TimThumb 2.0

TimThumb is no longer supported or maintained.

Ok – so – TimThumb. I am sure many people have seen this already, but some code exploits were recently discovered in TimThumb. Now that everything is under control once more, I thought I would explain what happened and what is going to happen in the future.

The exploit that was found was a bug in the external image resize functionality: it could be used to download and execute files. There was code in place that restricted the downloads to a whitelist of clean sites, but it wasn’t strict enough, and so a hole was found that could inject PHP onto your server.
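As an added illustration (not code from TimThumb or from this post), here is one way to make both halves of that defence strict: match the remote host exactly or on a dot boundary, and name the cached file from the decoded image type rather than from the URL. The function names, the allowlist entries and the sample URLs are assumptions made for the example; the post does not show how the original check was written.

```php
<?php
// Added example, not TimThumb's code. Hosts and URLs below are constructed.
const ALLOWED_HOSTS = ['img.example.com', 'photos.example.org'];

// True only for http(s) URLs whose host is an allowed host or a subdomain of one.
function is_allowed_image_url(string $url, array $allowed = ALLOWED_HOSTS): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // no credentials in the URL: they obscure the real host
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowed as $site) {
        $suffix = '.' . strtolower($site);
        // Compare the whole host, or a suffix anchored on a dot boundary.
        if ($host === strtolower($site) || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Pick the cache file name from the decoded image type, never from the URL.
// Returns null when the bytes are not a GIF, JPEG or PNG.
function cache_name_for_image(string $bytes): ?string
{
    $info = @getimagesizefromstring($bytes);
    $ext = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($ext[$info[2]])) {
        return null;
    }
    // The type check reads only the header; the fixed extension and a cache
    // directory where the server runs no scripts are what stop execution.
    return hash('sha256', $bytes) . '.' . $ext[$info[2]];
}

$urls = ['https://img.example.com/a.png', 'http://cdn.photos.example.org/b.jpg',
         'http://img.example.com.other.test/c.php', 'ftp://img.example.com/d.png'];
foreach ($urls as $u) {
    echo $u, ' => ', is_allowed_image_url($u) ? 'fetch' : 'reject', PHP_EOL;
}
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='); // sample 1x1 GIF
var_dump(cache_name_for_image($gif), cache_name_for_image('<?php echo 1;'));
```

Only the first two sample URLs are accepted, and only the GIF bytes yield a cache name (a SHA-256 hex digest followed by `.gif`); the non-image input returns `NULL`.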

I found the bug myself on Friday the 29th, when my own site was exploited, so I promptly started work closing up the hole. On the following Monday the exploit was announced by Mark Maunder and I got more help with hardening up the security in the script. On Thursday Mark, the person who had announced the exploit, released a total rewrite of the script – and on Friday 5th of August we joined forces to release TimThumb v2.0 – a total rewrite.

TimThumb 2.0

TimThumb 2.0 is a total, ground-up rewrite – written with security in mind from the start. There have been a whole heap of improvements to security, making this the strongest TimThumb release ever. In addition, the code has been remade in an object-oriented fashion, and some new features have been added that will hopefully make the script even more popular than before.

If you hadn’t guessed already, this update is a required one. If you haven’t updated already, then download the TimThumb code from Google Code and update your sites now.

The Future

Mark has said he will continue coding TimThumb, and we are now in talks with the WordPress team about integrating similar things into the WordPress core. We’re not sure how the functionality will work, whether a plugin, core plugin, or just including TimThumb itself – however it looks likely that the code will be brand new, utilizing WordPress core features.
