Image Manipulation Script Vulnerabilities

Yesterday, Mark Maunder published a blog post making people aware of a vulnerability in the popular PHP image manipulation script TimThumb. Anyone that uses TimThumb should definitely read that article to make sure that the vulnerability gets patched. Almost a year ago, though, I posted (and I was far from the first) about a vulnerability in another extremely popular PHP image manipulation script; phpThumb.

Although it’s disappointing to see these types of issues arise in popular software, it really shouldn’t come as a major shock. Both of these scripts are extremely powerful, and, as we all learned from Spiderman, “with great power comes great responsibility.” In this case, that means that we, as users, need to be especially vigilant when using something that performs such complicated tasks so easily.

I am very happy to see that the author of TimThumb jumped on this issue so quickly (the phpThumb vulnerability went unpatched for over a year with no action from the author). It does look, though, like the author finally released a new version that supposedly patches the issue in April of this year.

The bottom line is that, whenever you use any kind of script on your server, especially one as powerful as TimThumb, phpThumb or even WordPress, it is extremely important to keep the scripts updated to the latest versions, to continuously monitor any news (especially security bulletins) about the script and, to a lesser extent, try to understand as much as possible what the script actually does.

You can grab the latest version of TimThumb from its Google Code project page and you can grab the latest version of phpThumb from its Sourceforge project page. Be forewarned, though, that these scripts might both still contain vulnerabilities; and make sure you stay on top of any security bulletins about both.

In addition, I wouldn’t recommend using either of these scripts if you don’t need them. If you simply need to resize images and are using WordPress as your blogging system or CMS, use the built-in functionality in WordPress. Even it does include vulnerabilities, WordPress can be patched much more easily than phpThumb or TimThumb, and you are still working with a single set of code, so there are fewer areas open to vulnerabilities. The only reasons I can imagine that you should use TimThumb or phpThumb instead of the built-in WordPress image manipulation functions would be:

  1. You need images to be cropped from a region other than the center of the image
  2. You need the images to be resized instantly and dynamically (though, that might just be poor planning)
  3. You need to modify the images by adding filters to them (such as a watermark)
  4. You need to enlarge images (though, really, you shouldn’t be enlarging images programmatically – the quality will degrade just as much as it would to simply display the original image at a larger size using CSS or HTML attributes, and the file size will obviously increase)

If you don’t need any of those features, you should probably investigate using the WordPress image API rather than trying to use a separate script. You can use the add_image_size() function to register a new image size (cropped or proportional); you can use the wp_get_attachment_image_src() function to retrieve an image at any size (you can provide a registered image-size name, or you can provide an array of width and height to retrieve the nearest-sized image and size it using CSS or HTML); and you can use a plugin like Regenerate Thumbnails to clear out the existing cache of images and recreate all of the images at the newly registered sizes.