TimThumb Vulnerability (again)

After the first TimThumb vulnerability, which allowed attackers to upload image thumbnails containing executable code and resulted in millions of websites being infected, another vulnerability has been found.

The TimThumb webshot feature allows commands to be executed without any authorization! This can include creating, editing or removing any files on your server.

TimThumb is used within many themes and plugins that are active today. WooThemes seem to use TimThumb in almost all of their themes.

Don’t panic just yet as the webshot feature is disabled by default in all WooThemes as well as most other themes and plugins that use it.

How to protect yourself

You can run the following command to locate any vulnerable files:

find / -name '*.php' -exec grep -l WEBSHOT_ENABLED {} \;

Add the following to your wp-config.php to disable webshot:

define('WEBSHOT_ENABLED', false);

If you are affected, check with the theme or plugin developer to see when they will release an update.
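As an added example (not code from the original post), the following POSIX shell functions carry out the two steps above as an audit: they list every PHP file under a WordPress install that mentions WEBSHOT_ENABLED, check whether each file itself switches webshot on, and honour the wp-config.php override. The make_demo_install fixture is constructed for demonstration and is not a real theme.

```shell
#!/bin/sh
# Audit a WordPress install for TimThumb copies and report whether the
# webshot feature is enabled. Assumes the usual layout with wp-config.php
# in the install root (an assumption; adjust the path otherwise).

# Print every PHP file under $1 that mentions WEBSHOT_ENABLED, one per line.
find_timthumb_files() {
    find "$1" -type f -name '*.php' -exec grep -l 'WEBSHOT_ENABLED' {} \;
}

# Return 0 if the file defines WEBSHOT_ENABLED as true, 1 otherwise.
# Only the literal in the given file is inspected; TimThumb guards its own
# define with if(!defined(...)), so an earlier define wins at runtime.
webshot_enabled_in() {
    grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Return 0 if wp-config.php under $1 carries the disabling override.
webshot_disabled_globally() {
    [ -f "$1/wp-config.php" ] &&
    grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)" "$1/wp-config.php"
}

# Print the TimThumb copies under $1 that are exposed: webshot turned on in
# the file and no global override in wp-config.php. Prints nothing if clean.
list_exposed() {
    root="$1"
    if webshot_disabled_globally "$root"; then return 0; fi
    find_timthumb_files "$root" | while IFS= read -r f; do
        if webshot_enabled_in "$f"; then printf '%s\n' "$f"; fi
    done
}

# Build a small constructed install (two themes, one with webshot on) for
# trying the audit offline; prints the temporary directory it created.
make_demo_install() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo-on" "$d/wp-content/themes/demo-off"
    printf '<?php if(!defined("WEBSHOT_ENABLED")) define ("WEBSHOT_ENABLED", true);\n' \
        > "$d/wp-content/themes/demo-on/timthumb.php"
    printf '<?php if(!defined("WEBSHOT_ENABLED")) define ("WEBSHOT_ENABLED", false);\n' \
        > "$d/wp-content/themes/demo-off/timthumb.php"
    printf '<?php define("DB_NAME", "wp");\n' > "$d/wp-config.php"
    printf '%s\n' "$d"
}

# Usage on a real site: . ./timthumb-audit.sh; list_exposed /var/www/html
```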

Advice from TimThumb Developers

“Don’t use TimThumb”

“I no longer maintain it”

“there’s just better ways now”

“WordPress has had support for post thumbnails for ages now – and I use these all the time in my themes. I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011.”

View the announcement from TimThumb developers.
