Lifestyle Classic Theme Security Hole

[as20]

Hi,

I just got an email from my web host saying that there's a security hole with the WP thumbnailing library. Could you please give me more info on this or if this theme will be upgrated to get rid of that security hole? What do you suggest? (See below). Any help would be appreciated.

Thanks in advance.


--------------


The security hole exists in a Thumbnailing library, called TimThumb. This library is commonly used in Wordpress themes, and is used to create thumbnails and link images from other photo sharing websites.

This security exploit exists in a library that is used in Wordpress themes. It is not part of the core Wordpress. Even if you have your core Wordpress script up-to-date, you may still be vulnerable. It is also important to note that this is not a security issue only with Wordpress. Other scripts may make use of the TimThumb library, but Wordpress is by far the most common use.

A lot more information about this is available at our blog at:

http://blog.amssupport.info/?p=448

[adew]

Hi,

You should get yourself a copy of TimThumb version 2.0 which fixes this security issue. Simply grab the file from here and replace your existing copy of timthumb.php. (The orig file is probably in your theme's "tools" folder.)

Actually, I've just realised that the version of timthumb shipped with the classic themes had the external site capability removed (which is where the vulnerability lay in unmodified versions.) I would still advise upgrading the script as I believe the new version is quicker, leaner and meaner. :-)

[as20]

Thanks a lot Abe, that was helpful! But I did have another question. So looking at the higher version of timthumb, it looks a lot different from the old file. Do I have to edit anything or do I just replace exactly how it is? Here's what my old version looks like:

---

PHP Code:

<?php
/*
    TimThumb script created by Tim McDaniels and Darren Hoyt with tweaks by Ben Gillbanks
    http://code.google.com/p/timthumb/

    MIT License: http://www.opensource.org/licenses/mit-license.php

    Paramters
    ---------
    w: width
    h: height
    zc: zoom crop (0 or 1)
    q: quality (default is 75 and max is 100)
    
    HTML example: <img src="/scripts/timthumb.php?src=/images/whatever.jpg&w=150&h=200&zc=1" alt="" />
*/

/*
$sizeLimits = array(
    "100x100",
    "150x150",
);
*/

define ('CACHE_SIZE', 250);        // number of files to store before clearing cache
define ('CACHE_CLEAR', 5);        // maximum number of files to delete on each cache clear
define ('VERSION', '1.09');        // version number (to force a cache refresh

$imageFilters = array(
    "1" => array(IMG_FILTER_NEGATE, 0),
    "2" => array(IMG_FILTER_GRAYSCALE, 0),
    "3" => array(IMG_FILTER_BRIGHTNESS, 1),
    "4" => array(IMG_FILTER_CONTRAST, 1),
    "5" => array(IMG_FILTER_COLORIZE, 4),
    "6" => array(IMG_FILTER_EDGEDETECT, 0),
    "7" => array(IMG_FILTER_EMBOSS, 0),
    "8" => array(IMG_FILTER_GAUSSIAN_BLUR, 0),
    "9" => array(IMG_FILTER_SELECTIVE_BLUR, 0),
    "10" => array(IMG_FILTER_MEAN_REMOVAL, 0),
    "11" => array(IMG_FILTER_SMOOTH, 0),
);

// sort out image source
$src = get_request("src", "");
if($src == "" || strlen($src) <= 3) {
    displayError("no image specified");
}

// clean params before use
$src = cleanSource($src);
// last modified time (for caching)
$lastModified = filemtime($src);

// get properties
$new_width         = preg_replace("/[^0-9]+/", "", get_request("w", 0));
$new_height     = preg_replace("/[^0-9]+/", "", get_request("h", 0));
$zoom_crop         = preg_replace("/[^0-9]+/", "", get_request("zc", 1));
$quality         = preg_replace("/[^0-9]+/", "", get_request("q", 80));
$filters        = get_request("f", "");

if ($new_width == 0 && $new_height == 0) {
    $new_width = 100;
    $new_height = 100;
}

// set path to cache directory (default is ./cache)
// this can be changed to a different location
$cache_dir = './cache';

// get mime type of src
$mime_type = mime_type($src);

// check to see if this image is in the cache already
check_cache( $cache_dir, $mime_type );

// if not in cache then clear some space and generate a new file
cleanCache();

ini_set('memory_limit', "30M");

// make sure that the src is gif/jpg/png
if(!valid_src_mime_type($mime_type)) {
    displayError("Invalid src mime type: " .$mime_type);
}

// check to see if GD function exist
if(!function_exists('imagecreatetruecolor')) {
    displayError("GD Library Error: imagecreatetruecolor does not exist");
}

if(strlen($src) && file_exists($src)) {

    // open the existing image
    $image = open_image($mime_type, $src);
    if($image === false) {
        displayError('Unable to open image : ' . $src);
    }

