[Security] TimThumb disablings


Tuesday, September 27th, 2011 - Security

As we have documented in previous posts (here and here), an exploit for a security hole in the popular TimThumb add-on is making its way around the Internet. TimThumb is common in many WordPress themes.

Lately we have been seeing a lot of hacks as a result of this vulnerability. So many in fact that we are going to have to take measures to protect our servers and our clients from this vulnerability.

Starting today, September 27th 2011, we will be going through the servers and disabling any outdated TimThumb scripts that we find. This may have the adverse effect of disabling the thumbnails and thumbnail creation of your images in your WordPress blog or other scripts. We apologize for this, but the alternative is to risk having your account hacked into through this vulnerability.
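The sweep described above (find each copy of the script, read its declared version, and neutralise the outdated ones without deleting anything the theme developer may later update) can be expressed as a small POSIX shell script. The one below is an added example, not the hosting company's own tooling. It assumes that timthumb.php declares its version with a line of the form `define ('VERSION', 'x.y.z');`, and `MIN_SAFE_VERSION` is a placeholder threshold the administrator sets from the TimThumb project's own advisory; the two sample files written by `make_samples` are constructed for demonstration.

```shell
#!/bin/sh
# Added example: locate TimThumb copies under a document root, classify them by
# declared version, and (with DISABLE=1) make outdated copies unreadable so the
# web server can no longer execute them. Not the host's own script.

# Placeholder threshold (assumption, not from the announcement): set it from the
# project's advisory before running on real data.
MIN_SAFE_VERSION="${MIN_SAFE_VERSION:-2.8.10}"

# Print the version string declared via define('VERSION', '...') in a file,
# or nothing when no such line exists.
timthumb_version() {
    sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Exit 0 when version $1 sorts strictly before version $2, 1 otherwise.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Walk a document root and report every TimThumb copy with its status.
# Outdated copies are chmod 000 (not deleted) when DISABLE=1, so the theme
# developer's updated file can simply replace them later.
scan_timthumb() {
    root="$1"
    find "$root" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null \
    | while read -r f; do
        v=$(timthumb_version "$f")
        if [ -z "$v" ]; then
            echo "UNKNOWN   $f (no VERSION define; inspect manually)"
        elif version_lt "$v" "$MIN_SAFE_VERSION"; then
            echo "OUTDATED  $f (version $v < $MIN_SAFE_VERSION)"
            if [ "${DISABLE:-0}" = "1" ]; then chmod 000 "$f"; fi
        else
            echo "OK        $f (version $v)"
        fi
    done
}

# Constructed sample tree: one outdated theme copy and one up-to-date copy.
make_samples() {
    mkdir -p "$1/themes/old-theme" "$1/themes/new-theme"
    cat > "$1/themes/old-theme/timthumb.php" <<'EOF'
<?php
// constructed sample: an outdated copy
define ('VERSION', '1.09');
EOF
    cat > "$1/themes/new-theme/timthumb.php" <<'EOF'
<?php
// constructed sample: an updated copy
define ('VERSION', '2.8.10');
EOF
}

# Usage (dry run first, then disable):
#   scan_timthumb /home/example/public_html
#   DISABLE=1 scan_timthumb /home/example/public_html
```

Run it once without `DISABLE=1` to review the report; files flagged UNKNOWN carry no version line and need a manual look rather than an automatic decision. Using `chmod 000` instead of renaming keeps the file at its original path (so nothing is served as plain text by accident) while still stopping the web server from executing it.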

WordPress users need to contact the developers of whatever theme they are using on their blog and ensure that they are aware of this TimThumb vulnerability. The fix for this vulnerability will have to come from your theme developer. If the theme you are using is no longer being maintained, then this should be a red flag that this is not a theme you should be using. If the developer refuses to include the updated TimThumb in their theme, then this should also be a red flag for you.

The purpose of all of this is to protect your webhosting account and keep your account from being hacked into.

Steven