TimThumb was originally developed for use in the WordPress theme Mimbo Pro by Pro Theme Design, and development is currently run by Ben Gillbanks. The security issue was publicly announced by Mark Maunder, author of WordThumb, and soon he and Ben collaborated to release TimThumb v2 which fixed these security issues.
Ben was kind enough to allow us an interview with him, to gain more insight into the issue:
Thanks for taking the time for this interview Ben. Let’s talk about TimThumb. How did you first become aware of the TimThumb issue?
I first became aware of the issue when my own website was hacked through the TimThumb exploit. This happened a couple of days before the exploit became widely known. I very quickly added some fixes to try and close the hole, committing three improvements before things became public. Whilst they weren’t perfect fixes, they did solve the issue. This meant that the recommended fix could have been replaced with ‘upgrade the code’.
Mark Maunder first announced the TimThumb issue publicly and then you collaborated on TimThumb v2.0. Mark Mullenweg has labelled your collaboration as: “a collaboration that exemplifies Open Source at its finest.” What was the experience like collaborating with Mark on a solution?
After Mark announced the issue he created WordThumb, essentially a refactored, security-hardened version of the original TimThumb script. He then asked me if I would consider merging the two. I ran WordThumb through my TimThumb test environment and after a handful of bug fixes we decided to publish it. The whole process only took a couple of hours, and we all ended up with a much stronger product to use in our projects.
Why did you not announce the issue publicly yourself first?
Honestly – I didn’t know what to do. My first instinct was to fix the exploit, so I did that as soon as I could. I then couldn’t decide whether to announce the issue to the world, or just to keep quiet. I totally understand that people needed to be made aware of the problem, but I also didn’t know how to do that without encouraging hackers. In the end Mark made the decision for me.
In hindsight I should have said something sooner but there’s not much I can do to change things now. I will know better next time (although I really hope nothing like this happens again!).
The TimThumb security issue affected a large part of the WordPress community, mostly because it is so widely used. The community rallied to resolve the issue in record time. What are your thoughts on the WordPress community after this incident?
I have always thought the WordPress community is fantastic. The support I have had has been amazing. Without the community, WordPress wouldn’t be where it is today and I am really pleased that people have been so understanding.
Where do you see TimThumb (or TimThumb 2.0) in the future?
I will continue to support TimThumb, and Mark has said he will continue as well – so now that there are two sets of eyes on the code it should become a lot stronger. There have already been a handful of improvements to the code that I have wanted to make for a while, and I hope for them to keep coming.
The biggest thing for me is less about TimThumb and more about how to broadcast issues like this to the public, and how to make people upgrade outdated software. I don’t know of any perfect answer to either of those at the moment but they are things I am considering as well.