Closed GoogleCodeExporter closed 9 years ago
Technically TimThumb doesn't require this. Change the cache directory in the
code to whatever you like. Of course that's not a perfect solution (or even a
sensible solution), but it is possible.
That said, I agree with the concept of hiding the cache directory, but I am not
sure how to do this in a way that will work consistently on all servers. For
instance I tried to use sys_get_temp_dir on my test server and it said I didn't
have permission to write to that directory. This may be an unusual case but
TimThumb should always work on a default server setup.
Need to think on this. Open to any suggestions you have
Original comment by BinaryMoon
on 3 Aug 2011 at 2:11
I'm not sure I fully agree with the statement about the writable folder always
making timthumb insecure. Yes, it's not advisable though.
Another direction to resolve this would be to make the cache file names
unpredictable to an outsider. Currently the md5 hash is performed using known
parameters, but if you throw a secret (but consistent) parameter into the mix -
you effectively make the filename extremely difficult (in practical terms,
impossible) to guess.
For the secret element - on wordpress you can use one of the secret strings in
wp-config (NONCE_KEY, SECURE_AUTH_KEY etc). If those are not accessible you can
even generate one when timthumb is installed and store it in a file that won't
expose it (perhaps an include php file with only one define statement?).
p.s. If you wish to make the hash generation even better, then use hmac (e.g.
with sha1) instead of md5. There are some attacks on naive secret-key hashes
which hmac handles for you and it's still very fast.
Original comment by y...@gingerlime.com
on 5 Aug 2011 at 8:03
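The keyed-filename idea from the comment above, written out as an added example. This is not TimThumb's own code: the secret-file path, the `timthumb_*` function names and the `TIMTHUMB_CACHE_SECRET` constant are this example's assumptions, and it needs PHP 7 or later for `random_bytes()` and scalar type hints.

```php
<?php
// Added example (not TimThumb's code): derive an unguessable cache filename by
// keying the hash with a secret. An outsider knows every request parameter, so
// an unkeyed md5 of those parameters can be recomputed by anyone; an HMAC with
// a secret key cannot.

// Hypothetical location for a generated secret (used only when no WordPress
// salt constant is available).
const CACHE_SECRET_FILE = __DIR__ . '/timthumb-secret.php';

function timthumb_cache_secret(): string {
    // Prefer a WordPress salt if wp-config.php has already been loaded.
    foreach (['NONCE_KEY', 'SECURE_AUTH_KEY'] as $name) {
        if (defined($name) && constant($name) !== '') {
            return constant($name);
        }
    }
    // Otherwise generate one once and keep it in a .php file holding a single
    // define(): a direct request for that file executes it and returns nothing,
    // instead of disclosing the secret the way a .txt or .ini file would.
    if (!is_file(CACHE_SECRET_FILE)) {
        $secret = bin2hex(random_bytes(32));
        $php = "<?php\ndefine('TIMTHUMB_CACHE_SECRET', '" . $secret . "');\n";
        file_put_contents(CACHE_SECRET_FILE, $php, LOCK_EX);
    }
    require_once CACHE_SECRET_FILE;
    return TIMTHUMB_CACHE_SECRET;
}

function timthumb_cache_filename(array $params, string $secret): string {
    // Canonicalise the parameters so the same request always maps to the same
    // file regardless of query-string order, then compute the keyed hash.
    ksort($params);
    $canonical = http_build_query($params);
    // hash_hmac() is the HMAC construction the comment recommends; using it
    // instead of md5($secret . $canonical) avoids length-extension style
    // attacks on naive secret-prefix hashes.
    return hash_hmac('sha1', $canonical, $secret) . '.txt';
}

// Usage (assumed call site): the cache key for the current request.
// $cacheFile = $cacheDir . '/' . timthumb_cache_filename($_GET, timthumb_cache_secret());
```

One caveat worth noting: if the secret file is ever regenerated (for example on reinstall), every existing cache filename changes and the old files become orphaned, so the cache cleaner should also remove files it can no longer map to a request.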
I'm chatting to Ben about bringing in wordthumb to timthumb as version 2, so I
thought I'd post here...
I've switched back to a public cache for compatibility.
I'm salting the md5s with the mtime of the script and its inode.
I'm also prepending a fixed length <?php die("Execution denied!"); ?> record to
the start of every cached image and stripping it off when serving them.
So all this combined with .txt file extensions makes me fairly confident it's
secure, even if a hacker can get a directoryIndex on a badly configured server.
It's available on the download page of http://code.google.com/p/wordthumb/ but
code.google won't let me do a push right now - seems to be down. So trunk still
has older code in it.
Original comment by mmaun...@gmail.com
on 5 Aug 2011 at 6:53
ok code.google is back up so the source is here:
http://code.google.com/p/wordthumb/source/browse/wordthumb.php
See:
line 144 where the salt is created
line 208 where the salt is used
line 633 which creates a temporary file to add the fixed length record because
imagejpeg and friends don't work with filehandles.
line 816 where I strip the record back off before serving and do it without
slurping the whole file into memory.
Original comment by mmaun...@gmail.com
on 5 Aug 2011 at 7:08
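The two comments above describe prepending a fixed-length `<?php die("Execution denied!"); ?>` record to every cached image (via a temporary file, since `imagejpeg()` wants a filename) and stripping it off again when serving without reading the whole file into memory. The following is an added example of that technique, not wordthumb's own code from the linked lines: the `cache_store` and `cache_serve` names, the callback style for rendering and the MIME handling are this example's assumptions.

```php
<?php
// Added example (not wordthumb's code): write a cached image behind a
// fixed-length PHP "die" record and serve it with the record stripped.
// If a misconfigured server ever executes the cache file as PHP, the record
// runs first and stops execution before any attacker-supplied image bytes.

const CACHE_RECORD = '<?php die("Execution denied!"); ?>';

function cache_store(string $path, callable $writeImage): void {
    // imagejpeg()/imagepng() take a filename, not an offset into an open
    // handle, so render to a temporary file first and copy it after the record.
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    $writeImage($tmp); // e.g. function ($f) use ($im) { imagejpeg($im, $f, 90); }

    $out = fopen($path, 'wb');
    $in  = fopen($tmp, 'rb');
    fwrite($out, CACHE_RECORD);
    stream_copy_to_stream($in, $out); // streams in chunks, never slurps the image
    fclose($in);
    fclose($out);
    unlink($tmp);
}

function cache_serve(string $path, string $mime): bool {
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    // Check that the record is really present: a file without it was not
    // written by this code and must not be served from the cache.
    $header = fread($fh, strlen(CACHE_RECORD));
    if ($header !== CACHE_RECORD) {
        fclose($fh);
        return false;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (filesize($path) - strlen(CACHE_RECORD)));
    // The handle is positioned just past the record, so fpassthru() sends only
    // the image bytes and does it without loading the file into memory.
    fpassthru($fh);
    fclose($fh);
    return true;
}

// Usage (assumed): $im is a GD image resource for the resized thumbnail.
// cache_store($cacheFile, function ($f) use ($im) { imagejpeg($im, $f, 90); });
// cache_serve($cacheFile, 'image/jpeg');
```

Because the record is a fixed length, the offset to skip is a constant and `Content-Length` can be computed from `filesize()` alone; the `.txt` extension from the comment above is the second layer, so that a server which does not execute `.txt` files returns the bytes as text rather than running them.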
Web accessible cache is now secure.
Original comment by mmaun...@gmail.com
on 5 Aug 2011 at 10:23
Original issue reported on code.google.com by
mmaun...@gmail.com
on 2 Aug 2011 at 7:53