New TimThumb Exploit Found

TimThumb is no longer supported or maintained.

It was reported today that a new TimThumb exploit has been found. Unfortunately nobody told me about this before the exploit was announced – in fact I found out about the bug through wptavern.com so I haven’t been able to look into a fix for it. I’ve now contacted Mark who wrote the webshots code (which is where the exploit was found) and asked him to sort out a fix so hopefully Google Code will be updated soon.

Update: Mark has fixed the issue and so TimThumb should be secure once more, just update from Google Code.

Don’t Panic

First things first – most people using TimThumb don’t need to worry. The code is disabled by default, and even if it’s enabled you need to have two server side extensions installed to be able to execute it. However – to be sure you’re safe – you should make sure you have the following line set.

define('WEBSHOT_ENABLED', false);

This will disable the dodgy code and make sure you are safe.
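Checking one copy of the file by hand is easy; finding every copy on a site is not, because the script is often bundled inside themes and plugins under other file names. The audit script below is an added example (it is not part of TimThumb or of this post) that treats any .php file defining WEBSHOT_ENABLED as a TimThumb copy, reports whether webshots are switched on in each, and builds a constructed sample tree so it can be dry-run without a real install.

```shell
#!/bin/sh
# Added example: audit a directory tree for TimThumb copies whose webshot
# feature is enabled. Any .php file that defines WEBSHOT_ENABLED is treated
# as a TimThumb copy, since the script is frequently renamed when bundled.

# Print "<file> <enabled|disabled|unknown>" (tab separated) for each PHP file
# that defines WEBSHOT_ENABLED. Commented-out defines are ignored.
webshot_status() {
    dir="$1"
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        # First uncommented define() of WEBSHOT_ENABLED in this file, if any.
        line=$(grep -iE "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"]" "$f" | head -n 1)
        [ -z "$line" ] && continue
        # Pull out the second argument (true/false/1/0) and normalise its case.
        val=$(printf '%s\n' "$line" \
              | sed -E "s/.*WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*([A-Za-z0-9]+).*/\1/" \
              | tr '[:upper:]' '[:lower:]')
        case "$val" in
            true|1)  printf '%s\tenabled\n' "$f" ;;
            false|0) printf '%s\tdisabled\n' "$f" ;;
            *)       printf '%s\tunknown\n' "$f" ;;
        esac
    done
}

# Number of TimThumb copies with webshots switched on; 0 is the answer you want.
webshots_enabled_count() {
    webshot_status "$1" | awk '$NF == "enabled" { n++ } END { print n + 0 }'
}

# Build a constructed sample tree (not real site data) for a dry run:
# one copy with webshots on, one renamed copy with them off, one unrelated file.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bad-theme" "$root/good-theme" "$root/plugin"
    printf '<?php\ndefine ("WEBSHOT_ENABLED", TRUE);\n' > "$root/bad-theme/timthumb.php"
    printf '<?php\n// define ("WEBSHOT_ENABLED", true);\ndefine ("WEBSHOT_ENABLED", false);\n' > "$root/good-theme/thumb.php"
    printf '<?php\necho "no timthumb here";\n' > "$root/plugin/index.php"
    echo "$root"
}

# Usage: sh check_webshots.sh /path/to/wp-content
if [ -n "$1" ]; then
    webshot_status "$1"
    echo "copies with webshots enabled: $(webshots_enabled_count "$1")"
fi
```

Run it against wp-content (or the whole document root) and treat every line marked "enabled" or "unknown" as a file to open and fix; a copy that is outdated as well as enabled should be replaced with the current release from Google Code rather than just edited.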

Don’t use TimThumb

I haven’t written about TimThumb in a while. This is because I no longer maintain it (apart from times like now when these security things appear). Plus – there’s just better ways now.

WordPress has had support for post thumbnails for ages now – and I use these all the time in my themes. I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011.

If you want even more options then you can now use the Photon extension – which is part of the Jetpack plugin. It’s a cdn/ image resizer, as used by wordpress.com – and it’s awesome. It integrates seamlessly with the WordPress post thumbnail code, and it takes the image sizing load off of your servers.

I’ll be writing about Photon and how and why you should use it sometime in the next couple of weeks.

For now – just make sure you have the latest version of TimThumb – and that the code above is set.
