The TimThumb Saga

Last week a serious flaw was found in the code behind TimThumb, an image re-sizing library commonly used in premium themes.* Because the code is commonly embedded in themes, it’s not easy to discretely update like it would be if the code were a plugin. Even when a theme is updated, people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications. That, combined with the severity of the flaw, means that this is one of the more serious issues in the WordPress ecosystem in a while, even more than normal because it wasn’t in core.

It could have gone a lot of ways, but the incident brought out the best in the community. The core team sprang into action, searching through the theme directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it. Mark Maunder, who originally discovered and broke down the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up. Forking is not usually ideal because it fragments the market for users, but Mark soon connected with Ben Gillbanks, long-time WordPress community member, and they’ve joined forces to release TimThumb 2.0, a collaboration that exemplifies Open Source at its finest. An updated plugin should be in the directory shortly.

It also illustrated the original vision I had behind VaultPress. In addition to reporting early and emailing customers with vulnerable code, the following morning they had devised a way to go in and surgically correct vulnerable code on over seven hundred affected websites. This fixing-problems-while-you-sleep delighted users and is exactly the kind of problem I hoped VaultPress would solve for people and it underscores the core value of the service. If you’re not using VaultPress for your most important websites yet, you should.

* I originally had a long rant here, but here’s the 13-word version: I’ve seen no correlation between how much something costs and its code quality. This is getting better as more people become familiar with the coding standards of core, and PHP in general, but there is still a long way to go. If you want to avoid this in your own code, check out Theme Check and Log Deprecated Notices to start. If you’re looking for code to base your own theme on, it’s best to start with something like 2010 or 2011.

44 thoughts on “The TimThumb Saga”

  1. Hi Matt
    Thanks for the update. I’ve noticed the flaw, but sooner than I expected the VaultPress team notified me about the problem – fixed now!

    Thanks for the great service and products (and code!)

    1. I second the multisite issue. I have an important multisite install that I would love to protect with VaultPress. I have my credit card handy. Now it’s just a waiting game.

  2. You should keep your rants in the post. I am neither a coder nor a techie, but I love creating sites. I have been a long-time WP user. For a while, I used to think the only way to get a quality theme was to pay a lot – I was very wrong! I have since learned a little coding, and with the forums, etc., now just use 2010 or 2011 and modify it – and the best part – no expensive theme clubs!

    1. That’s sort of why I pulled the rant: I didn’t want people to see it as a blanket condemnation of paid themes and plugins. The core issue is education — WordPress makes it easy for anybody to create a plugin or theme, and market success has more to do with visible elements, like design and marketing, than with the under-the-hood quality of the code.

      Because premium and paid products generally are bought more by users than skilled developers, they just have fewer eyes on them than something that was freely shared or in core. However as we create more resources and WordCamp sessions and videos and tutorials to help people up their skills and standards this problem will fade, so ultimately I’m optimistic.

      1. Is there someplace where you lay out the proper way for a consultant to make money on their efforts? If not paid themes or plugins?

        It seems that you are saying that group coding is better than paying an individual or business, giving them a reason to care about the quality of their code?

        Or maybe that a wordpress project is wordpress core developers + the end user with no developer middle man?

        Is it really your position that third party developers with a smaller client base are a “problem” that will be resolved by the wordpress core giving end users all the solutions they need to do it themselves?

        I’m sure your opinion on this is recorded somewhere. I just haven’t run across it in a coherent form yet.

      2. The point I was trying to make is it’s totally fine to charge for themes or plugins under the GPL, and lots of contributors to WordPress do, but you shouldn’t assume that just because you pay for something that its code is higher quality.

      3. I think you and others are creating an environment in which people are trying their best. In the end, optimism and a supportive environment will give you more than we could get any other way.

        WordPress = win.

  3. I can understand that. I know I had a couple of themes using Tim Thumb and they want you to set one or two folders to 777 which is always a dangerous practice. In fact, with the PHP my host uses, the highest permission you can grant is 755. I never really understood why they used it, either. The normal WP media library re-sizes and NextGen Gallery works as well. Hopefully, V2 will fix all the issues with T. Thumb!

    1. I’ll tell you why, WordPress’ resizing functions are a pain.

      Don’t get me wrong, I would prefer that everybody used it since that would make my job easier.

      There are two things that need to change in WordPress core before I think timthumb will be used less.

      1. WordPress needs to offer an easy way to get the attachment id based on a url. Many existing themes had to roll their own featured image(s) functionality and they used urls and not attachment ids to do this. This is the case with one site I’m doing some work on now and it has forced me to use timthumb.

      2. WordPress needs to be willing to resize images at run time. If I pass a custom size I expect wordpress to give me an image with said dimension. Instead it will try and give me something close if it exists, I’m sorry but you cannot develop a site if images vary by hundreds of pixels. Instead if you want a specific size you have to add it to the list of image sizes and wordpress will resize new images for you when they are uploaded. No dynamic runtime resizing for you Mr. dev. So instead you have tons of resized images but none of them what you asked for.

      1. I’d like to see WP take up some more of NextGen’s functions, especially mass upload and of course. I do know from hearing at several WordCamps in the past couple weeks from a couple core developers that there is interest to optimize the media section of WP in the future.

