Sunday, January 29, 2012

Timthumb is a widely used image-resizing script found in many WordPress themes and plugins. A security vulnerability was recently found in it that allowed anyone to upload an arbitrary PHP file into the Timthumb cache directory and execute it, compromising the site.
One way to fix this security issue with timthumb is to not use timthumb at all: just delete it, but make sure that your theme or plugin works without it.
If your theme or plugin depends on timthumb heavily and you must keep it, here is the procedure to fix this vulnerability.
• First download the latest version of timthumb from this link. Rename it from timthumb.php.txt to timthumb.php.
• Open this newly downloaded file and make sure that ALLOW_EXTERNAL is set to false.
define( 'ALLOW_EXTERNAL', false );
• Now make sure that the $allowedSites array is empty. In your new timthumb file, you will probably find this code:
$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);
Replace it with this code:
$allowedSites = array();
• Now upload this newly downloaded and modified timthumb.php file to your web server, replacing the existing timthumb file.
That’s it. Now you can use the timthumb script safely. If you have any questions about the timthumb security vulnerability or the procedure to fix it, post them below.
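As an added audit script (not part of this post), the following walks a WordPress directory and reports every timthumb.php copy that still has ALLOW_EXTERNAL set to true or a non-empty $allowedSites, so you can confirm the steps above were applied everywhere. The sample file contents are constructed, and matching the uppercase $ALLOWED_SITES spelling is an assumption about later timthumb releases.

```python
"""Audit timthumb.php copies for the two settings this post tells you to change."""
import os
import re
import sys

# Constructed sample: the shipped defaults the post says to change.
SAMPLE_UNSAFE = """<?php
define( 'ALLOW_EXTERNAL', true );
$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);
"""
# Constructed sample: the hardened settings from the post.
SAMPLE_SAFE = """<?php
define( 'ALLOW_EXTERNAL', false );
$allowedSites = array();
"""

# Case-insensitive so both `true`/`TRUE` and the define() spacing variants match.
ALLOW_RE = re.compile(r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(true|false)\s*\)", re.I)
# Matches $allowedSites (this post) and, by assumption, $ALLOWED_SITES in later releases.
SITES_RE = re.compile(r"\$allowed_?sites\s*=\s*array\s*\((.*?)\)\s*;", re.I | re.S)

def audit_source(src):
    """Return a list of human-readable findings for one timthumb.php source text."""
    findings = []
    m = ALLOW_RE.search(src)
    if m is None:
        findings.append("ALLOW_EXTERNAL not defined; check the file manually")
    elif m.group(1).lower() == "true":
        findings.append("ALLOW_EXTERNAL is true; set it to false")
    m = SITES_RE.search(src)
    if m is not None:
        sites = re.findall(r"['\"]([^'\"]+)['\"]", m.group(1))
        if sites:
            findings.append("allowedSites not empty: " + ", ".join(sites))
    return findings

def audit_tree(root):
    """Walk a WordPress install; map each timthumb.php path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == "timthumb.php":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = audit_source(fh.read())
    return report

if __name__ == "__main__":
    for path, found in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(found) if found else "OK")
```

Run it as `python audit_timthumb.py /path/to/wordpress`; a copy with no findings prints OK.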
