code, WordPress

TimThumb Vulnerability June 2014

tl;dr: UBC Blogs, UBC CMS and the new CTLT Events websites are not and were not vulnerable. Your blog or cms site is and was safe.

A serious vulnerability was disclosed earlier this week in a popular third-party image manipulation script called TimThumb. The vulnerability allowed an unauthorized visitor to create, remove and modify many files on the server on which it was used.

Specifically, the 0-day issue is with a part of TimThumb called ‘webshot’ which, when enabled, creates a screenshot of a specified URL. Webshot is disabled by default in TimThumb meaning most websites that use it are safe from this particular attack.

Simply disabling webshot, by setting WEBSHOT_ENABLED to be false is enough to prevent this attack.

What about my UBC Blog or UBC CMS Site?

Your blog or site is – and was – completely safe. The vast majority of sites on Blogs or CMS do not use a theme which includes TimThumb. Of those themes that do use it, all have the webshot functionality disabled (the default).

Across our platforms we have 3 themes which use TimThumb. 2 of these are deprecated (CLF-Base and Thesis) and will be phased out this summer. The other 1 (Koi) isn’t widely used. As mentioned, all 3 were using a non-vulnerable version of this script.

How can I test for the vulnerability?

The easiest way – on a linux-based server – is to use a combination of the find and grep commands. You can search for the string ‘WEBSHOT_ENABLED’ in a simple one-liner:

find /var/www/location/of/wordpress/wp-content -type f -print0 | xargs -0 grep -l "WEBSHOT_ENABLED"

This will give you back the location of any files (recursively, within the wp-content directory – including plugins and themes) which contain the string ‘WEBSHOT_ENABLED’. If you receive results, you should open those files and ensure that it is set to false, i.e.

define( 'WEBSHOT_ENABLED', false );

A small rant from a WordPress developer

TimThumb, directly, has nothing to do with WordPress. It is a separate, stand-alone, can-be-used-anywhere PHP script written several years ago by someone for their own use on their own (WordPress) site. That person chose, in the spirit of open-source, to release what-was-to-be-named TimThumb so others could benefit from and improve upon his code. It solved a problem that many developers were having and gained a large audience very quickly. WordPress was already the most popular open-source CMS (as it remains to be) and as such had a huge following within the WordPress community.

The original developer – for whatever reason – could no longer support TimThumb and it was picked up and forked by several others.

Whilst the team behind the WordPress project have provided assistance in fixing vulnerabilities in the past and helped spread warnings to folks who were using outdated, vulnerable code, they really have nothing to do with it. As such, WordPress itself, has nothing to do with it. (As it happens, TimThumb is now practically obsolete within a WordPress environment as WP provides its own internal, native ways of doing what TimThumb can do).

Poorly researched articles by journalists who should know better have proclaimed that ‘yet again WordPress is vulnerable’. Not only is this nonsensical (WordPress, as a code base, hasn’t been hacked for an awfully long time now) and wholly inaccurate (as explained above), it’s nothing more than link bait which belittles and patronises the reader.

Comments like this;

So, there I was yesterday thinking about this one website I’ve been planning for months now on building and again toying with the idea of using WordPress but going back and forth in my mind about it because every so often I see yet another article about WordPress and some kind of security vulnerability and here today is a brand new one! So much for WordPress!

are made by people who have read such poorly researched and written articles. It is not the commenter’s fault that they have this impression, it’s the alarmist headline-writers who are to blame.

If you fit Pirelli tyres on your BMW and Pirelli discover there’s a flaw in their tyre, do you think headlines would be “BMW Cars now deadly to drivers”? Same idea.

Further information on TimThumb and the vulnerability


2 thoughts on “TimThumb Vulnerability June 2014

  1. Thanks for the clear and timely explanation (and I completely agree about the rant). It’s great to have WP developers at UBC sharing their expertise openly like this.

    • Richard says:

      Thanks Will. It’s great to work for an organization where open source is a core part of its offering. Being open and honest about issues we face is, in my opinion, part of the open source mentality.

Leave a Reply

Your email address will not be published. Required fields are marked *