
TimThumb 2.0

Ok – so – TimThumb. I am sure many people have seen this already, but a serious vulnerability was recently discovered in TimThumb that let attackers run their own PHP on affected sites. Now that everything is under control once more I thought I would explain what happened and what is going to happen in the future.

The vulnerability was in the external image functionality. When asked to resize an image from a remote URL, TimThumb downloaded the file into its web-accessible cache directory, where it could then be requested, and executed, like any other file under the web root. There was code in place that restricted downloads to a whitelist of trusted image hosts, but the check wasn’t strict enough: it only tested whether one of the whitelisted domain names appeared somewhere in the URL, not whether the URL’s host actually was that domain. A host of the form blogger.com.<attacker’s domain> passed the test, so an attacker could point the script at a server they controlled and inject PHP onto your server.
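As an added illustration (this is not TimThumb’s own code, and the whitelist entries and the attacker’s domain are assumed), here is the shape of a substring-style host check beside a strict one that parses the URL and compares the host exactly or on a dot boundary:

```php
<?php
// Added example, not code from TimThumb. The allow-list and the test URLs
// are constructed for illustration; "attacker.example" is hypothetical.
$allowedSites = ['blogger.com', 'wordpress.com', 'img.youtube.com'];

// Weak check: "does an allowed domain appear anywhere in the URL?".
// Any attacker-controlled host that merely contains an allowed name passes,
// and so does a URL that carries the name in its path or userinfo.
function weakIsAllowed(string $src, array $allowedSites): bool {
    foreach ($allowedSites as $site) {
        if (stripos($src, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: parse the URL, require http(s), reject userinfo, and
// compare the host itself: exact match, or a proper subdomain such as
// "www.blogger.com". "blogger.com.attacker.example" does not end in
// ".blogger.com", so it is rejected.
function strictIsAllowed(string $src, array $allowedSites): bool {
    $parts = parse_url($src);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // no file://, ftp://, data: etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // reject "http://blogger.com@attacker.example/"
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: one legitimate URL and three bypass attempts.
$urls = [
    'http://img.youtube.com/vi/abc123/0.jpg',          // legitimate
    'http://blogger.com.attacker.example/shell.php',   // allowed name as a label prefix
    'http://attacker.example/blogger.com/shell.php',   // allowed name only in the path
    'http://blogger.com@attacker.example/shell.php',   // allowed name in userinfo
];
foreach ($urls as $u) {
    printf("%-48s weak=%-5s strict=%s\n", $u,
        weakIsAllowed($u, $allowedSites) ? 'ALLOW' : 'deny',
        strictIsAllowed($u, $allowedSites) ? 'ALLOW' : 'deny');
}
```

Run from the command line, the weak check allows all four URLs while the strict check allows only the first. Note the caveat a strict host check does not remove: the script still trusts every file those third-party hosts serve, so whatever is fetched must also be validated as an image and stored under a name and location that the web server will never execute.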

I found the bug myself on Friday the 29th of July, when my own site was exploited, so I promptly started work closing up the hole. On the following Monday the exploit was announced publicly by Mark Maunder, and I got more help with hardening the security of the script. On Thursday Mark released his own total rewrite of the script, and on Friday the 5th of August we joined forces to release TimThumb v2.0, a total rewrite.

TimThumb 2.0

TimThumb 2.0 is a total, ground-up rewrite, written with security in mind from the start. There have been a whole heap of security improvements, making this the strongest TimThumb release ever. In addition the code has been remade in an object-oriented fashion, and some new features have been added that will hopefully make the script even more popular than before.

If you hadn’t guessed already, this update is a required one. If you haven’t updated yet, download the TimThumb code from Google Code and update your sites now. Bear in mind that TimThumb is usually bundled inside a theme or plugin rather than installed on its own, so check every site you run for copies of timthumb.php (there may be more than one) and replace each of them.

The Future

Mark has said he will continue coding TimThumb, and we are now in talks with the WordPress team about integrating similar functionality into WordPress core. We’re not sure yet how it will work, whether as a plugin, a core plugin, or by including TimThumb itself; however it looks likely that the code will be brand new, built on WordPress core features.


40 Comments

  1. I never thought that it would be so dangerous. I was even more afraid when I read Mark Maunder’s blog. Thank you for updating TimThumb to version 2.0 and giving it new features.

    Now downloading.. :cool:

    cheers

    • I have always been conscious of security – hence my reluctance to allow any domain, however it seems I wasn’t strict enough. I’ve learnt a lot from this experience – and TimThumb 2 is looking fantastic :)

  2. Hey Ben,

    Good to hear the updates on this. I, personally, was a bit sad to see how much the issue was hyped. I’ve always admired how TimThumb has been an integral part of the themes we’ve developed so far and how useful it has been.

    It’d be a dream come true if timthumb becomes an integral part of the WordPress code. The only thing that bothers us at the moment is the cache folder permission :)

    Once it gets into the WP core, there’s only good thing ahead.

    • I’ve been really proud of TimThumb and plan to continue using and maintaining it for some time. The demo Mark has put together for WordPress itself is very clever but I don’t think it approaches the flexibility of TimThumb itself – at least not in its current state. Hopefully with the might of WordPress behind it we can get something better working.

  3. Thanks for the timthumb update.
    We’ve tried to implement it on some of our multisite installation blogs and found a few errors we can not solve. We are having issues related with the site root being a symlink (some of the new security checks don’t work) and/or with the fact that we have a constant that moves the uploads folder to a different name (“uploads_xxx”).
    All seem related with behaviour of the realpath php function but we had to give up… I’ll try to include them in your issue tracking but it seems down at the moment (!). You can email me if you want concrete details.

  4. Thanks for the prompt response, but I don’t think this is the case. I should have clarified that we are not using MU or networked standard WP. We have a small patch to share a base dir with different confs, which so far has never affected any libs or plugins, including different versions of timthumb working great on some of the themes.

    I have posted an issue which I hope clarifies and is of help.
    http://code.google.com/p/timthumb/issues/detail?id=236

    We so far have downgraded to a previous version.

  5. Thank you for putting in the time and effort to rebuild for the benefit of everyone else. One of the sites I run was hacked through that exploit, and it’s really pretty awesome that you’ve got a patch for it up within a couple of weeks. Great work.

  6. Since I use timthumb (latest version) I cannot use CloudFlare anymore, because CloudFlare is not able to cache the images.

    Any suggestion to fix this situation?

  7. I am curious if you have considered making the core of TimThumb into a wordpress plugin, and then just changing timthumb.php so that it calls a function in the plugin.

    This would make it very easy to distribute updates for the code, as well as make it possible for clients to do this without having to do a theme update.

    Thanks!

    Mike

    • Thanks for the comment. I agree that this would make things simpler in terms of updates, but it would also rely on people integrating support for the plugin in their themes, and on users downloading the plugin and updating it when there are updates. All those things combined, IMO, will keep us in the same place we are in currently. The best solution would be for WordPress core to get something similar integrated (either TimThumb itself, or some custom code).

  8. Since I use timthumb (latest version) I cannot use CloudFlare anymore, because CloudFlare is not able to cache the images.

    Any suggestion to fix this situation?

    Please, I need help: if I activate CloudFlare the images are not cached, so they are not shown!

    Please give me some help with this!

  9. Hi, for us non-techies, please tell us how to update our sites, step by step?
    I’ve found the timthumb.php file in my site but what do I do next? I’ve seen the code at http://timthumb.googlecode.com/svn/trunk/timthumb.php but it’s full of scary talk about editing configurables and says nothing about what to do with the code. I’ve no idea what configurables are used by the plugin that uses timthumb and I don’t know what to do with the code. If I paste it into the timthumb.php file in my site will that do? But what if there are configurables in that file and this one overwrites them…
    Guidance would be really appreciated as my web host is about to shut all my sites that use timthumb unless I fix them straight away!

    • It’s a drop-in replacement. Don’t worry about configuring things. Just replace the existing file with the new one and you’ll be up to date.

  10. Hi,

    I used Timthumb in many projects.
    On a fast server everything is OK. No problems at all. (See http://www.hotelraya.it/photo-gallery.php)

    On slower ones (customers have cheap servers sometimes…) I have unpredictable broken images.
    See http://www.adelina-panarea.com/ or http://www.batik-mirinvento.it/la-galleria.php?galle=quadri&dida=quadri

    It seems to be a (random) MIME type recognition issue. On every refresh, which thumbnails are shown changes.
    I look around on the web and I can’t find a solution.

    Any help?

    Thanks

    Simone

  11. Is timthumb 2.0 the latest version? I was worried about hacking through timthumb issues. But I have tried timthumb and it is a totally amazing function. But I think you should use it with a limited number of images to have faster page load.

    • Hi – TimThumb is currently on version 2.8.3 I think. Make sure to keep it up to date through Google Code as this always has the latest version.

  12. May I know whether CloudFlare will cache the timthumb images? Because I realize that the extension of images generated by timthumb is not .jpg/.gif/.png anymore.
    Thanks

  13. Hi Ben

    I am having trouble with timthumb and contacted my hosting provider first.

    They tell me that WordPress is done via the Application Vault; the WordPress install is actually in /webspace/siteapps/34466/htdocs and

    timthumb is looking in the directory /webspace/httpdocs/crgroup.ie. “You will need to find the config file for timthumb to change.”

    I am not familiar with the tech side of PHP.

    What would I enter into the timthumb-config.php to make the change?

    thanks

    Trevor

  14. Hi Ben,

    While I was working on trying to get timthumb working on a CDN I noticed the update to the PHP program. I also noticed the size difference between the files. It’s 4 times the size of the previous one; is there any way to strip this down a bit?

    Also I can’t seem to change expires date of the images to be longer than 10 days. Any idea why this is?

    Stephen

    • Hi Stephen. What is 4 times the size – not sure what you mean there?

      The expires date is on line 1033 of the most recent version of TimThumb

  15. Hi Ben. I mean timthumb.php the most recent version is 4 times the size/weight of the previous one. But if you strongly recommend updating I will. Thanks for the note on expires date.

    • Hi Stephen – the size of the php file shouldn’t matter since it doesn’t get downloaded. The size of the files it generates are what affect the download speed. Despite being larger, hopefully the current version of TimThumb will be at least as quick as the one you’re upgrading from.

  16. Pingback: Don’t Build WordPress Plugins Into Your Themes | Eagle Web Tech LLC :: Web Enabled Technical Solutions :: Martinsburg, WV

  17. Great script Ben!
    Just a request, any plan to add a watermark feature using a TTF?
    Thanks for reply
