[Security] TimThumb vulnerability – WordPress
Tuesday, August 2nd, 2011 - Security
UPDATE Aug 2, 2011 02:29PM CDT — If you want to know whether your website is vulnerable to this, open a support ticket and our technicians will look at your account and work with you to minimize this threat.
A security issue has been disclosed in the TimThumb project. This vulnerability allows a hacker or malicious user to break into your account.
Information about this vulnerability, including the disclosure, is available at:
Zero Day Vulnerability in many WordPress Themes
This vulnerability is in the timthumb.php file, which is included in a lot of WordPress themes (though it is not necessarily exclusive to WordPress scripts/themes).
Really, this should be addressed by the WordPress theme creators, that is, whoever wrote the WordPress theme you may be using with your WordPress installation, or by the developer of whatever other application you are using. However, as an end-user YOU will need to take responsibility and update your theme or your script to resolve this issue. A developer releasing a new version that fixes this vulnerability does you absolutely no good unless you explicitly upgrade the theme or script.
There is an update to the timthumb.php file, version 1.34, that fixes this vulnerability, and that file is posted on Google Code:
http://code.google.com/p/timthumb
At this time, I am torn on how to react to this. We have a lot of WordPress installations on our servers. I am afraid that not many of these users will update their themes to fix this issue, or that the theme makers themselves will not release a fix in a timely manner. This will result in a lot of WordPress sites being hacked. I could disable the timthumb.php file on the servers; this would mean any website that uses timthumb.php would stop functioning correctly, but it would save those accounts from being hacked and compromised. Right now, I am probably going to wait and see how the theme makers respond to this issue, and hope that they act accordingly and that WordPress and TimThumb users act responsibly and keep their scripts and themes up-to-date.
For WordPress users, I would recommend that you contact the developer or vendor (the website that you downloaded or purchased your WordPress theme from) and ask them whether they are aware of this vulnerability, whether it applies to your WordPress theme, and what their plans are for fixing it.
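As an added example, not code from the original post or from the TimThumb project, here is a POSIX shell script a server administrator could run to inventory every copy of timthumb.php under a web root and flag the ones older than the 1.34 release mentioned above. It assumes each copy declares its version with a line like `define ('VERSION', '1.33');`; that pattern is an assumption made for this example, so check the header of your own copy and adjust the sed expression if it differs. The web root path is a placeholder you supply on the command line.

```shell
#!/bin/sh
# Added example (not part of the original post): list every timthumb.php
# under a directory and flag copies whose VERSION define is older than 1.34.
# Assumption: the file contains a line such as  define ('VERSION', '1.33');

# timthumb_version FILE -> prints the version string found, or "unknown"
timthumb_version() {
  v=$(sed -n "s/.*define *( *[\"']VERSION[\"'] *, *[\"']\([0-9][0-9.]*\)[\"'].*/\1/p" \
        "$1" 2>/dev/null | head -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# version_lt A B -> exit 0 if dotted version A is older than B, else exit 1
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1 }'
}

# scan_timthumb ROOT -> one line per copy: STATUS<TAB>VERSION<TAB>PATH
# STATUS is VULNERABLE (older than 1.34), OK, or UNKNOWN (no version found)
scan_timthumb() {
  find "$1" -type f -name 'timthumb.php' 2>/dev/null | sort |
  while IFS= read -r f; do
    v=$(timthumb_version "$f")
    if [ "$v" = unknown ]; then
      s=UNKNOWN
    elif version_lt "$v" 1.34; then
      s=VULNERABLE
    else
      s=OK
    fi
    printf '%s\t%s\t%s\n' "$s" "$v" "$f"
  done
}

# vulnerable_count ROOT -> prints how many copies are older than 1.34
vulnerable_count() {
  scan_timthumb "$1" | grep -c '^VULNERABLE' || true
}

# Usage: sh timthumb_inventory.sh /path/to/web/root   (path is a placeholder)
if [ "$#" -gt 0 ]; then
  scan_timthumb "$1"
  printf 'vulnerable copies: %s\n' "$(vulnerable_count "$1")"
fi
```

Copies reported as UNKNOWN have no recognisable version line and should be compared by hand against the 1.34 file from the project page; the script only identifies where timthumb.php lives and which copies are out of date, the fix itself is still the theme or script update described above.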
Steven