10 responses

  1. Friend
    August 3, 2011

    So what’s the vulnerability? Is it only vulnerable if we have external domains added to $allowedSites?

  2. admin
    August 3, 2011

    Yes, at this point that is what is currently known to be vulnerable in it, however, as mentioned, the nature of the script functionality itself makes it risky, and plugins and/or themes will still add things to that list too. See the following for more information: http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/

  3. admin
    August 23, 2011

    For further support in cleaning this up if you have already been hacked because of it, see: http://redleg-redleg.blogspot.com/2011/08/malware-hosted-newportalsecom.html
    And: http://wordpress.org/support/topic/site-hacked-newportalsecom

  4. Mark’s Fat Burning Food and Fitness Blog
    August 27, 2011

    Hey guys,

Imagine you’re talking to someone who knows ZIP about all this (like I do), and he got a msg from the server to this extent:
    This is a courtesy notice that we have found exploitable timthumb.php file(s) on your account. It is highly recommended that you update these files to the latest available version to prevent possible compromise. This is best done by updating all scripts, plugins, modules and themes on your account to the latest version.

    What should I do?

    Thanks a bunch,

    Mark

  5. admin
    August 27, 2011

    Mark,
    You should do what it says.
    1) If you have themes or plugins that need to be upgraded, upgrade them.
    2) If you have any themes or plugins that you are not using, or that you can possibly afford to get rid of, get rid of them. Even if they are not in use, they still make your site vulnerable just by existing… delete them.
    3) Replace your outdated timthumb file.
3a) If you have SSH access, you can find all of your timthumb.php files with the following command: find ~/public_html -name timthumb.php
    (Note that there are other files with the same timthumb code which may not actually be named timthumb.php, so this is not an all-inclusive finder/fixer)
    3b) You can replace your timthumb.php files with the code here: http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php

  6. Neal
    August 27, 2011

    Thanks for all the info. Just wondering how I can check the php version of the timthumb.php file?

    Neal

  7. admin
    August 28, 2011

    You can see the version in the file. Here’s an example:

    define ('VERSION', '2.8');
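The two admin replies above (the find command in reply 5 and the VERSION define in reply 7) can be combined into one check. The script below is an added example, not code from the blog or from the TimThumb project: it walks a web root, picks out PHP files that mention "timthumb" regardless of their file name (the caveat in 3a), reads the version out of each one's `define ('VERSION', ...)` line, and counts how many are older than a version you pass in. It assumes every TimThumb copy contains the word "timthumb" and a VERSION define in the form shown in reply 7; the sample directory tree it builds is constructed for the demo, as is the "1.33" version string used for the renamed copy.

```shell
#!/bin/sh
# Added example, not the blog's or TimThumb's own code.
# Assumption: every TimThumb copy contains the word "timthumb" (any case)
# and a line like   define ('VERSION', '2.8');   as quoted in the reply above.

# Print "path<TAB>version" for every PHP file under $1 that looks like TimThumb.
find_timthumb_files() {
    root="$1"
    find "$root" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        # skip files that never mention timthumb at all
        grep -qi 'timthumb' "$f" || continue
        # pull the quoted value out of the VERSION define, if there is one
        ver=$(grep -i "define *( *'VERSION' *, *'[^']*' *)" "$f" \
              | head -n 1 | sed "s/.*'VERSION' *, *'\([^']*\)'.*/\1/")
        [ -n "$ver" ] || ver="unknown"
        printf '%s\t%s\n' "$f" "$ver"
    done
}

# Count copies whose version is numerically below $2 (e.g. 2.8).
# awk's numeric compare only sees the first two components, so "2.8.10" reads as 2.8.
count_outdated() {
    root="$1"; min="$2"
    find_timthumb_files "$root" | awk -F'\t' -v min="$min" '
        $2 != "unknown" && ($2 + 0) < (min + 0) { n++ }
        END { print n + 0 }'
}

# --- constructed sample tree for the demo; not real site content ---
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/plugins/gallery"
    cat > "$d/wp-content/themes/demo/timthumb.php" <<'EOF'
<?php
// TimThumb script (constructed sample, current version)
define ('VERSION', '2.8');
EOF
    # a renamed copy, which "find -name timthumb.php" would miss
    cat > "$d/wp-content/plugins/gallery/thumb.php" <<'EOF'
<?php
/* timthumb, renamed copy (constructed sample, old version string) */
define ('VERSION', '1.33');
EOF
    cat > "$d/wp-content/themes/demo/functions.php" <<'EOF'
<?php
echo "not a thumbnailer";
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo against the constructed tree; on a real host call
# find_timthumb_files ~/public_html instead.
sample=$(make_sample_tree)
find_timthumb_files "$sample"
echo "copies older than 2.8: $(count_outdated "$sample" 2.8)"
rm -r "$sample"
```

Any path the script lists with a version below the current release (or "unknown") is a candidate for the replacement step in 3b; files it lists under a name other than timthumb.php are exactly the ones the plain find command would have missed.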

  8. Chetan
    October 21, 2011

It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time…

  9. Agneta Nord
    March 24, 2012

    Check your log files, and especially the Raw Access Log for repeated access attempts to the same files in paths you don’t have.

In the case of timthumb.php there are numerous lines trying to access the file in my log.

    Look up the IP, and if it’s static, block it with whatever means you have.
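The log check described in the comment above, as an added example that is not code from the post or its commenters: it reads an Apache-style raw access log, keeps only requests for a timthumb.php path that the server answered with 404 (a path you don't have), and reports each client IP that repeated such requests at least a given number of times, plus the distinct paths that were tried. It assumes the common/combined log format (field 1 is the client address, field 7 the request path, field 9 the status code). The sample log lines are constructed and use RFC 5737 documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the blog or its commenters.
# Assumption: Apache common/combined log format, so in awk
#   $1 = client IP, $7 = request path, $9 = HTTP status.

# Print "ip count" for every IP with at least $2 (default 3) 404 requests
# to a timthumb.php path in log file $1, sorted for stable output.
timthumb_probe_report() {
    log="$1"; min="${2:-3}"
    awk -v min="$min" '
        $7 ~ /timthumb\.php/ && $9 == "404" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) printf "%s %d\n", ip, hits[ip] }
    ' "$log" | sort
}

# List the distinct timthumb.php paths that were requested but do not exist.
probed_missing_paths() {
    awk '$7 ~ /timthumb\.php/ && $9 == "404" { print $7 }' "$1" | sort -u
}

# --- constructed sample log (documentation addresses, not real traffic) ---
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
192.0.2.10 - - [24/Mar/2012:10:00:01 +0000] "GET /wp-content/themes/demo/timthumb.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Mar/2012:10:00:02 +0000] "GET /wp-content/themes/other/timthumb.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Mar/2012:10:00:03 +0000] "GET /wp-content/plugins/gallery/timthumb.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Mar/2012:10:00:04 +0000] "GET /wp-content/themes/demo/timthumb.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Mar/2012:10:05:00 +0000] "GET /wp-content/themes/demo/timthumb.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Mar/2012:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Mar/2012:10:06:01 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo; on a real host point the functions at your raw access log.
sample=$(make_sample_log)
echo "IPs with 3 or more requests for missing timthumb.php files:"
timthumb_probe_report "$sample" 3
echo "paths requested:"
probed_missing_paths "$sample"
rm -f "$sample"
```

The threshold keeps a single stray request from showing up as a repeat offender; an address that reappears across several runs of the log is the one worth looking up and blocking as the comment suggests. A 200 response on one of these paths would mean the file does exist on the site and should go through the version check instead.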

  10. Blog Mark It
    August 20, 2012

Well, this is new to me, but now I know that timthumb is so dangerous, especially for me, a newbie of WordPress. Now, I am trying to find the timthumb code and remove it anyway… thanks for the great lesson :)
