
Behind the Scenes

How We Keep the Tripawds WordPress Multisite Blog Network Hopping Along

How to Fix TimThumb Theme Script Security Exploit

August 3rd, 2011 · 1 Comment

Don’t panic. Security Breach Averted!

I first learned about the zero-day vulnerability affecting many WordPress themes today on LinkedIn. Plenty has been written about the security flaw found in the timthumb.php script used by many themes, which could result in a serious security breach by allowing the upload of malicious scripts to your server. I won’t go into detail, because these fine folks already have:

See the above links for plenty of information, opinions, and fixes. I’ll just quickly outline what I did to ensure we remained safe here at Tripawds.

  1. Log in to cPanel account for domain
  2. Access File Manager
  3. Search all files for “timthumb”
  4. Note location of file(s) if found
  5. Delete timthumb.php*
  6. Repeat for any other domains

*Note: Deleting the TimThumb script may break certain themes, or at least affect how they manage and display images. I chose to just delete any themes using the script.

If you need the TimThumb script running on your site, upgrade to the latest version; this issue has already been addressed there. If, like me, you find some merit in the many discussions about the safety – or lack thereof – of allowing any script on your server to fetch data from third-party sites, then delete the file. Or, follow these steps to remove the vulnerability:

Line 21: Ensure this constant is false:
define ('ALLOW_EXTERNAL', FALSE); // allow external website (override security precaution - not advised!)

Line 27: Remove all domains from this array:
$allowedSites = array();
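The search in the steps above and the two configuration checks just given can be combined into one audit pass over a document root. The script below is an added example, not code from this post or from the TimThumb project: it lists every candidate copy of the script (by the file names timthumb.php and thumb.php, and by the ALLOW_EXTERNAL constant quoted above, so renamed copies are caught too), then reports each one as "safe" only when ALLOW_EXTERNAL is FALSE and $allowedSites is empty. The function names are hypothetical, and the sample site it builds when run without an argument is constructed here for illustration.

```shell
#!/bin/sh
# Audit a WordPress document root for copies of the TimThumb script and report
# whether each one still allows fetching from external sites.
# Added example; not code from the Tripawds post or from TimThumb. The helper
# names are hypothetical. Renamed copies are recognised by the ALLOW_EXTERNAL
# constant the post quotes from timthumb.php.

# List every candidate TimThumb file below the given root, one path per line.
find_timthumb_files() {
    root=$1
    {
        # By file name, as the post's cPanel search did; thumb.php is the
        # alternate name reported in the comment on the post.
        find "$root" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \)
        # By content, so a renamed copy is not missed.
        find "$root" -type f -name '*.php' -exec grep -l 'ALLOW_EXTERNAL' {} +
    } | sort -u
}

# Classify one file: "safe" when ALLOW_EXTERNAL is FALSE and $allowedSites is
# empty (the two fixes given in the post), otherwise "exposed".
classify_timthumb_file() {
    file=$1
    # define ('ALLOW_EXTERNAL', TRUE) in any spacing or letter case
    if grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]ALLOW_EXTERNAL['\"][[:space:]]*,[[:space:]]*true" "$file"; then
        echo exposed
        return 0
    fi
    # Take the $allowedSites assignment up to its closing parenthesis (it may
    # span several lines); any quoted string inside means a host is whitelisted.
    if awk '/[$]allowedSites[ \t]*=/ { p = 1 } p { print } p && /[)]/ { exit }' "$file" | grep -q "['\"]"; then
        echo exposed
        return 0
    fi
    echo safe
}

# Report "<status><TAB><path>" for every candidate below the root.
audit_timthumb() {
    find_timthumb_files "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_timthumb_file "$f")" "$f"
    done
}

# Number of candidates still exposed; 0 means every copy is locked down or gone.
count_exposed_timthumb() {
    audit_timthumb "$1" | grep -c '^exposed' || true
}

# Build a constructed sample site in a fresh temp dir and print its path.
# Theme names, paths and the example.com domain are made up for this demo.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/themeA/scripts" \
             "$dir/wp-content/themes/themeB" \
             "$dir/wp-content/themes/themeC/inc"
    # 1. Both fixes from the post applied: safe.
    printf '%s\n' '<?php' "define ('ALLOW_EXTERNAL', FALSE);" '$allowedSites = array();' \
        > "$dir/wp-content/themes/themeA/scripts/timthumb.php"
    # 2. Alternate file name from the comment, external fetches still on: exposed.
    printf '%s\n' '<?php' "define ('ALLOW_EXTERNAL', TRUE);" '$allowedSites = array();' \
        > "$dir/wp-content/themes/themeB/thumb.php"
    # 3. Renamed copy, constant off but the whitelist still populated: exposed.
    printf '%s\n' '<?php' "define ('ALLOW_EXTERNAL', FALSE);" '$allowedSites = array (' \
        "  'example.com'," ');' > "$dir/wp-content/themes/themeC/inc/resize.php"
    # 4. Unrelated theme file; must not appear in the report.
    printf '%s\n' "<?php echo 'hello';" > "$dir/wp-content/themes/themeC/index.php"
    echo "$dir"
}

# Usage: sh timthumb_audit.sh /path/to/public_html
# Without an argument the constructed sample site is audited and then removed.
root=${1:-$(make_sample_site)}
audit_timthumb "$root"
echo "exposed copies: $(count_exposed_timthumb "$root")"
[ -n "$1" ] || rm -rf "$root"
```

Run it against each domain's document root in turn (step 6 above) and treat any "exposed" line as a copy that still needs the two edits or deletion. The content match is deliberately broader than the name search, since a theme may ship the script under its own file name.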

What the TimThumb Issue Means for Tripawds Members

Nothing, really. Because we’re on top of things.

If, however, you are a Tripawds Supporter and had activated either of the premium themes, Magazeen or Mystique, you will need to activate a different theme. If you were using either of these themes and you cannot access your blog, again, don’t panic. Point your browser to yourblogname.tripawds.com/wp-admin/themes.php and select another of the more than 135 themes we make available to Tripawds bloggers.



1 response so far ↓

  • 1    jim // Aug 3, 2011 at 10:11 pm

    UPDATE: I also found at least one theme – “Blogtheme” – that uses the TimThumb script in a file named thumb.php, so searching for that may be beneficial too if you have lots of themes. Searching for “thumb” may return far too many results to sift through since that will return all your image thumbnails.
