16 Comments

  1. Ryan Hellyer

    I guess this will be happening a long time into the future.

    Thanks for the link to http://codegarage.com/, I hadn’t heard of them before. Looks like an interesting service, although the “backups kept for 30 days” business seems a bit crappy. I’d want access to much older backups in case I didn’t notice a problem for more than 30 days (entirely possible if something subtle was altered).


  2. Stijn

    TimThumb exploits can be a pain in the ass. Took me nearly to weeks to really get to that bottom of it. And still, the problems only ended when I stopped using the script.


  3. chrismccoy

    I use/used a shell script that will download a fresh copy of TimThumb for all sites that use it; it was a way to replace it without a headache.

    # Fetch the current upstream copy of timthumb.php into the home directory
    wget -q -O ~/newtim.php http://timthumb.googlecode.com/svn/trunk/timthumb.php
    # Overwrite every timthumb.php below the current directory with the fresh copy
    find . -name "timthumb.php" -exec bash -c "echo patching {} && cp ~/newtim.php {}" \;
    # Clean up the downloaded copy
    rm ~/newtim.php

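An added example (not the commenter's script or any project's code) that complements the blind find-and-copy approach above: it inventories every timthumb.php under a directory and reports the ones declaring a VERSION older than a given release, so a replacement can be targeted and reviewed first. The sample site tree is constructed inline; the VERSION constant format assumed is the `define ('VERSION', '...');` line TimThumb ships with.

```shell
#!/bin/sh
# Inventory timthumb.php copies and flag those older than a reference version.

# Print the VERSION constant declared in a timthumb.php file (empty if none).
timthumb_version() {
    sed -n "s/.*define *( *'VERSION' *, *'\([0-9.]*\)' *).*/\1/p" "$1" | head -n 1
}

# Return 0 (true) when dotted version $1 is strictly older than $2.
version_older() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# List every timthumb.php under $1 that is older than $2 or has no version at all,
# one "path<TAB>version" line each. A missing version is reported as "unknown".
find_outdated() {
    find "$1" -name 'timthumb.php' -type f 2>/dev/null | while IFS= read -r f; do
        v=$(timthumb_version "$f")
        if [ -z "$v" ] || version_older "$v" "$2"; then
            printf '%s\t%s\n' "$f" "${v:-unknown}"
        fi
    done
}

# Constructed sample tree: three copies at different states, under a temp dir.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site-a/wp-content/themes/x" "$d/site-b/wp-content/plugins/y" "$d/site-c/img"
    printf "<?php\ndefine ('VERSION', '1.32');\n"   > "$d/site-a/wp-content/themes/x/timthumb.php"
    printf "<?php\ndefine ('VERSION', '2.8.14');\n" > "$d/site-b/wp-content/plugins/y/timthumb.php"
    printf "<?php\n// header stripped, no version constant\n" > "$d/site-c/img/timthumb.php"
    printf '%s\n' "$d"
}

# Usage: find_outdated /var/www 2.8.14   (reference version is an assumed example value)
```

Run find_outdated against the web root with the version you intend to deploy; a copy with no recoverable version is listed too, since a stripped or modified header is itself worth inspecting.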

  4. Steve Bank

    This continues to expose issues with the THEME > PLUG-IN model that WordPress employs.

    If the core could handle a correlation between themes and the plug-ins, then frameworks and child-like functionalities could be updated without any harm to theme/template/core versioning.

    Sadly plug-in functionality is consistently overwritten by theme functionality, even when that has nothing to do with templating/front-end. It completely falls foul of the most basic MVC-type separation of data, formatting and processing. Thus almost every theme front-loads its functionality into the VIEW aspect rather than the CONTROLLER.

    For WordPress users who are not plugged in to the core or development, that makes it exceptionally difficult to keep both up to date and track of. In the short term (1 day) this was a TimThumb issue; in the long term, it’s a WordPress Core issue about the management of its data. A decision that has completely gone the way of WP.com and bloggers.

    I’m secretly laughing because when I googled for an article I read which backed this up it came from “he who shall not be named” 14 months ago: http://kevinjohngallagher.com/2011/03/now-theme-disconnect/


  5. Mitch Canter

    I’ve had to de-hack quite a few of these, and I found a plug-in in the repository that will 1) Scan, 2) Fix, and 3) Alert you of any vulnerabilities.

    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/


  6. Brian Krogsgard

    This is why it is important to use themes with auto-upgrade capabilities. It’s a good thing that Envato recently released a toolkit to help their theme developers use auto-upgrade notifications, as they are a huge source of themes that never get updated.

    http://notes.envato.com/general/envato-wordpress-toolkit/


  7. Peter Butler

    Hey Ryan –

    Peter from Codegarage here.

    We hear you. Longer backup retention periods in some form (i.e. daily backups to 30 days, monthly backups up to a year) are on our list, and I’m hoping we’ll have it implemented within the next 6 weeks or so. Thanks for having a look!


  8. Smokey Ardisson

    Be sure to read the tips that Dan and his security adviser provide on protecting your site.

    I’m not familiar with the eSarcasm site, so it’s not obvious to me where on that site to find these tips you’ve mentioned—and there doesn’t seem to be a direct link to them in your article :-(


  9. Michael

    This is why I stopped using the script altogether. Why take the risk … it is always being updated, which is a pain, and you are never sure if it is stable or not and for how long.


  10. TimThumb Vulnerability Still in the Wild « Weblog Tools Collection

    […] 10th, 2012 in WordPress The TimThumb vulnerability is still in the wild as another major site fell victim to it just yesterday. As sad as this situation may be, it just goes to show that some sites may still be running the […]


  11. Chip Bennett

    Note: the Theme Check Plugin will also alert that a Theme is using TimThumb.

    This is the Plugin used by the Theme Review Team, and TimThumb alerts as a warning-level notice, which means that a Theme with TimThumb bundled won’t even pass the Theme Repository uploader script checks. Themes using TimThumb are no longer accepted in the official repository, so if you want to be certain that you are not vulnerable, I recommend using a Theme from the official repository.


  12. Mitch Canter

    @Brian Krogsgard – It’s a little off topic, but there’s also a plugin called Theme Updater that will allow anyone who hosts their themes on Github to allow automatic updates through the use of Git Tags. That way any security patches can be fixed and pushed out even if the theme isn’t in the official Repo.

    I think that a non-repo third-party service that verifies themes that are deemed “safe” would be useful, especially since a lot of the best themes use non-GPL compliant parts (Shadowbox, Skeleton Framework, just to name a few)


  13. Brian Krogsgard

    @Mitch Canter – that’s a good one to note! thanks.


  14. Mitch Canter
  15. Erik

    Lol. I was just contracted to clean a multisite (192 sub-blogs total) hit with the TimThumb exploit not more than 5 days ago… Problem was an out-of-date script in the Nivo Slider plugin (outdated version)… I was astounded that people don’t update regularly.. or backup for that matter..

    Funny thing is, that after the site was infected, it ran probes on a long list of dreamhost accounts for the same timthumb exploit…


  16. Pearson

    If you have ever used Swift Theme you need to check your image folder. I discovered TimThumb files left behind after I deleted the theme.

