TimThumb vulnerability

The TimThumb script, which is used to generate thumbnails in many WordPress themes, including this one, has a security vulnerability. (Reported by WPCandy, VaultPress and Sucuri.)

[quote cite="John Ford, Vaultpress"]“The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.” [/quote]

My response to it is $%^#@! The script is built into the theme. I have edited it to prevent arbitrary file upload, but I really need to disable it altogether, and removing it breaks the theme. I don’t want to upload a new theme. I like this theme. I like the giant menu and the featured posts carousel. I like the home page layout.

:rocks back and forth:

It seems that either we can have a commercial theme with fancy bells and whistles and have security problems, or we can have something very simple like Hybrid and have no security problems.

Comments

  1. That sucks! :(

  2. I’ve been using the 2011 theme for a few weeks now. I need to poke into the code and customize more, but it’s a pretty straight forward theme overall and seems like it would be easy to tweak.

    • Normally, I don’t mind poking into code. Right now, though, it seems like pushing semi up the mountain. I’ll do it. I just don’t like it. And I like my damn giant menu.

    • I might just buy the uber-menu plugin and save myself the pain of trying to figure out how to do it.

  3. Sarafina says:

    Ilona, with all the software problems, moving, having a husband, teenage girls, being in Texas, I am just in awe you manage to do any writing at all.

    You aren’t sleeping, are you.

  4. Ew! :( I like this layout!

    Destroy the nasty script w/ Slayer!! uh, sorry, I got carried away :P

    You’ll figure out something, you always do!

  5. Christoph says:

    According to http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ , you’re only vulnerable if your timthumb.php has entries in the `$allowedSites` array; you should probably also disallow scripts within the cache directory via something like the `Options -ExecCGI` Apache directive

    • Christoph says:

      the current version of the script (available from http://code.google.com/p/timthumb/ ) also uses a the .txt extension for any cached files, making them non-executable in standard server configurations; however, I still recommend to disallow scripting in the cache directory via server configuration

      • I nuked the array this morning. (That’s when I caught up on WordPress reading.) And I made sure that define( 'ALLOW_EXTERNAL', false );

        “you should probably also disallow scripts within the cache directory via something like the `Options -ExecCGI` Apache directive”

        Thank you! This is a little above my head, but I will goggle it tonight and try to make it happen. :)

        • Christoph says:

          It’s been a long time since I’ve done any web development, and I never had to administer a server myself, so there might be a better way to handle the issue, but this is how I’d do it:

          Placing the following snippet within the global server configuration file (normally called `httpd.conf`) should prevent malicious code from executing:

          # replace the path with the TimThumb cache directory of your theme
          <Directory "/path/to/wordpress/wp-content/themes/YOUR-THEME/cache">
              # disallow changing options with a .htaccess file within the cache directory
              AllowOverride None

              # disable all extra features, including CGI scripting
              # prevents malicious code from running
              Options None

              # don't let users browse cached files
              # prevents the attacker from triggering script execution
              Deny from all

              # explicitly disable php - shouldn't be necessary, but just in case ;)
              php_flag engine off
          </Directory>

          If you don’t have access to the server configuration, you could take the lines within and place them into a file called `.htaccess` in the cache directory. However, this is the inferior solution from a security standpoint.

      • I do have to wonder about the need for TimThumb in commercial themes. Why not use the WordPress resizing? I would’ve rather paid more for the theme but had it secure.
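As an added example (not code from this post, from any commenter, or from TimThumb itself), the following Python script checks the two settings the thread discusses: whether a `timthumb.php` still lists remote hosts in `$allowedSites` while `ALLOW_EXTERNAL` is not set to false, and whether the cache directory's `.htaccess` carries the directives from Christoph's snippet. Both sample inputs are constructed, and the script assumes the plain `$allowedSites = array(...)` and `define('ALLOW_EXTERNAL', ...)` forms; other PHP layouts are reported as not found.

```python
"""Read-only audit of the TimThumb settings discussed in the comments above.

Check 1: remote-fetch configuration in timthumb.php ($allowedSites, ALLOW_EXTERNAL).
Check 2: hardening directives in the cache directory's .htaccess.
Assumption: the PHP uses the plain `$allowedSites = array(...)` and
`define('ALLOW_EXTERNAL', ...)` forms found in the stock script.
"""
import re

# Constructed sample: a timthumb.php fragment that still trusts remote hosts.
SAMPLE_TIMTHUMB = r"""<?php
define ('ALLOW_EXTERNAL', TRUE);
$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
);
"""

# Constructed sample: a hardened .htaccess for the cache directory
# (AllowOverride is server-config only, so it is not expected here).
SAMPLE_HTACCESS = """# disallow scripts in the cache directory
Options None
Deny from all
php_flag engine off
"""

ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)
ALLOW_EXTERNAL_RE = re.compile(
    r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(true|false)\s*\)", re.I
)
STRING_RE = re.compile(r"['\"]([^'\"]*)['\"]")

# Directives from the thread that a cache-directory .htaccess should carry.
REQUIRED_DIRECTIVES = {
    "Options None": re.compile(r"^\s*Options\s+None\b", re.M | re.I),
    "Deny from all": re.compile(r"^\s*Deny\s+from\s+all\b", re.M | re.I),
    "php_flag engine off": re.compile(r"^\s*php_flag\s+engine\s+off\b", re.M | re.I),
}


def audit_timthumb(source):
    """Return the remote-fetch settings found in a timthumb.php source string."""
    sites = []
    m = ALLOWED_SITES_RE.search(source)
    if m:
        sites = STRING_RE.findall(m.group(1))
    allow_external = None  # None: no define() present (older script versions)
    m = ALLOW_EXTERNAL_RE.search(source)
    if m:
        allow_external = m.group(1).lower() == "true"
    # Per the thread: remote fetching needs allowed hosts, and ALLOW_EXTERNAL
    # set to false switches it off regardless of the list.
    remote_fetch_possible = bool(sites) and allow_external is not False
    return {
        "allowed_sites": sites,
        "allow_external": allow_external,
        "remote_fetch_possible": remote_fetch_possible,
    }


def missing_cache_directives(htaccess_text):
    """Return the hardening directives from the thread that the text lacks."""
    return [name for name, rx in REQUIRED_DIRECTIVES.items() if not rx.search(htaccess_text)]


if __name__ == "__main__":
    print("timthumb.php:", audit_timthumb(SAMPLE_TIMTHUMB))
    print("cache .htaccess missing:", missing_cache_directives(SAMPLE_HTACCESS))
```

Run it against the real files by reading them into `audit_timthumb` and `missing_cache_directives`; a result with `remote_fetch_possible` true, or a non-empty missing list, is what the comments above say to fix. The .htaccess check is a textual one: it cannot tell whether the server honours the file at all, which is why Christoph prefers the `httpd.conf` version.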

  6. I’m so computer ignorant that this is all over my head, but I do really like your layout. I hope you can save it without too much work.

  7. I don’t know up from down on what this is all about, but I can say, Ilona, your sad little chibi is precious. ;)

    • Sunscented says:

      I 2nd Wont. Where are you getting all the awesome Ilona & Gordon chibis? I know you’d posted a link a while back, but did that person do all of these different poses for you?

  8. Ilona and Christoph are more smarterer than me.

  9. I feel as though my brain exploded. I may have a PhD in chem – but I am blonde in this LOL

    Good luck!

  10. Ouch, my brain hurts now. *L*

  11. It seems like “fighting with WP” is like banging your head against a wall. I just use it for a small PTA website and it drives me batty! Couldn’t imagine using it for something as cool as this site. I feel for you.

  12. Hannah and Randi says:

    Will there be another Curran P.O.V. coming out soon? (Hannah’s words, not mine; I’m just kid 1 in the family.)

  13. I’ll be back with a link to the code to change, it’s really, really easy Ilona

  14. http://wpmu.org/timthumb-zero-day-vulnerability-affects-hundreds-of-wordpress-themes/

    I went into my editor and my timthumb.php folder and deleted the entire code and replaced with the new updated code.

  15. Aww I’m sorry you have theme problems :( Hopefully these smart people offering wise suggestions have been able to help you though!

  16. Go to page:
    http://timthumb.googlecode.com/svn/trunk/timthumb.php

    Read the comments there if you want to customize some features before you use it to replace the code on your themes which include timthumb.php.

    On your blog’s dashboard, go to Appearance > editor > thumb.php. Then, do Control A over the code, then, delete all the code.

    Replace the deleted code with the one provided on the page mentioned above (or the customized copy)

    Save Changes.

    Do that to all the themes that include
    timthumb.php

    Hope that helps,

    Hector Vargas
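For a site you can reach over a shell rather than only through the dashboard editor, the same replacement can be done for every theme at once. The following Python script is an added example, not Hector's or TimThumb's code: it walks the themes directory, finds every copy named `timthumb.php` or `thumb.php` (the two names used in the comments), keeps a `.bak` of each outdated copy, and overwrites it with an updated script you have already downloaded to a local path. The demo tree and file contents it builds are constructed; the `run_demo` helper exists only so the script can be tried offline.

```python
"""Replace every TimThumb copy under a WordPress themes directory (added example).

Assumptions: the updated timthumb.php has already been downloaded to a local
path, and theme copies are named timthumb.php or thumb.php. Outdated copies are
backed up next to the original before being overwritten; copies that already
match the updated file are left alone, so the script is safe to re-run.
"""
import hashlib
import os
import shutil
import tempfile

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_timthumb_copies(themes_dir):
    """Walk the themes directory and return every file named like TimThumb."""
    hits = []
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if name in TIMTHUMB_NAMES:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def replace_timthumb_copies(themes_dir, updated_script, dry_run=False):
    """Replace outdated copies with updated_script.

    Returns (replaced, already_current): lists of paths. With dry_run=True
    nothing is written, only reported.
    """
    new_hash = sha256_of(updated_script)
    replaced, current = [], []
    for path in find_timthumb_copies(themes_dir):
        if sha256_of(path) == new_hash:
            current.append(path)
            continue
        if not dry_run:
            shutil.copy2(path, path + ".bak")  # keep the old copy for rollback
            shutil.copyfile(updated_script, path)
        replaced.append(path)
    return replaced, current


def run_demo():
    """Build a constructed themes tree in a temp dir, run the replacement twice, report counts."""
    base = tempfile.mkdtemp(prefix="timthumb-demo-")
    try:
        themes = os.path.join(base, "wp-content", "themes")
        for theme, name in (("theme-a", "timthumb.php"), ("theme-b", "thumb.php")):
            os.makedirs(os.path.join(themes, theme))
            with open(os.path.join(themes, theme, name), "w") as f:
                f.write("<?php // constructed: outdated copy\n")
        updated = os.path.join(base, "timthumb-updated.php")
        with open(updated, "w") as f:
            f.write("<?php // constructed: updated copy\n")
        first = replace_timthumb_copies(themes, updated)
        second = replace_timthumb_copies(themes, updated)  # nothing left to do
        backups = sum(
            name.endswith(".bak") for _r, _d, files in os.walk(themes) for name in files
        )
        return {
            "replaced_first": len(first[0]),
            "current_first": len(first[1]),
            "replaced_second": len(second[0]),
            "current_second": len(second[1]),
            "backups": backups,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(run_demo())
```

Run `replace_timthumb_copies(themes_dir, updated_script, dry_run=True)` first to see what would change. The `.bak` files are not served as PHP, but they still hold the old script, so move them out of the web root once the new copies are confirmed working.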