    // Get original width and height
    $width = imagesx($image);
    $height = imagesy($image);
    
    // don't allow new width or height to be greater than the original
    if( $new_width > $width ) {
        $new_width = $width;
    }
    if( $new_height > $height ) {
        $new_height = $height;
    }

    // generate new w/h if not provided
    if( $new_width && !$new_height ) {
        
        $new_height = $height * ( $new_width / $width );
        
    } elseif($new_height && !$new_width) {
        
        $new_width = $width * ( $new_height / $height );
        
    } elseif(!$new_width && !$new_height) {
        
        $new_width = $width;
        $new_height = $height;
        
    }
    
    // create a new true color image
    $canvas = imagecreatetruecolor( $new_width, $new_height );
    imagealphablending($canvas, false);
    // Create a new transparent color for image
    $color = imagecolorallocatealpha($canvas, 0, 0, 0, 127);
    // Completely fill the background of the new image with allocated color.
    imagefill($canvas, 0, 0, $color);
    // Restore transparency blending
    imagesavealpha($canvas, true);

    if( $zoom_crop ) {

        $src_x = $src_y = 0;
        $src_w = $width;
        $src_h = $height;

        $cmp_x = $width  / $new_width;
        $cmp_y = $height / $new_height;

        // calculate x or y coordinate and width or height of source

        if ( $cmp_x > $cmp_y ) {

            $src_w = round( ( $width / $cmp_x * $cmp_y ) );
            $src_x = round( ( $width - ( $width / $cmp_x * $cmp_y ) ) / 2 );

        } elseif ( $cmp_y > $cmp_x ) {

            $src_h = round( ( $height / $cmp_y * $cmp_x ) );
            $src_y = round( ( $height - ( $height / $cmp_y * $cmp_x ) ) / 2 );

        }
        
        imagecopyresampled( $canvas, $image, 0, 0, $src_x, $src_y, $new_width, $new_height, $src_w, $src_h );

    } else {

        // copy and resize part of an image with resampling
        imagecopyresampled( $canvas, $image, 0, 0, 0, 0, $new_width, $new_height, $width, $height );

    }
    
    if ($filters != "") {
        // apply filters to image
        $filterList = explode("|", $filters);
        foreach($filterList as $fl) {
            $filterSettings = explode(",", $fl);
            if(isset($imageFilters[$filterSettings[0]])) {
            
                for($i = 0; $i < 4; $i ++) {
                    if(!isset($filterSettings[$i])) {
                        $filterSettings[$i] = null;
                    }
                }
                
                switch($imageFilters[$filterSettings[0]][1]) {
                
                    case 1:
                    
                        imagefilter($canvas, $imageFilters[$filterSettings[0]][0], $filterSettings[1]);
                        break;
                    
                    case 2:
                    
                        imagefilter($canvas, $imageFilters[$filterSettings[0]][0], $filterSettings[1], $filterSettings[2]);
                        break;
                    
                    case 3:
                    
                        imagefilter($canvas, $imageFilters[$filterSettings[0]][0], $filterSettings[1], $filterSettings[2], $filterSettings[3]);
                        break;
                    
                    default:
                    
                        imagefilter($canvas, $imageFilters[$filterSettings[0]][0]);
                        break;
                        
                }
            }
        }
    }
    
    // output image to browser based on mime type
    show_image($mime_type, $canvas, $cache_dir);
    
    // remove image from memory
    imagedestroy($canvas);
    
} else {

    if(strlen($src)) {
        displayError("image " . $src . " not found");
    } else {
        displayError("no source specified");
    }
    
}

/**
 * 
 */
function show_image($mime_type, $image_resized, $cache_dir) {

    global $quality;

    // check to see if we can write to the cache directory
    $is_writable = 0;
    $cache_file_name = $cache_dir . '/' . get_cache_file();

    if(touch($cache_file_name)) {
        
        // give 666 permissions so that the developer 
        // can overwrite web server user
        chmod($cache_file_name, 0666);
        $is_writable = 1;
        
    } else {
        
        $cache_file_name = NULL;
        header('Content-type: ' . $mime_type);
        
    }

    $quality = floor($quality * 0.09);

    imagepng($image_resized, $cache_file_name, $quality);
    
    if($is_writable) {
        show_cache_file($cache_dir, $mime_type);
    }

    imagedestroy($image_resized);
    
    displayError("error showing image");

}

/**
 * 
 */
function get_request( $property, $default = 0 ) {
    
    if( isset($_REQUEST[$property]) ) {
    
        return $_REQUEST[$property];
        
    } else {
    
        return $default;
        
    }
    
}

/**
 * 
 */
function open_image($mime_type, $src) {

    if(stristr($mime_type, 'gif')) {
    
        $image = imagecreatefromgif($src);
        
