions you have in the comments.

Good luck!

EDIT
Looking for a solution to scan a whole server, or a site not running on WordPress? By sort-of-popular demand, here it is:
http://codegarage.com/plugins/timthumb-full-server-vulnerability-scanner.zip
It’s much less polished, and much less tested, so use at your own risk.

133 Comments
  1. Thanks a million for this. I can’t believe you offer it for free. It saved me so many headaches on my blogs!

    • Glad you like it, Vic. Thanks!

  2. thanks for releasing this plugin – really help us as a blogger. great plugin, work and scan easily and the result for my site is “Vulnerable Timthumb Files: No Vulnerabilities Found! ” :)

  3. The plugin scan says I need to fix the timthumb in your plugin… I get this message on my windows server 2008 R2 hosted sites:
    Vulnerable Timthumb Files:

    Fix cg-tvs-filescanner.php (found at C:\inetpub\YourDomain/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php)

    Does this have anything to do with write access to a directory?

    • Hey Marc –

      This probably has to do with the fact that it’s a windows server you’re working on, and the paths I have set up aren’t working quite right. I’m not sure what advice to give, as I don’t have access to a windows server to test on. I can say this though: You definitely don’t need to fix the version included in the plugin.

  4. After running your script, our site crashed:

    A TimThumb error has occured

    The following error(s) occured:
    No image specified

    Query String :
    TimThumb version : 2.8

    We can’t even get in to wp-admin, and attempts to manually roll back the impacted files have not helped. Any suggestions?

    • Kyle got in touch with me, and we got his problem sorted out. It looks like there was a conflict with the “Category Icons” plugin. I’ve fixed this for version 1.2 – but if you’re using version 1.1 and you see a vulnerable file with “category-icons” in the path, don’t hit “Fix” on it.

  5. Having same problem as person above and have not got that plugin installed. The timthumb was in a theme folder. Have emailed you!

  6. hiya peter and thanks, but…

    a/ there’s no mention of multisite compatibility

    and

    b/ i’m most surprised *from a quality coder like YOU* that there’s no version number on the zip file -or- in the readme.txt file :-(

    looking forward to your comments

    sarah

    • Hey Sara –

      I appreciate your assumption that I’m a “quality coder”. Makes me feel warm and fuzzy inside. I’ll have to work on that readme.txt file.

      I haven’t tested it with multisite myself, but I’ve heard from a few people who have, and they’re saying good things. I think it should work without a hitch, but I’ll try to give it a whirl tomorrow morning. In the meantime, if you’re feeling ambitious, you might try it yourself and post what you find here – it would be greatly appreciated!

  7. ps: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/download/ states that v1.1 is the latest release!

    i know things are moving fast, but under the circumstances i’d have thought WP.org would have worked closer with you

    thanks again

    s

    • The WordPress.org repository only updates about once a day (I think), and I just missed the cutoff with 1.2 this morning. It should show up tomorrow morning.

  8. It’s a great plugin, but after running it on my site it crashed. There is a problem with the wp-thumbie plugin. The whole admin area was out.

    • Hey Carlos –

      Thanks for downloading the plugin, and I’m sorry you ran into problems with it! I’ve had reports of this happening with a few specific plugins and themes, and I think the 1.2 update (which should show up tomorrow) should fix the problem. I’ll check that specifically first thing tomorrow morning.

      In the meantime, if your site is inaccessible, try re-uploading wp-thumbie to your site via FTP – that should solve the problem (if you haven’t solved it already).

      Thanks!

  9. hey again!

    having watched your video – twice – and reading your comments/replies, i’ve no doubt whatsoever that you are indeed a ‘quality coder’!

    thanks for the positive feedback :-) i look forward to knowing exactly what version i have (either by the file name -or- at the top of the readme.txt document :-) )

    please keep up the AMAZING work – the wordpress community needs peeps like YOU!

  10. Thank you very much for this plug-in!
    I’ve postponed fixing this bug on my site after a warning from my theme-maker. Thanks to your plug-in it was easy to check (and fix if needed)!

  11. Irene

    Hi there,

    I was hacked – all of my sites were infected, so I am now working hard to have them all online very soon. I wish I had this tool a bit earlier – would have saved me a lot of time. But ok – I am glad we now have a plugin to control and hope this will never happen again.

    Have a nice day
    Irene from Germany

    • Sorry to hear you got hacked, Irene! If you need any help getting back up and running, drop me a line.

      Good luck!

  12. Little did I know this vulnerability existed in a plugin and my site’s theme. And when I knew about this plugin, and how it could fix the nasty loophole, I wanted to thank the creator of this plugin. So, here I am, thanking you for this wonderful plugin. :)

    There were two vulnerabilities found and fixed! I guess that was pretty easy. :)

    • Glad it worked out for you Sid! That’s the tricky thing about this vulnerability – you don’t realize that it’s hiding in old themes, plugins that you wouldn’t dream included it, or even your current theme. Glad everything worked out for you!

  13. Piet

    I thought I had it all covered, but your plugin found some timthumb files deeply hidden in an old theme. Now those are repaired so no more worries about getting hacked.
    Thanks Peter!

    • Glad to be of help, Piet!

  14. Thank you so much for making this plugin. I have bookmarked your site as the service you are offering looks very good and it is clear that you know what you are doing by making a plugin like this.

    Thanks again.

    • Thanks, Matt! If you have any questions, don’t be afraid to send me an email.

  15. Thanks so much for providing this plugin! It seems to work great, though I did find that it fails to see one instance of TimThumb. It doesn’t seem to scan inside the functions folder in a theme folder. In the case of WooThemes themes, they have moved thumb.php into the functions folder. Scanning a few WooThemes sites, it doesn’t detect v2.8 of TimThumb existing in the functions folder. :(

    • Hm – While it’s not a huge deal if it’s version 2.8, it SHOULD still be found, and placed in the “Safe files” list. I’ll see what I can find out.

      • If you need more info, feel free to e-mail me. And yeah, the file is safe, I just didn’t get the warm and fuzzy feeling that the scanner didn’t tell me it was safe. Would like to know that the scanner truly is looking at everything under wp-content. :)

      • Any update to this? It’s still happening. :(

  16. Peter, I notice that all of the screenshots of this plugin only find the file if it is named timthumb.php yet many of the affected copies were renamed by theme and plugin developers to be everything from thumb.php to icons.php and more. Is this actually scanning at the code level for ALL files or is it only content scanning for those files that are named timthumb.php which would create a false sense of security? Also is the plugin actually reading for the vulnerability itself or only looking at the versioning? For example Thesis uses a very old copy of timthumb that was BEFORE the vulnerability was introduced and is not affected. Is this plugin going to report that as safe or vulnerable?
    Kim

    PS: Subscribing to comments by email, look forward to following up with you.

    • Hey Kim –

      The plugin doesn’t pay any attention to filenames – what it’s actually looking for is the “credit” string that has been included in every version of timthumb for a long, long time (there are actually a few versions of this string; the plugin checks for each of them). Once it finds a file that contains a version of that particular credit string, it starts looking for a “Version” string that has been included since version 2.0. If that string is not found, or it is found but shows before version 2, it is flagged as vulnerable. So – Yes, you’re covered even if the theme has renamed the file something other than “thumb.php” or “timthumb.php”.

      HOWEVER – If the theme/plugin has taken that credit string out, or modified it, it won’t be caught. I’m not too worried about that for a couple of reasons:

      1. Timthumb is designed to run as a standalone script. I can’t think of any good reason to modify it (Ok – one good reason would be to fix the security vulnerability – but if someone had done that, they’d have alerted the community to what they found, and how to fix it, I hope).
      2. Removing credit links for code you got for free, and are using for something you are distributing, is low. Really low. Maybe illegal. Most people are better than that.

      So: Are there hypothetical situations that the plugin could be missing versions of timthumb? Yes. Maybe they even exist out there – but I haven’t actually seen one yet. If you do have one, (or if anyone reading this has one) that you think is vulnerable, but is NOT getting flagged by the scanner, please send it to me – preferably along with the rest of the theme, and I’ll have a look and see what changes could be made to catch it.

      Oh – and to answer your original question: The vulnerable code was introduced at some point after timthumb’s inception – I haven’t looked at exactly when. However – the scanner doesn’t look for the actual specific vulnerability, as it’s easier to just try to figure out the version, and assume that versions earlier than 2.0 are vulnerable. So – in your case, that file from Thesis SHOULD be flagged as vulnerable (even if the offending code – the $allowedSites variable – is empty, or doesn’t exist). Technically this is flagging files that don’t necessarily have to be upgraded, but I’d rather run the risk of having too many people upgrade than too few.

      One other thing – I’ve never really used or tinkered with TimThumb in its normal capacity, so my statement above (no one would have a real reason to modify the script) could be totally wrong – I don’t really have the experience to say so definitively. If you have evidence to the contrary, preferably with examples, please let me know.

      • Peter,

        Just sayin… you’re brilliant. Those are basically the answers I was hoping for and I’m excited to share this on my blog etc with my community. Thank you for taking the time to put this together, it’s going to save a lot of people a lot of headache.

        Kimberly
        PS: Should see a blog post from me either end of this week or beginning of next week.
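    The detection logic described in the post above and in the reply to Kim (look for a TimThumb credit string, then for the “Version” marker, and flag anything missing it or below 2.0), as an added Python example that is not the plugin’s own PHP code. The credit-string patterns, the shape of the version define, and the sample files are constructed assumptions; the scanner also keeps going when a directory can’t be opened and always returns lists, the two failure modes raised in later comments.

```python
import os
import re
import tempfile

# Assumed credit strings (hypothetical; the real plugin checks several variants
# of TimThumb's header comment, which are not reproduced here).
CREDIT_PATTERNS = [
    re.compile(r"TimThumb\s+script\s+created\s+by", re.IGNORECASE),
    re.compile(r"code\.google\.com/p/timthumb", re.IGNORECASE),
]
# Assumed shape of the version marker present from 2.0 on, e.g. define ('VERSION', '2.8.5');
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9.]+)['"]\s*\)""")
MIN_SAFE = (2, 0)


def parse_version(text):
    """Return the version as an int tuple (at least two parts), or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split(".") if p.isdigit())
    if len(parts) < 2:
        parts += (0,) * (2 - len(parts))
    return parts


def classify_file(path):
    """'vulnerable', 'safe', or None when the file is not TimThumb or unreadable."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    # Filenames are ignored on purpose: renamed copies are caught by the credit string.
    if not any(p.search(text) for p in CREDIT_PATTERNS):
        return None
    ver = parse_version(text)
    if ver is None or ver < MIN_SAFE:
        return "vulnerable"
    return "safe"


def scan_tree(root):
    """Walk a wp-content-like tree. Unopenable directories go into 'errors'
    instead of aborting, and every key is always a list (empty scan is fine)."""
    result = {"vulnerable": [], "safe": [], "errors": []}

    def on_error(err):
        result["errors"].append("Couldn't open %s" % err.filename)

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            verdict = classify_file(path)
            if verdict:
                result[verdict].append(path)
    return result


def build_sample_tree():
    """Constructed sample tree in a temp dir (not real TimThumb files)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    credit = "<?php\n/*\n * TimThumb script created by Tim McDaniels and Darren Alawi\n */\n"
    samples = {
        # old copy that still carries a pre-2.0 version define
        "themes/thesis_183/lib/scripts/thumb.php": credit + "define('VERSION', '1.09');\n",
        # renamed copy with no version marker at all
        "themes/old-theme/icons.php": credit + "// resize code would follow\n",
        # up-to-date copy
        "plugins/verve-meta-boxes/tools/timthumb.php": credit + "define ('VERSION', '2.8.5');\n",
        # unrelated PHP file without the credit string: must be ignored
        "plugins/other/index.php": "<?php\necho 'not timthumb';\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree; returns sorted basenames per verdict."""
    res = scan_tree(build_sample_tree())
    return {k: sorted(os.path.basename(p) for p in res[k]) for k in ("vulnerable", "safe")}
```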

  17. Greg Dyer

    Hi – Great plugin – Thanks!

    I do get this before the scan –

    Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /home/everyt27/public_html/blog/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php on line 32

    Warning: array_merge() [function.array-merge]: Argument #1 is not an array in /home/everyt27/public_html/blog/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php on line 32

    Can you advise?

    • Hey Greg –

      It took an awful lot of squinting, but I think I found the source of your problem: On line 25 of that file (timthumb-vulnerability-scanner/cg-tvs-filescanner.php), you should see something like this:

      if(!$dir_handle = @opendir($path)){
          $this->Errors[] = "Couldn't open $path";
          return false;
      }

      Try changing that to this:

      if(!$dir_handle = @opendir($path)){
          $this->Errors[] = "Couldn't open $path";
          return array();
      }

      Doing that should get rid of your warnings, but there’s a greater problem here: this is happening because the scanner can’t read all of the directories in your wp-content folder. If it can’t read them, it can’t scan them.

      The bright side is: If your permissions are set in a way that won’t allow the scanner to even read the files, the timthumb hack PROBABLY won’t work on your server. Lots of speculation in those sentences, so to be sure, it would probably be worth glancing through your wp-content directory to see if any timthumb installations exist.

  18. Can’t thank you enough for creating this plugin – simple to use & it works…can’t ask for more really!
    I was vulnerable so glad I used this…

    • Glad to hear it helped, Jaqueline!

  19. Ran this on my test server to test it out, and it bombed with lots of errors that say “Warning: preg_match() [function.preg-match]: Compilation failed: unknown property name after \P or \p at offset 28 in C:\wamp\www\wp\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 81” and then one final one that says “Fatal error: Maximum execution time of 30 seconds exceeded in C:\wamp\www\wp\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 8”

    • Hey Donna –

      I can’t say specifically what is going on there, but my GUESS is that it has something to do with your being on a windows server. It looks like you were testing it on Wamp locally – is your live site running on a windows server as well?

      I don’t have access to a windows box here to test with unfortunately – so I’m not much help. If anybody else has access to a windows server, and either the ability to debug the issue yourself, or willingness to test it out along with a few patches for me, get in touch!

      • Yep, running on localhost via wamp. My sites are on linux servers, so at some point tonight, I’ll run it on one of them and see if it has the same problem or not.

      • Ok, ran it on live sites (linux servers), and it ran fine. Thanks!

      • Glad to hear it worked for you Donna.

        I’m still anxious to get it fixed for windows servers, so if anyone has the requisite skills and access to a windows box, get in touch. Thanks!

  20. Thanks for your diligence! This has saved me and many others a lot of grief.

  21. Hi,

    My site got hacked and tried to fix them myself after. I tried to use this plugin and I got these messages:

    Warning: Cannot modify header information – headers already sent by (output started at C:\Inetpub\vhosts\domain.com\httpdocs\wp-admin\admin-header.php:34) in C:\Inetpub\vhosts\domain.com\httpdocs\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 410
    A TimThumb error has occured

    The following error(s) occured:
    Could not create the file cache directory.

    Query String : page=cg-timthumb-scanner
    TimThumb version : 2.8

    What should I do? I don’t have any good knowledge with codes.

    I need help please, any suggestion to fix my problem? :(

    • Ice, I’m not familiar with Windows server environments, so I can’t really help you too much.
      Are you seeing this on every page, or just when you try to run the scanner? If it’s every page, send me an email at peter@codegarage.com, and I’ll help you get it sorted out.

      • Hi Peter,

        Thank you for your reply. The problem only appears when I am running the scanner.
        Let me know if you want to check it out so I could give you the login details of the site or even the control panel.

        Best regards,
        Karl

      • Hi Peter,

        I’m also experiencing the same problem as Ice – did you get this resolved for him?

        Thanks,
        Jon

  22. Hi there,
    Thanks for this plugin! It’s worked on many of my sites and is wonderful! But now I’m getting this error message when I click Scan:

    Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /home/fungsh2/public_html/brightbodyfitness/wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php on line 5

    Don’t know what I need to fix in the file. Can you help? I’m running on WP 3.1 and using Thesis 1.8. (can’t update WP to 3.2.1 as my host is running PHP 4.4.9 and not higher.)

    Thank you!

  23. I have a single shared hosting account with possibly 200 timthumb files scattered across hundreds of WP installations. Do you know of anyone that has modified this script to search a wider range of directories?

  24. Hi Peter,

    Thanks for this plugin. I implemented this in my (attached) website, but could not perceive any threats. I know for sure that the blog has been hacked (I can see external links in the page source, but I never put them in). Could you suggest what I could do? I used Timthumb scanner. Interestingly, I checked my files in hostgator, and I don’t have timthumb.php or thumb.php in my folders.

    Much appreciated!

    • Neeraj, Unfortunately, this particular vulnerability is not the only way that hackers can gain access to your site. It sounds like you got hacked by other means.

      If you need help getting your site cleaned up, send me an email (peter@codegarage.com), and we can talk about your options.

  25. If you lived next door, I’d bake you guys free bread for life. As a faux techie, I’ve been pulling my hair out over the Tim Thumb thing for a couple weeks now. Thanks a million!

  26. Hi,

    Thanks for the plugin. Had to fix quite a few problems. Hope no damage was done.

    Nik

  27. It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  28. Hi, love the idea of this, but when i hit scan, NOTHING happens. Any idea why ? thanks

  29. Fix for version 1.3 to make this plugin work on Windows servers. Tested on a WAMP installation.

    http://pastebin.com/fz0ZWjzK

  30. Peter,
    Thanks very much for this. The scanner just updated itself and upon re-scanning, found the culprit. A client website is now running beautifully. Just got to get them to flesh it out now.
    Thanks again
    John

  31. Hi there

    I LOVE this plugin (assuming I’m all clear!!! ;o)

    I manage to run it fine and it comes up with the problems fine, but it also lists these 2 as vulnerable also

    cg-tvs-filescanner.php the path is listed as /wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php

    class-cg-tvs-filescanner.php the path on this one is /wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-filescanner.php

    On one site for example I had these 2 and 3 other files identified. Upon checking the box on all 5 I got an error ;o( However, if I did not check the boxes on the 2 above, the others were fixed fine.

    SO – my question is whether the 2 above are actually part of your plugin and ok? If not then do they pose any risks not being “fixed” as they say?

    I am on a windows server if that helps?

    thanks for your help!!!!

  32. Great plugin, works like a dream and works like advertised. What a useful time saver.

    Thanks for the hard work!

  33. WOW!! Thank you so much for this!! I’m just a beginner with all of this stuff and your plugin saved me a bunch of time and I can move on with my site development with the peace of mind knowing my timthumb is up to date!!

    THANK YOU!

  34. Hi there,

    I installed your plugin but it gives me the following error when I run the website scan.

    “Warning: preg_match() [function.preg-match]: Compilation failed: unknown property name after \P or \p at offset 52 in E:\inetpub\vhosts\nutratec.pt\httpdocs\wp-content\plugins\timthumb-vulnerability-scanner\class-cg-tvs-filescanner.php on line 46”

    Can you help me?

    Thanks

    JD

  35. Question — why does the plugin not realize the latest version is 2.8.4?

  36. It appears that 2.8.5 of TimThumb is out now though Timthumb Scanner states that 2.8.4 is the latest. I’m also having an issue where 2.8.2 is detected as out of date, and when I select the files to be upgraded, though the plugin states that they are updated, they aren’t [a refresh of the page confirms that, as does looking at the actual files themselves]. Screenshot: https://skitch.com/vjl323/gwuka/timthumb-scanner

  37. TimThumb use “base64_decode”?

    http://i.imgur.com/kN6aV.png

  38. I had 2.8.4 of TimThumb installed, and used this Scanner Plugin to update to 2.8.5, but it actually downgraded me to 2.8.2? Am I missing something?

  39. Hello. I get this message when scanning: Warning: Invalid argument Supplied for foreach () in / home / go / public_html / wp-content / plugins / vulnerability-scanner-timthumb / class-cg-tvs-plugin.php on line 115

  40. luchosar

    This message appears:
    Warning: Invalid argument supplied for foreach() in /home/fsagroco/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php on line 115

  41. Hi Peter. Using 2.8.8, I am getting this error after scanning:

    Warning: Invalid argument supplied for foreach() in /home/myuser/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php on line 115

    Thoughts?

  42. I always get the error message
    “2 vulnerable Timthumb files found. Fix them here.”

    The files are:
    /wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php
    /wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-filescanner.php

    Fixing them produces the following further error:
    File cg-tvs-filescanner.php at /wp-content/plugins/timthumb-vulnerability-scanner/cg-tvs-filescanner.php successfully upgraded.

    File class-cg-tvs-filescanner.php at /wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-filescanner.php successfully upgraded.
    A TimThumb error has occured
    The following error(s) occured:

    No image specified

    Query String : page=cg-timthumb-scanner
    TimThumb version : 2.8.9

    WordPress version 3.3.1 on a Windows Server

    It is odd to see vulnerability on the plugin itself? What should we do?

  43. FYI, the “Warning: Invalid argument supplied” is only happening when the scanner can’t find any instances of TimThumb on the site.

  44. Hi Jason,

    Yeah I get that very same issue across all of my sites (approx 20 at the moment)

    I’m not certain, but I am thinking this is a common error (although the timthumb files other than those listed above appear to get updated fine).

    However, once I hit that problem you mentioned, I find it does not then allow another scan without throwing up the same error again.

    ;o(

  45. I’m getting this error when trying to SCAN:

    Warning: Invalid argument supplied for foreach() in /home/leadersh/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php on line 115

    Looks like a must-have plug-in, so appreciate your help!
    :D

    • Hey Damien –

      This is a harmless, but annoying error – it just means you don’t have any timthumb instances on your server. This bug is fixed as of version 1.52.

      Thanks!

  46. I’ve just installed your fantastic plugin on one of my client sites and am getting the following error message when I try to run a scan:

    Warning: Cannot modify header information – headers already sent by (output started at /home/redwood/public_html/wp-admin/includes/template.php:1657) in /home/redwood/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-filescanner.php on line 424
    A TimThumb error has occured

    The following error(s) occured:
    Could not create the file cache directory.

    Query String : page=cg-timthumb-scanner
    TimThumb version : 2.8.5

    Do you have any ideas as timthumb was working fine until I ran this scanner, and i have used it on lots of other sites.

    I look forward to hearing from you soon. Shoot me an email and i’ll send you the URL of the website in question.

    thanks,

    Scott.

  47. Hi. I ran the plugin and now I get

    A TimThumb error has occured

    The following error(s) occured:
    No image specified

    Query String :
    TimThumb version : 2.8.5

    I need to fix this asap – please help!

  48. Luis

    I wish to make the plugin stop yelling that in my blogs there are “2 vulnerable Timthumb files found.”
    The two Timthumb scripts are safe and updated, so how to stop this annoyance.
    The problem is that it may happen that anytime in the future it will show 3 instead of 2 and I will ignore the advice.

    • Which files are being flagged? is one of them cg-tvs-filescanner.php, or something similar?

      • Luis

        The files are:

        2.8 timthumb.php /wp-content/plugins/verve-meta-boxes/tools/timthumb.php
        1.09 thumb.php /wp-content/themes/aladdin/lib/scripts/thumb.php

      • Luis

        Sorry my bad, the second one is not from Aladdin theme but Thesis theme. It should read:

        1.09 thumb.php /wp-content/themes/thesis_183/lib/scripts/thumb.php

      • Luis

        No solution to my problem?
        Any suggestion?
        If the plugin checks version number, may I include a version number in my safe scripts?

  49. Hi Peter. I can confirm that the “Invalid argument” is resolved in 1.52 — many thanks for your continued support for this plug-in!!!

    - Scott

  50. Thank you for this plugin. I have installed it on 5 WP sites and no hassles as yet. I even found out about your locker service and have had client sign up for this service.

    I just had a site hacked with this vulnerability and it took 2 days or more to work it all out but feel safer now.
