This morning we were made aware of a security flaw within the Timthumb image resizing script, which is utilized in our themes for dynamic image resizing. It is also widely used in other WordPress themes and plugins.
As a result of this security flaw, the author of TimThumb and the author of WordThumb have worked together to release TimThumb v2 which fixes these security issues.
We’d highly recommend that you update your WooFramework as described below.
How to update your theme

You need to update to the latest version of the WooFramework (v4.4.2), as we have now moved thumb.php into the framework so it is easier to keep updated. There is also a new function in the framework which will remove your old TimThumb from the theme.
To update your Framework, simply go to your theme menu and select “Update Framework” (see our tutorial on the topic).
Need further help?
We have created a dedicated forum for TimThumb issues in our support forum. Please make a new post in this forum and we’ll be along to assist you. View the new forum.
I suppose the more pressing question is why WooThemes use some custom php library instead of WordPress’ own ones?
We have the option to use both native WP Post Thumbnails with dynamic image resizing and the thumb.php for dynamic resizing.
WP Post Thumbnails will stress the server resources less, but the thumb.php offers some advantages in remote resizing, automatic inline image resizing, crop zoom adjustment etc.
So most of our themes have the best of both worlds, and you can choose which one to use. 🙂
I have the same question. Not that the WP core is immune to these sorts of bugs but the less chunks of un-audited code we can have laying around the better.
Ken
See comment above. Feel free to disable thumb.php in your Dynamic Images 🙂
The timthumb script you link to still has the security flaw, and replacing your thumb.php script with timthumb.php without renaming will break functionality if you rely on dynamic resizing.
This post has serious errors and is advising a course of action that will leave users sites vulnerable. You should take down the post until you can get it right.
Agreed
Hi
According to the latest fixes the security fixes have been applied in 1.34
http://code.google.com/p/timthumb/source/list
The post says to grab the code from the link and replace your thumb.php in the themes folder: “…and replace your thumb.php file in your theme folder.”
Not very smooth.
Did you have trouble updating your file? What wasn’t smooth? 😉
After replacing this in a ton of themes with the version provided by Woo above, I’ve noticed the comments above about the version Woo is linking to being insecure. What say you, Woo?
We’ll check with Ben Gillbanks again who is the author to confirm that version 1.34 is secure. I’ll also update the post on how to make it not use the remote sites.
Is the linked to version safe or not? I don’t want to make any changes until I know it’s secure!
It should be safe, but to make sure yours is 100% safe see the updated blog post above.
We need your answer ASAP, is very important to know if the timthumb.php linked is safe or not. I’ve spent half day updating the linked script 🙁 .
The script has been updated yesterday and today with submitted security fixes, but we’ll double check with the author. Also see the post where I’ve added info on how to disable remote hosts completely.
I think you need to update too woo tumblog plugin, in /functions directory .
Thanks we’ll update the plugin as well 🙂
Thanks for letting us know – will be updating today!
V2.0.6 is now available in the WordPress plugin repository with updated TimThumb 🙂
This seems a bit over reactionary. I believe I will just wait until a regular Canvas theme update is published.
All themes have been updated with latest thumb.php, but we aren’t updating the version number of our themes. Follow the instructions in the blog post above to update your thumb.php.
Why not bump the version number?
It would be nice to see the fix for the security exploit listed in the revision history. That way I’d know that was the version I wanted without having to come read the comments of this blog post.
Also, “We’d highly recommend that you grab the latest version of the theme *and* update your thumb.php” is a little confusing. I added emphasis on “and” in your post. If the theme has been updated then why the need to replace thumb.php.
I’m not trying to be pedantic. When dealing with security problems please be as clear and simple as possible.
Something like:
1. We have updated the latest version of every theme with a fixed version…
2. If you can not update your them to the latest version then…
Hi
Since this is a mass update to all themes we have elected to not update each changelog.txt and style.css to save time. The thumb.php has been updated several times since this blog post went live, so to continually push out latest updates we have to drop version updates in the themes.
By grab the latest version, we mean download it from our website and then update thumb.php on your site(s). There is no need to update the whole theme as that is a bigger process.
Hope that makes it a bit clearer 🙂
I am not offered the option to update the framework as your tutorial states. I am a little tired of going around in circles here.
What does one do if updating the framework is not an option? Reinstall and lose customizations? Surely not?
You guys have been great — until this happened and you have dropped the ball and created a real headache and time sucker for people who backed you…
real bummer
please get this sorted to date i do not see anything i can do but start from scratch
WooThemes is going to tell you to submit a ticket in their Support Forum.
But I would bet that you haven’t updated your Coffeebreak theme in awhile. The “automatic update” of the framework is a fairly new feature.
Try updating your theme manually — rename your current theme folder to something else… don’t delete it from your FTP just yet.
Then test your site to see if it works with the vanilla version of Coffeebreak.
For your customizations, you DID put them into a child theme, right?? 🙂
What does one do with this error???
Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in /home1/garagewi/public_html/vilkun-berries/wp-content/themes/coffeebreak/functions/admin-functions.php:2303) in /home1/garagewi/public_html/vilkun-berries/wp-content/themes/coffeebreak/functions/admin-theme-page.php on line 66
I am at wits end …
You may want to also check your server to make sure that your sites were not already compromised due to this security hole.
I would strongly suggest that everyone ‘grep -r base64_decode’ your server files and make sure there are no long strings (good sign you’ve been hacked).
There are also a ton of other steps that everyone should be taking, but that would take much more detail than I can provide in a comment, nor am I an expert, just a prior victim.
The real problem that is not even being talked about so far, is just how bad this really is. Considering that virtually anything can be injected, it is not out of the realm to understanding that a compromised site ‘really’ can compromise the entire server on many shared hosts.
To me, the worst part of timthumb has always been the server load it generates. Its just a really inefficient script.
How do you do that ? Do you have anything to help me to know this ?
On my website there is a major issue for about 3 weeks and I really dont know how to solve it 🙁 . Firstly my 4 oldest posts were republished but their content was replaced with some kind of ad… Weird. And now all my oldest posts are getting republished one after the other : this time their content is not altered but this is really annoying anyway !
That’s the reason why I need to know if my website was compromised… Thanks for your help !
Yup, that is a huge sign that you have been compromised. There is no way to tell from your post if it came as a result of timthumb or not, that will take a ton of investigation.
I would suggest reading through the wordpress forums for answers on how to recover. There are so many steps involved, that I can’t possibly detail them all in a comment. There are also a number of great articles on this which you can find via google.
Check out sucuri.net. They can clean your site and they have software that works within WordPress to keep you from being infected with malware in the future.
Yes I’m just about to do this, thanks 🙂
I also found Exploit Scanner :
http://wordpress.org/extend/plugins/exploit-scanner/
Going to give it a try too.
It takes too much time to load.
Why am I not able to get any thumbnails or images in the featured posts in the slideshow?
I switched to premium news, from comfy theme..
can you plz help me out?
Hi
We can only provide support to our members in our support forum.
I received an e-mail from Mark Maunder, he forked timthumb and rewrote the script. Here is his post about the secure rewrite: http://markmaunder.com/2011/a-secure-rewrite-of-timthumb-php-as-wordthumb/
http://code.google.com/p/wordthumb/
Looks very promising, but as this is a rewrite of the original timthumb, there are bound to be errors. I tested it by replacing my thumb.php code and already had some images not work, so this isn’t something we can implement into our themes now, but everybody should feel free to test it themselves by copying the source code into their thumb.php file.
Hi there. Has the timthumb script you’ve pointed to online been further updated? I ask because I can’t see any line in the code which says:
define (‘ALLOW_EXTERNAL’, FALSE);
Thanks
Richard
I should clarify by saying I can’t see any line which says:
define (‘ALLOW_EXTERNAL’,…
Seems this variable has been removed in 1.35 so you only need to remove the $allowed sites array.
Great, that’s what I’ve done to about 8 sites. Thanks Magnus.
I don’t use Woo themes, I had nothing against them in the past I just never have (I mostly build custom child themes, and am a Thesis refugee and now big Genesis fan), however reading this thread I’m much less inclined to _ever_ use a Woo theme in the future.
Seriously? You can’t seem to be bothered to do your OWN security audit of something that you’re bundling with your themes and then stand behind it? Is the version of timthumb you’re linking to secure or not? It really shouldn’t be a difficult question…
…and not indexing version numbers is a double #fail in my book.
We have done both our own and hired external sources to do security audits, and we did not pick up these issues with thumb unfortunately.
All our new themes have the option to use WP post thumbnails instead, so you don’t need to use this 3rd party script. It dynamically resizes these with WP’s own functions, so you can modify your image sizes on an existing site and it will update them straight away.
Sorry to hear that you are “much less inclined to _ever_ use a WooTheme”. You would be missing out, in my opinion. I’ve been a WooThemes user for a while. Their themes are among the most beautifully designed and best coded around. I’ve looked at quite a few, including StudioPress and Thesis. I admire Brian Gardner and what he’s built at StudioPress. He is a class act and one of the biggest reasons that I’m using WordPress at all. If you’ve never used WooThemes, why are you over here posting anything at all? What have you added to this conversation? And why the need to take the tone you’ve taken in your comment? It really wasn’t necessary, especially if you’re never, and still never, plan on using WooThemes. Kind of troll-like behavior in my opinion.
Kevin – Just because I’ve never built a site using a Woo theme doesn’t mean I don’t support or manage sites that do. I could have been more clear about that but didn’t think it really mattered why I was here. Regardless, the reason I came was to see what I needed to do to update those sites I manage that do use Woo, which is honestly just a few and none of which I built.
As I said, I have had a lot of respect for Woo themes over the years, but again, that doesn’t change that this response disinclines me from ever using a Woo theme in the future. Sorry the tone was so harsh, reflecting on it, it was in part that I hold Woo to a higher standard and was disappointed.
What I would expect of Woo and of any major theme developer is to come out and clearly say “We’re aware of this security threat and we’re working on it. As an interim solution you can manually go in and replace your thumb.php file with the latest updated version. When we’re sure that this security flaw is completely fixed we’ll release a +x.x.1 update to all the affected themes so you can update and know you have the latest version.”
Thanks for the clarification. I don’t disagree with the sentiment, but it definitely seemed to be a pretty harsh tone from someone that started out the comment by saying they didn’t use WooThemes. I think my take was more that I’ve grown to trust the WooTeam, and I felt that as the events unfolded, they would provide the best info as they had access to it. At the end of the day, I have daily and weekly backups that can be used to restore a site within an hour, tops, if need be. Worst case, something bad happens, I restore to a previously known good state. Not ideal, but sometimes things happen. Success to you as you continue to use WordPress and support clients that do.
I’m not a programmer or server expert. I simply want to ensure my sites are not affected by this vulnerability but am confused by all the advice here. So what is the best course of action to take right now?
Have all Woothemes been updated since this occurred and thus we should update right now (i.e. I only installed some themes last week, have they ALL been updated and need replacing?)?
Or will that not make a difference if the recommended and latest course of action is to “disable the allowed remote sites completely” as per latest post update here?
Even if we choose to use WP post thumbnails instead, wouldn’t thumb.php still reside on the server and thus pose a risk? (Dumb question maybe, like I said I’m not a programmer)…
Hi
I’ve updated the blog post to make it easier for you to see and download the secure version of thumb.php 🙂
All themes are using the production version of thumb.php which do have 3 sites in the $allowedsites array.
Only the thumb.php needs replacing inside the theme folder, which you can do via Appearance > Editor as shown in the blog post.
If you want to use WP Thumbnails instead, disable thumb.php in Dynamic Images and remove it from your theme folder.
Hope that clarifies the issue even more 🙂
I can’t help but think there Is a lack of support/certainty about what the best action to take is. I went to upgrade my thumb file and it still has the ALLOW_EXTERNAL function yet above a comment states that the new version removed this?! So what did I update? In my opinion, an update to this post needs to be published, providing the definitive steps to be taken!
Hi
Timthumb is continuously updated by the author when users supply fixes to it. The latest version is 1.35 and I’ve updated the blog post with a modified version of this which is secure.
Would setting allowed sites to false (which it was anyway) and removing the site list from the array do the job too? That’s what I did earlier before this post was updated.
Hi
Yes that is what we have updated the post with 🙂
Update to blog post:
Following the security issues in Timthumb, WordThumb has been released. We’ve tested this with our themes and it works quite well and is backwards compatible with Timthumb so you can simply replace the code in our themes thumb.php file.
Feel free to grab WordThumb and copy it into your thumb.php and see how it works for you. If you find any bugs you can report them directly to the author. We’ll do some more testing and hope you can report back if it works for you or not, then maybe we can update our themes to use it instead, as it promises to be faster and easier to setup (no cache folder to CHMOD when you install the theme).
Was this warning sent out as an email to all Woo users? I heard about it through a different theme vendor and then checked the Woo blog, but considering the possible severity of the problem, it would have been good to have received an email warning right away.
Thanks!
Scott
Hi Scott,
No we didn’t send out a warning yet as we were waiting on a complete fix, which now has come in the form of TimThumb v2.0 🙂
We’ll most likely send out an update on Monday.
Good news!
Ben Gillbanks and Mark Maunder have worked together to fuse TimThumb with WordThumb to release TimThumb version 2.0, which fixes the security issues and improves the script.
All our themes have been updated and you can see the blog post on how to update 🙂
Thanks for addressing this and updating us with all the new developments!
With TimThumb 2.0, is it still advised to further patch by deleting the allowed sites, or is it safe to leave them in?
V2 is secure so you don’t need to edit it 🙂
I have a few questions about version 2:
Should ALLOW_EXTERNAL be set to true (default) or changed to false?
Also, should the 4 ‘ALLOWED_SITES’ be removed or left in there?
Thanks
Nothing needs to be changed in V2 🙂
I was about to check out one of the woo themes as I’ve got awful problems with the theme I’m using right now with another premium theme company. And the problem with the above!! So if I choose a woo theme now have they been updated so no problems? I’m a newbie to blogging and don’t want to end up with technical problems!
Yes all themes have been updated with TimThumb v2 🙂
Fantastic!!! I’m now going to try out my trial 14 days, that’s a really brilliant idea, especially for newbies like me!!
I, for one, think the response in the WordPress community in general, and here at Woo in particular, was spot on. THIS is why you pay for a premium theme. Not so you won’t ever have issues. Rather, so when you DO, there’s someone to help sort it out.
Question: What is your recommended strategy for testing your site for previous intrusion? VaultPress is not in my budget. I suppose I can reinstall WP to overwrite any core files easily enough, but is there a way to determine if there has been an intrusion and your site is a ticking time bomb?
Hi and thanks for comment James 🙂
I believe Mark Maunder has some good info in his blog post on ways to check your server.
You might give sucuri.net a look as well as websitedefender.com. The latter is still in “Beta” but you can try it out for free. Both have at least a single free scan of your site to help check for malware. Perhaps one of the best tools, that I haven’t seen anyone specifically mention is Google’s Webmaster Tools. If you don’t have an account and haven’t set up your website in GWT, you should do that ASAP. Google will actually let you know if the bot detects malware. I’ve had a client for which Google’s notice re: malware was quite helpful.
I’m actually pretty impressed with how quickly and senselessly this issue was fixed. I’ve dealt with a lot of other places that would have taken a month or more to deal with something like this, which is totally ridiculous in my opinion. Keep up the good work guys.
*seamlessly not senselessly. Auto-correct sucks sometimes…
I noticed the latest Framework pulls TimThumb into the functions folder. Based on the source code, I assume the ‘optional’ config file needs to reside in the theme’s root directory. Right?
Hi, yes we just updated this today. Optional config file goes in theme folder.
Hi,
I’ve updated my thumb.php file according to your advice above, however, it seems my site has already been infected as it keeps redirecting me to
http://generation-internet.ru/pcollection/index.php
Is there a way to fix that?
Many thanks.
Mark Maunders blog posts should have some good info on how to check your server, and there is also some info here: http://blog.sucuri.net/2011/08/update-to-the-superpuperdomain2-com-malware.html
elmalak
Look in your .htaccess file, it is hidden down and way to the right… you will see a bunch of redirects
They will also leave a backdoor file in your (Woo) themes folder called wp.php. Delete that file.
They’re coming in with user agent ‘firefox/3.5.5 gtb5’ and make a POST request to ../wp-content/themes/woo-theme/wp.php HTTP/1.1
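The three indicators named in the comment above (a wp.php dropped in a theme folder, redirect rules appended to .htaccess, and POST requests to that wp.php with the quoted user agent) turned into checks a site owner can run on a copy of their files and access log. This is an added example and not code from the original thread or from WooThemes; the log lines, the theme folder names, the addresses and the redirect target are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original thread. Looks for the three
# compromise indicators described in the comment above on a copy of a site.
# Sample log lines and files below are constructed; only the request path
# and user agent come from the comment.

# 1. Access-log check: print "<client ip> <path>" for every POST request to a
#    wp.php sitting directly inside a theme folder (combined log format).
find_backdoor_posts() {
    grep -E '"POST [^"]*/wp-content/themes/[^/"]+/wp\.php[^"]*"' "$1" \
      | awk '{ print $1, $7 }'
}

# 2. File check: list wp.php files placed directly in a theme folder.
#    Stock themes ship no such file, so any hit deserves a look.
find_theme_wp_php() {
    find "$1/wp-content/themes" -mindepth 2 -maxdepth 2 -name 'wp.php' 2>/dev/null
}

# 3. .htaccess check: print Redirect/RewriteRule lines that send visitors
#    to an absolute http(s) URL, the form injected redirects usually take.
find_htaccess_redirects() {
    grep -nEi '^(Redirect|RewriteRule).*https?://' "$1/.htaccess" 2>/dev/null
}

# Constructed sample site: one clean theme, one theme with a dropped wp.php,
# an .htaccess with one injected off-site rule, and a three-line access log
# whose second line is the request pattern quoted in the comment.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/woo-theme" "$d/wp-content/themes/twentyten"
    : > "$d/wp-content/themes/woo-theme/wp.php"
    cat > "$d/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteRule .* http://example.invalid/landing [R=302,L]
EOF
    cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [18/Aug/2011:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Aug/2011:10:01:09 +0000] "POST /wp-content/themes/woo-theme/wp.php HTTP/1.1" 200 44 "-" "firefox/3.5.5 gtb5"
203.0.113.5 - - [18/Aug/2011:10:02:00 +0000] "GET /wp-content/themes/woo-theme/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
    echo "$d"
}

# Run with --demo to see all three checks against the constructed site.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    echo "== POSTs to theme wp.php";     find_backdoor_posts "$site/access.log"
    echo "== wp.php in theme folders";   find_theme_wp_php "$site"
    echo "== off-site .htaccess rules";  find_htaccess_redirects "$site"
    rm -rf "$site"
fi
```

Point the functions at the site root and its access log; the client addresses printed by `find_backdoor_posts` also tell you which other requests in the log to review, and a `wp.php` hit should be compared against the theme's clean download before it is removed, since the file is the evidence of how the site was used.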
Magnus,
can you please do some lobbying for an improvement in WP media (library) features? You have definitely more influence than us average users.
Thanx!
If you see the State of the Word video, Matt M gave some good indications of a re-work of the media library 🙂
I just received an email from Woo about this two minutes ago…. now I noticed it was posted on the 3rd august? Luckily everything is up to date now!
Yes, the 3rd…and today is the 18th!! Too little, too late for many of us…
We’re very sorry that we didn’t e-mail this out earlier. There are a few factors that influenced us to make the decision not to send it out until now.
If you get time, read the book, Blunder, by Zachary Shore. It discusses why smart people make bad decisions.
Not emailing everyone was a bad decision. Don’t do it again. 🙂
To be honest we didn’t think it was a major security issue, but when we learned that sites were indeed getting infiltrated we knew it was needed. We also had to patch the framework and add the TimThumb update functionality, which took some extra days to test to make sure it works.
But yes, we should have emailed everybody earlier, agreed, but I do think we were one of the first to do so…
I am a php developer (for 11 years now). I want to thank Magnus for dealing with this issue in a professional manner. ALL scripts encounter security challenges in their lifetime… WordPress has certainly had its share. The most important thing to remember is that the vulnerability has been addressed. It is also important to remember that it is the hacker who has chosen to profit through illegal and specious means rather than honest ones.
Thanks for the kind feedback! 🙂
Does this security issue affect the old TeemThumb plugin for EE you used to develop in the past, and for which I used to be a client of woothemes?
We’re not sure. Drop us a mail on support@woocommerce.com & we’ll put you in touch with our EE developer.
We recently received this from our host, 1and1 Abuse Department.
You received an alert concerning the security of your 1&1 account earlier. Our team of experts has now analyzed the incident. They ascertain that your 1&1 hosting account has been attacked via an insecure script you installed on your webspace.
You will find an analysis of the attack and instructions on how to secure your webspace against future attacks in this e-mail.
******************************************************************************
1. Analysis of the attack
******************************************************************************
1.1 The hackers processed the attack through a security leak in your software
– TimThumb
The website they are referring to has been compromised and the administration panel and website are now taken over.
What is your method of recovering the hours of work to create the website in this state?
Do a daily backup! That’s the only solution… See with your host provider 1&1 what options they’re giving to their clients about daily backups…
OH
I updated Timthumb, but I still see in the menu “Update Timthumb.” How can I delete this menu item? Thanks
I keep getting this message also. “Old version of TimThumb detected in your theme folder. Click here to update.”
I have updated to 4.4.1
Does that mean I’m fixed ? (I have 2 sites with WooThemes)
You need to click the link and update your old thumb.php.
If I have done some customization work to the CSS will this Framework update change any of that?
Nope, you can update the WooFramework without fearing any loss of modifications.
Thanks for your update about this security issue. I have massively modified many files of my templates plus the style.css and therefore I’m not really in a position to click on the update button. Would it be possible to just provide us with the new php file to replace, in order to ease up the process?
Be sure to make a backup of your theme before you upgrade. And the WooFramework will only update your functions.php file and the /functions/ folder, thus preserving all of your modifications.
Hey Woos,
Thanks for the warning and for making the process to take care of the problem so easy.
As a non-techie type, I was dreading the “process” so I was delighted that it took about four clicks and a minute to patch things up.
Thanks!
Alan
Glad that it worked out so well for you! 🙂
At Update Framework, I see that even though my version is different that the current version, a message says No Upgrade Needed. Does this mean that the timthumb security issues are up to date?
Welcome to the WooThemes Framework Updater. This updater will collect a file from the WooThemes.com server, download and extract the files to your current theme’s functions folder.
→ Your version: 2.9.27
→ Current Version: 4.4.1
No upgrade needed. You are already running the latest available version.
Frameworks older than 3.5 need a manual update, just upload an updated version of the theme or the functions folder.
Be sure to back up your theme before doing anything to it.