    } elseif(stristr($mime_type, 'jpeg')) {
    
        @ini_set('gd.jpeg_ignore_warning', 1);
        $image = imagecreatefromjpeg($src);
        
    } elseif( stristr($mime_type, 'png')) {
    
        $image = imagecreatefrompng($src);
        
    }
    
    return $image;

}

/**
 * clean out old files from the cache
 * you can change the number of files to store and to delete per loop in the defines at the top of the code
 */
function cleanCache() {

    $files = glob("cache/*", GLOB_BRACE);
    
    $yesterday = time() - (24 * 60 * 60);
    
    if (count($files) > 0) {
        
        usort($files, "filemtime_compare");
        $i = 0;
        
        if (count($files) > CACHE_SIZE) {
            
            foreach ($files as $file) {
                
                $i ++;
                
                if ($i >= CACHE_CLEAR) {
                    return;
                }
                
                if (filemtime($file) > $yesterday) {
                    return;
                }
                
                unlink($file);
                
            }
            
        }
        
    }

}

/**
 * compare the file time of two files
 */
function filemtime_compare($a, $b) {

    return filemtime($a) - filemtime($b);
    
}

/**
 * determine the file mime type
 */
function mime_type($file) {

    if (stristr(PHP_OS, 'WIN')) { 
        $os = 'WIN';
    } else { 
        $os = PHP_OS;
    }

    $mime_type = '';

    if (function_exists('mime_content_type')) {
        $mime_type = mime_content_type($file);
    }
    
    // use PECL fileinfo to determine mime type
    if (!valid_src_mime_type($mime_type)) {
        if (function_exists('finfo_open')) {
            $finfo = finfo_open(FILEINFO_MIME);
            $mime_type = finfo_file($finfo, $file);
            finfo_close($finfo);
        }
    }

    // try to determine mime type by using unix file command
    // this should not be executed on windows
    if (!valid_src_mime_type($mime_type) && $os != "WIN") {
        if (preg_match("/FREEBSD|LINUX/", $os)) {
            $mime_type = trim(@shell_exec('file -bi "' . $file . '"'));
        }
    }

    // use file's extension to determine mime type
    if (!valid_src_mime_type($mime_type)) {

        // set defaults
        $mime_type = 'image/png';
        // file details
        $fileDetails = pathinfo($file);
        $ext = strtolower($fileDetails["extension"]);
        // mime types
        $types = array(
             'jpg'  => 'image/jpeg',
             'jpeg' => 'image/jpeg',
             'png'  => 'image/png',
             'gif'  => 'image/gif'
         );
        
        if (strlen($ext) && strlen($types[$ext])) {
            $mime_type = $types[$ext];
        }
        
    }
    
    return $mime_type;

}

/**
 * 
 */
function valid_src_mime_type($mime_type) {

    if (preg_match("/jpg|jpeg|gif|png/i", $mime_type)) {
        return true;
    }
    
    return false;

}

/**
 * 
 */
function check_cache($cache_dir, $mime_type) {

    // make sure cache dir exists
    if (!file_exists($cache_dir)) {
        // give 777 permissions so that developer can overwrite
        // files created by web server user
        mkdir($cache_dir);
        chmod($cache_dir, 0777);
    }

    show_cache_file($cache_dir, $mime_type);

}

/**
 * 
 */
function show_cache_file($cache_dir) {

    $cache_file = $cache_dir . '/' . get_cache_file();

    if (file_exists($cache_file)) {
        
        $gmdate_mod = gmdate("D, d M Y H:i:s", filemtime($cache_file));
        
        if(! strstr($gmdate_mod, "GMT")) {
            $gmdate_mod .= " GMT";
        }
        
        if (isset($_SERVER["HTTP_IF_MODIFIED_SINCE"])) {
        
            // check for updates
            $if_modified_since = preg_replace("/;.*$/", "", $_SERVER["HTTP_IF_MODIFIED_SINCE"]);
            
            if ($if_modified_since == $gmdate_mod) {
                header("HTTP/1.1 304 Not Modified");
                exit;
            }

        }
        
        $fileSize = filesize($cache_file);
        
        // send headers then display image
        header("Content-Type: image/png");
        header("Accept-Ranges: bytes");
        header("Last-Modified: " . $gmdate_mod);
        header("Content-Length: " . $fileSize);
        header("Cache-Control: max-age=9999, must-revalidate");
        header("Expires: " . $gmdate_mod);
        
        readfile($cache_file);
        
        exit;

    }
    
}

/**
 * 
 */
function get_cache_file() {

    global $lastModified;
    static $cache_file;
    
    if(!$cache_file) {
        $cachename = $_SERVER['QUERY_STRING'] . VERSION . $lastModified;
        $cache_file = md5($cachename) . '.png';
    }
    
    return $cache_file;

