The Aftermath Of The TimThumb Vulnerability

Sucuri Security has a great post that begins to review the aftermath of the massive exploitation of the TimThumb image resizer script. According to their calculations, about a million pages have been compromised through the script; filtering the results down to the past thirty days still yields over 200,000. Exploitation of the script is an ongoing problem and will most likely remain one for the foreseeable future. If you think an old version of the TimThumb script is on your server, use the TimThumb vulnerability scanner plugin.

The TimThumb exploitation event is interesting in that so many websites became compromised despite the issue not being relevant to the core of WordPress itself. I wonder if there are any other popular scripts or dependencies that plugins or themes use that could end up in the same situation?

5 Comments


  1. I only got into WordPress this fall and was absolutely lucky when I signed up for Elegant Themes just a few days after this vulnerability had been corrected!

    Instead of shaking me, however, this incident has only made me feel all the better about having chosen WordPress for my sites. Thus, I’m not too concerned about any other security holes in the many plugins and themes available. May the WordPress community continue to mature in security, usability, and functionality!



  2. Yes, I noticed that the BlueHost hosting service was automatically correcting and fixing all accounts that used the TimThumb script.



  3. I actually started using TimThumb after the exploit hit – using the upgraded version.

    The reason was because I store my images used in posts on Photobucket and none of the core of WordPress will handle an external image unless it is uploaded to the media library. I don’t want that now.



  4. Hmm, given how massively popular TimThumb is I think one can safely assume that if it can happen to a plugin as widely used as that one it can happen to others as well.



  5. The thing that WordPress COULD do, is give some kind of advance notice about what is in the plugin you are installing. Far too many themes contain obfuscated code with horrid little advertising links, and people install these, blissfully unaware of their payload. Similarly, if the theme is installing extra PHP code, like timthumb.php, then it is surely worthwhile to tell the world.

