post-page

TimThumb Security Vulnerability

6
responses
heading
heading
heading
6
Responses

 

Comments

  1. Oliver says:

    Hi, thanks for the info.

    Just my 0.02$, I think you’d be making the community a service with an additional information : how can we MANUALLY check if our theme resorts to the TimThumb function, or not.

    • Network Geek (21 comments.) says:

      Did you check the links in the post? If you follow the link to the listed themes, you’ll notice a pattern that may help you determine whether or not the theme you use includes TimThumb. It’s not a *definitive* answer, to be sure, but it looks like most of the effected themes include a “timthumb.php” file. Also, since it makes a cache directory that’s being exploited, it seems like if the theme in question has made an image cache directory, you might want to dig a little deeper into the code to find out for sure.

      Also, the link to the person who found the vulnerability includes “a fix and instructions to detect any lingering hacks.”
      So, that seems like it would have the answer to your concern.

  2. Aarav (1 comments.) says:

    Thanks for this post. I just checked out the article at vaultpress and modified my blog accordingly. After having my blog hacked just last month I am getting real active in finding posted vulnerabilities and taking corrective action, something I was lazy about earlier and paid for it the hard way…

  3. Robert says:

    The plugin WP Mobile Detector also uses the timthumb script

  4. Parag (1 comments.) says:

    It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  5. Robert says:

    Had lost 2 hours on this. Here is my solution:

    Server didn’t return the right DOCUMENT_ROOT, so in thumb.php I had to add

    $_SERVER[“DOCUMENT_ROOT”] = ‘/domains/www/public_html';

    In my case I’ve looked for the DOCUMENT_ROOT with
    echo getcwd();



Obviously Powered by WordPress. © 2003-2013

page counter
css.php