Just my $0.02, I think you’d be doing the community a service with some additional information: how can we MANUALLY check whether our theme resorts to the TimThumb function or not?
Did you check the links in the post? If you follow the link to the listed themes, you’ll notice a pattern that may help you determine whether or not the theme you use includes TimThumb. It’s not a *definitive* answer, to be sure, but it looks like most of the affected themes include a “timthumb.php” file. Also, since it makes a cache directory that’s being exploited, it seems like if the theme in question has made an image cache directory, you might want to dig a little deeper into the code to find out for sure.
Also, the link to the person who found the vulnerability includes “a fix and instructions to detect any lingering hacks.”
So, that seems like it would have the answer to your concern.
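A manual check along the lines described in the reply above, as an added example that is not part of the original post or of any commenter's reply: it walks a WordPress tree for files named timthumb.php or thumb.php, for other PHP files that mention TimThumb (a heuristic for renamed copies), and for cache directories worth a closer look. It assumes only POSIX find, grep and sed; the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans a WordPress
# install for signs that a theme or plugin bundles TimThumb.
# usage: scan_timthumb /path/to/wordpress

scan_timthumb() {
    root="$1"
    {
        # 1. files carrying the script's usual names
        find "$root" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) \
            | sed 's/^/SCRIPT  /'
        # 2. other PHP files that mention TimThumb (heuristic for renamed copies
        #    or wrappers that include the script)
        find "$root" -type f -iname '*.php' \
            ! -iname 'timthumb.php' ! -iname 'thumb.php' \
            -exec grep -il 'timthumb' {} + 2>/dev/null \
            | sed 's/^/MENTION /'
        # 3. cache directories: TimThumb writes resized images into one,
        #    so their presence is a reason to read the surrounding code
        find "$root" -type d -iname 'cache' | sed 's/^/CACHE   /'
    } | sort
}

# number of findings, convenient for scripting a yes/no answer
timthumb_hits() {
    scan_timthumb "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one theme shipping timthumb.php plus a cache
# dir, one plugin wrapping it, and one clean theme (assumed layout).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/demo-theme/cache" \
             "$dir/wp-content/themes/clean-theme" \
             "$dir/wp-content/plugins/demo-plugin"
    echo '<?php /* constructed stand-in for timthumb.php */' \
        > "$dir/wp-content/themes/demo-theme/timthumb.php"
    echo '<?php require_once "timthumb.php"; /* wrapper around TimThumb */' \
        > "$dir/wp-content/plugins/demo-plugin/resize.php"
    echo '<?php echo "nothing here";' \
        > "$dir/wp-content/themes/clean-theme/functions.php"
    echo "$dir"
}

if [ -n "${1:-}" ]; then
    scan_timthumb "$1"
fi
```

A hit only says the script is present; whether that copy is the vulnerable version still has to be confirmed by reading it.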
Thanks for this post. I just checked out the article at vaultpress and modified my blog accordingly. After having my blog hacked just last month I am getting really active in finding posted vulnerabilities and taking corrective action, something I was lazy about earlier and paid for the hard way…
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time.
James began using WordPress in 2004. Being new to WordPress (and blogging in general), he quickly found the WordPress Support Forums and basically never left. James currently resides in sunny Southern California, where he enjoys bringing happiness to millions of WordPress.com users.
Hi, thanks for the info.
The plugin WP Mobile Detector also uses the timthumb script.
Had lost 2 hours on this. Here is my solution:
The server didn’t return the right DOCUMENT_ROOT, so in thumb.php I had to add
$_SERVER["DOCUMENT_ROOT"] = '/domains/www/public_html';
In my case I’ve looked for the DOCUMENT_ROOT with
echo getcwd();