      2. My main point was with all the site hacking due to php injection, neither Tim Thumb nor any other script should ask or expect you to set permissions to 777. Luckily the sites I have that do use Tim Thumb seem to run O.K. with permissions of 755.

      3. Image handling in WP isn’t overly fun for developers or end users.

        The WP Media Library needs to be greatly overhauled. It’s crazy that at the moment the only way to create galleries in pure WP is adding multiple images to a post/page. And then you can’t re-use them in other posts or pages.

        As for the developer… As Daniel says, there’s holes there too. For many devs, TimThumb is a godsend. Personally I don’t like it, but for those of us who don’t, we have to go looking for other PHP image processing solutions. Be interesting to know just how many custom solutions are out there because WP provides insufficient tools?

        We can bag TimThumbs all we like, but it proves unequivocally there is a need, and I believe a need that WP itself should be meeting.

  4. Matt wrote: “If you’re looking for code to base your own theme on, it’s best to start with something like 2010 or 2011.”

    That is egotistical, extremely presumptuous, entirely belittling to code developers everywhere. The people who develop TwentyTen and TwentyEleven are not – by an intergalactic longshot – the only people capable of writing quality secure code.

    1. If you have any other suggestions feel free to drop them in the thread. I’m just saying two that are widely available and that I personally endorse. They’re reviewed not only by the entire core team but by the larger community of WP developers active on Trac, which isn’t common.

    2. I wholeheartedly agree with Matt that both TwentyTen and TwentyEleven are great code bases to start your themes on. This is why ‘naked’ themes are so popular. Speaking of which, I need to get around to stripping TwentyEleven when I get a chance!

      TwentyTen and TwentyEleven utilise many of the core and newly released features of WordPress. It’s always better to learn from these themes so you do things the WordPress way rather than another way e.g. TimThumb 🙂

      As Matt said you’re getting the best coders, security and UI people reviewing these themes so they are excellent themes to start with!

    3. Mark, I didn’t read it that way. After using Thesis, Genesis, Connections, Journalist, & Thematic (& others?), having a couple of “canonical” – modern – themes which are officially “blessed” by both core and community is a relief.

  5. When I saw the notes on TimThumb’s flaw, I had made a patch for my own clients who chose specific frameworks that use it. I do not use it myself, but I am really glad of the quick response and teamwork on fixing the issue. Thanks for the update, Matt!

  6. So you are making major announcements about it to let all the creeps know it is there and open to hack or whatever the problem is, before there is a fix for it?

    1. Fixes for TimThumb were released before the problem was announced, and long before this post. There were further security improvements after, and it has since been rewritten entirely.

  7. Just include TimThumb into WordPress. Like all the javascript stuff. Updates can be done by WordPress updates. A lot of templates use it. The WordPress resize function is really a pain.

  8. “If you’re looking for code to base your own theme on, it’s best to start with something like 2010 or 2011.”

    I totally agree. I made a child theme of 2011 for my blog recently and I did customize it easily and quickly. I’m not a designer. I just wanted a unique theme for my blog. 2011 was the best option to base my theme on. And I’m glad I chose it. I learned a lot of new things about CSS, too!

    Check my blog and tell me what you think of the customization.


  9. It seems to me that…

    1) WordPress is a tool that is provided to the public without charge, 2) It is a product that saves me incredible time in building a blog or website; eliminating the need for scratch coding while still allowing the use of child themes for customization, 3) response to this issue was immediate and effective, and as pointed out, especially valuable as the community was/is so involved: isn’t that the point of “free software”?

    I suppose that anyone that has taken issue with this should probably take the time to write their own code and not rely so heavily on the amazing work of others only to berate them when dissatisfied.
    Good work WordPress.

  10. IGIT Related Posts thumb I guess is the first victim of this vulnerability. It used timthumb and its latest update injected code into wordpress files…. It took me a while to remove the code. But I guess there should be even higher security of the WordPress plugins in its directory.

  11. As some people here already mentioned: There would be no need for something like timthumb, if WP wouldn’t lack its features.
    And please redo the WP media library if you want to be taken as a real CMS:
    – assign unique IDs to all files (in the DB, no hotlinking)
    – let people create folders to sort their files themselves (with user roles)
    – search & sort (for) file types

    Anyway: thanx for WP! It is on a good way :).

  12. After my ISP told me, that my site’s performance sucks because of the timthumb script I found image_extractor plugin as a perfect solution. Once installed it resizes pictures perfectly server-side and stores the destination size in a cache folder. Problem solved.
    Several options for output…

    Kind regards from Austria,

  13. Matt, the good news is that WordPress is now so huge that a security hack, no matter how unrelated it is to WordPress is associated with the platform as a whole! I think that deserves a congratulations of some sort right?

  14. This is an old post, however, just in case someone in the far reaches of the cyber Universe, is reading this, today I found a theme, (that has 102 references to the old version, yes the one that started all this discussion) Also last year, on a server operated out of Oklahoma city, had a version of this file that was installed on a shared web server, the result, was that 300 websites were hacked.

    I just cannot understand why we would even still be using the same name allowing some mal users to place code in a theme then wait for someone to download it and install it so they can hack a blog.

    Can we not just ban the use of timthumb.php?