PHPackages: ctrbts/secure-timthumb

Active library · Category: [Image & Media](/categories/media)

ctrbts/secure-timthumb
======================

A secure, modern, drop-in replacement for the legacy TimThumb PHP script.

v3.0.0 (5mo ago) · MIT · PHP >=7.4

Since Nov 29 · Pushed 5mo ago

[Source](https://github.com/ctrbts/secure-timthumb) · [Packagist](https://packagist.org/packages/ctrbts/secure-timthumb) · branch `main`, synced 1mo ago

Secure TimThumb (Modern Refactor)
=================================


A secure, modern rewrite of the `timthumb.php` script. This project aims to provide a drop-in replacement for legacy systems that still rely on TimThumb, mitigating the critical RCE and file inclusion vulnerabilities present in the original version.

⚠️ WARNING: This library is intended for legacy maintenance. For new projects, prefer a modern solution such as Intervention Image or a cloud-based image service.

Key Security Improvements
-------------------------


- Strict MIME Type Checking: Uses `finfo` to validate the file's magic bytes rather than trusting its extension, so a malicious file renamed to `.jpg` is rejected.
- No Webshots: The vulnerable `exec()`-based website screenshot feature has been removed entirely.
- External Sites Disabled by Default: Fetching from external sites must be explicitly enabled via config.
- SSRF Protection: cURL is restricted to the HTTP/HTTPS protocols only, to prevent internal network scanning.
- Cache Execution Prevention: Automatically generates an `.htaccess` in the cache directory to prevent PHP execution there.

Installation
------------

### Option A: Composer (Recommended)

```
composer require ctrbts/secure-timthumb
```

### Option B: Drop-in Replacement (Manual)

1. Download `TimThumb.php` from this repository.
2. Replace your existing `timthumb.php` file.
3. Ensure the *cache* directory exists and is writable by the web server.

Configuration
-------------

You can configure the script by instantiating the class with an array of options (when using it as a library) or by editing the default config array at the top of the `TimThumb.php` file (when using it as a standalone script).

```
// Example Configuration
$config = [
    'allow_external' => true,
    'allowed_sites'  => ['flickr.com', 'staticflickr.com'],
    'max_file_size'  => 5242880, // 5MB
];
```
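The checks listed under Key Security Improvements (magic-byte MIME validation, external sites gated by config, cURL restricted to HTTP/HTTPS, and an `.htaccess` guard in the cache directory), written out against the configuration array above as an added PHP example. This is not the library's own code: it reuses the README's config keys, but the function names, the `cache_dir` key, the allowed MIME list and the subdomain-matching rule for `allowed_sites` are assumptions, and the code targets the README's PHP >=7.4 floor.

```php
<?php
declare(strict_types=1);

// Added example, not the library's code. Config keys follow the README;
// 'cache_dir' is an assumed extra key.
$config = [
    'allow_external' => true,
    'allowed_sites'  => ['flickr.com', 'staticflickr.com'],
    'max_file_size'  => 5242880, // 5MB
    'cache_dir'      => __DIR__ . '/cache',
];

// Assumed allowlist of image types the script is willing to serve.
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

// finfo inspects the magic bytes, so a PHP file renamed to .jpg fails here
// no matter what its extension says. Size is bounded before any decoding.
function isAllowedImage(string $path, int $maxBytes): bool
{
    $size = @filesize($path);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime !== false && in_array($mime, ALLOWED_MIME, true);
}

// External sources: refused unless enabled, the scheme is http/https, and the
// host is an allowed site or a subdomain of one (assumed matching rule).
function isAllowedSource(string $url, array $config): bool
{
    if (empty($config['allow_external'])) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($config['allowed_sites'] as $site) {
        $site   = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site
            || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// cURL handle locked to http/https for the initial request and for every
// redirect, so a 302 cannot switch the fetch to file://, gopher:// etc.
function makeCurlHandle(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    return $ch;
}

// Cache directory guard: deny direct requests for script files that might
// end up in the cache (Apache 2.2 and 2.4 directive forms both covered).
function ensureCacheDir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("Cannot create cache dir: $dir");
    }
    $htaccess = $dir . '/.htaccess';
    if (!file_exists($htaccess)) {
        $rules = "<FilesMatch \"\\.(php|phtml|phar|phps)$\">\n"
               . "  <IfModule mod_authz_core.c>\n    Require all denied\n  </IfModule>\n"
               . "  <IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n  </IfModule>\n"
               . "</FilesMatch>\n";
        file_put_contents($htaccess, $rules, LOCK_EX);
    }
}

// Constructed inputs exercising each branch of the source check.
ensureCacheDir($config['cache_dir']);
var_dump(isAllowedSource('https://farm1.staticflickr.com/a.jpg', $config)); // allowed host
var_dump(isAllowedSource('http://evilflickr.com/a.jpg', $config));          // suffix match without the dot
var_dump(isAllowedSource('file:///etc/passwd', $config));                   // non-HTTP scheme
var_dump(isAllowedSource('http://127.0.0.1:8080/', $config));               // host not on the list
```

The suffix match deliberately prepends a dot, so `evilflickr.com` does not pass as a match for `flickr.com`; a plain `strpos` or `endsWith` on the bare site name would. The MIME check only runs after the download completes, which is why `max_file_size` is enforced on the stored bytes as well as through cURL's timeouts.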

Attribution & Transparency
--------------------------

Maintainer: [Fernando Merlo](https://github.com/ctrbts)

Original Authors: [Ben Gillbanks](https://github.com/bengillbanks) & [Mark Maunder](https://github.com/markmaunder)

**Refactor Note:** This codebase was refactored with the assistance of AI tools to analyze historical security flaws and implement modern PHP security standards (PSR, Strict Types, Exception Handling).

**Disclaimer:** This software is provided "as is", without warranty of any kind. Use at your own risk.

### Health Score

30 (Low; better than 64% of packages)

- Maintenance: 70 (regular maintenance activity)
- Popularity: 2 (limited adoption so far)
- Community: 6 (small or concentrated contributor base)
- Maturity: 35 (early-stage or recently created project)
- Bus Factor: 1 (top contributor holds 100% of commits, a single point of failure)


### Release Activity

- Cadence: Unknown
- Total releases: 1
- Last release: 170d ago

### Community

Maintainers: [ctrbts](/maintainers/ctrbts)

Top Contributors: [ctrbts](https://github.com/ctrbts) (2 commits)

Tags: thumbnail, security, image, gd, TimThumb, legacy-support


### Alternatives

- [intervention/image](/packages/intervention-image): PHP Image Processing
- [sybio/image-workshop](/packages/sybio-image-workshop): Powerful PHP class using GD library to work easily with images including layer notion (like Photoshop or GIMP)
- [intervention/image-laravel](/packages/intervention-image-laravel): Laravel Integration of Intervention Image
- [james-heinrich/phpthumb](/packages/james-heinrich-phpthumb): The PHP thumbnail generator
- [folklore/image](/packages/folklore-image): Image manipulation library for Laravel 5 based on Imagine and inspired by Croppa for easy url based manipulation
- [jbzoo/image](/packages/jbzoo-image): A PHP class that simplifies working with images

PHPackages © 2026

