TimThumb Vulnerability

Recently I heard that there was a potential vulnerability in a small PHP script called TimThumb. It’s a script which is used by quite a few WordPress plugins and also by developers. It handles auto-generation of different thumbnail images.

It’s a fairly handy script, but ever since the implementation of WordPress custom image sizes I haven’t really had need for this sort of thing. Still, I knew it was advisable to check our server and see what sites might have the TimThumb in use.

First up I just handled it through scanning from the command line on our server.

find /path/to/server/www/folder/ -name timthumb.php

This gave me a list of any instances of this script on our server. In most cases the scripts were actually not in use at all, and could just be deleted. However a couple of client websites had the script in place through a plugin (such as Awesome Flickr Gallery, or Event Manager).

Fortunately there’s an easy fix! Just install the TimThumb Vulnerability Scanner on your WordPress site and follow the steps. This plugin will update any instances of the TimThumb script in your /wp-content/ folder to a secure version.

More information about the plugin available at the CodeGarage blog.