}

/**
 * check to if the url is valid or not
 */
function valid_extension ($ext) {

    if (preg_match("/jpg|jpeg|png|gif/i", $ext)) {
        return TRUE;
    } else {
        return FALSE;
    }
    
}

/**
 * tidy up the image source url
 */
function cleanSource($src) {

    // remove slash from start of string
    if(strpos($src, "/") == 0) {
        $src = substr($src, -(strlen($src) - 1));
    }

    // remove http/ https/ ftp
    $src = preg_replace("/^((ht|f)tp(s|):\/\/)/i", "", $src);
    // remove domain name from the source url
    $host = $_SERVER["HTTP_HOST"];
    $src = str_replace($host, "", $src);
    $host = str_replace("www.", "", $host);
    $src = str_replace($host, "", $src);

    // don't allow users the ability to use '../' 
    // in order to gain access to files below document root

    // src should be specified relative to document root like:
    // src=images/img.jpg or src=/images/img.jpg
    // not like:
    // src=../images/img.jpg
    $src = preg_replace("/\.\.+\//", "", $src);
    
    // get path to image on file system
    $src = get_document_root($src) . '/' . $src;    

    return $src;

}

/**
 * 
 */

function get_document_root ($src) {

    // check for unix servers
    if(@file_exists($_SERVER['DOCUMENT_ROOT'] . '/' . $src)) {
        return $_SERVER['DOCUMENT_ROOT'];
    }
    
    // check from script filename (to get all directories to timthumb location)
    $parts = array_diff(explode('/', $_SERVER['SCRIPT_FILENAME']), explode('/', $_SERVER['DOCUMENT_ROOT']));
    $path = $_SERVER['DOCUMENT_ROOT'] . '/';
    foreach ($parts as $part) {
        $path .= $part . '/';
        if (file_exists($path . $src)) {
            return $path;
        }
    }    
    
    // the relative paths below are useful if timthumb is moved outside of document root
    // specifically if installed in wordpress themes like mimbo pro:
    // /wp-content/themes/mimbopro/scripts/timthumb.php
    $paths = array(
        ".",
        "..",
        "../..",
        "../../..",
        "../../../..",
        "../../../../.."
    );
    
    foreach($paths as $path) {
        if(@file_exists($path . '/' . $src)) {
            return $path;
        }
    }
    
    // special check for microsoft servers
    if(!isset($_SERVER['DOCUMENT_ROOT'])) {
        $path = str_replace("/", "\\", $_SERVER['ORIG_PATH_INFO']);
        $path = str_replace($path, "", $_SERVER['SCRIPT_FILENAME']);
        
        if( @file_exists( $path . '/' . $src ) ) {
            return $path;
        }
    }    
    
    displayError('file not found ' . $src);

}

/**
 * generic error message
 */
function displayError($errorString = '') {

    header('HTTP/1.1 400 Bad Request');
    die($errorString);
    
}
?>

----------------
vs. the new version here:

http://timthumb.googlecode.com/svn/trunk/timthumb.php

[adew]

Version 2.0 was a complete rewrite, therefore the code will look different. You don't have to edit anything - just replace the old timthumb file with the new one.

[nazzman]

Here is some background from

Matt Mulllenweeg's blog.

[farpointmedia]

Yeah, I'd stumbled across Mark Maunder's forensics posts talking about what he'd discovered, and while updating a couple client sites, I'd completely forgotten that Lifestyle classic used it, and that I'd added it to a site I'd done with Magazine classic.

So I updated timthumb where needed, and even removed it on a couple of my personal sites, since I'm in mid-update with new themes for those, and will have to run Regenerate Thumbnails when I transition anyway

I'm not sure why Mullenweg'd be taking a backhanded swipe at premium themes and the use of timthumb; starting in 2005-6, 4 of the first 7 WordPress websites I ever did were based on mimbo and arthemia, both of which were free at the time, and also used timthumb.

Premium themes were barely just coming on the scene back then, and having seen plugins come and go, I was concerned that someone with a premium theme might also become fly-by-night, leaving us in the lurch. The original Revolution themes changed my mind about that, real quick.

That said, much love to my Revolution/Studio Press peeps. The websites for my shows wouldn't have been nearly so easy to get going without you guys and gals.

[adew]

Quote:

Originally Posted by farpointmedia

I'm not sure why Mullenweg'd be taking a backhanded swipe at premium themes and the use of timthumb; starting in 2005-6, 4 of the first 7 WordPress websites I ever did were based on mimbo and arthemia, both of which were free at the time, and also used timthumb.

I agree, I thought that his comments were misplaced. I think Mimbo was the first "magazine" theme I ever used, too! Then I discovered Revolution...

[adew]

Since this is resolved, I'll close the thread.