Ok – so – TimThumb. I am sure many people have seen this already but some code exploits were recently discovered in TimThumb. Now that everything is under control once more I thought I would explain what happened and what is going to happen in the future.
The exploit that was found was a bug with the external image resize functionality and the fact it could be used to download and execute files. There was code in place that restricted the downloads to a whitelist of clean sites, but it wasn’t strict enough and so a hole was found that could inject php onto your server.
I found the bug myself on Friday the 29th, when my own site was exploited, so I promptly started work closing up the hole. On the following Monday the exploit was announced by Mark Maunder and I got more help with hardening up the security in the script. On Thursday Mark, the person who had announced the exploit, released a total rewrite of the script – and on Friday 5th of August we joined forces to release TimThumb v2.0 – a total rewrite.
TimThumb 2.0 is a total, ground up, rewrite – written with security in mind from the start. There have been a whole heap of improvements to security making this the strongest TimThumb release ever. In addition the code has been remade in an object oriented fashion, and there have been some new features added that will hopefully make the script even more popular than before.
If you hadn’t guessed already this update is a required one. If you haven’t updated already then download the TimThumb code from Google Code and update your sites now.
Mark has said he will continue coding TimThumb, and we are now in talks with the WordPress team about integrating similar things into the WordPress core. We’re not sure how the functionality will work, whether a plugin, core plugin, or just including TimThumb itself – however it looks likely that the code will be brand new, utilizing WordPress core features.