TRIPAWDS: Home to 25154 Members and 2176 Blogs.
HOME » NEWS » BLOGS » FORUMS » CHAT » YOUR PRIVACY » RANDOM BLOG

How to Fix TimThumb Theme Script Security Exploit

Don’t panic. Security Breach Averted!

I first learned about the zero day vulnerability affecting many WordPress themes today on LinkedIn. Plenty has been written about the security flaw found in the timthumb.php script used by many themes that could result in a serious security breach by allowing the upload of malicious scripts to your server. I won’t go into detail, because these fine folks already have:

See the above links for plenty of information, opinions, and fixes. I’ll just quickly outline what I did to ensure we remained safe here at Tripawds.

  1. Log in to cPanel account for domain
  2. Access File Manager
  3. Search all files for “timthumb”
  4. Note location of file(s) if found
  5. Delete timthumb.php*
  6. Repeat for any other domains

*Note: Deleting the TimThumb script may break certain themes, or at least affect how they manage and display images. I chose to just delete any themes using the script.

If you need the TimThumb script running on your site, upgrade to the latest version. This issue has already been addressed. If, like me, you find some merit in the many discussions about the safety – or lack thereof – of allowing any scripts on your server to access data from third party sites, then delete the file. Or, follow these steps to remove the vulnerability:

Line 21: Ensure this constant is false:
define ('ALLOW_EXTERNAL', FALSE); // allow external website (override security precaution - not advised!)

Line 27: Remove all domains from this array:
$allowedSites = array();

What the TimThumb Issue Means for Tripawds Members

Nothing, really. Because we’re on top of things.

If, however, you are a Tripawds Supporter and had activated either of the premium themes, Magazeen or Mystique, you will need to activate a different theme. If you were using either of these themes and you cannot access your blog, again, don’t panic. Point your browser to yourblogname.tripawds.com/wp-admin/themes.php and select another of the more than 135 themes we make available to Tripawds bloggers.

Published by

jim

Prior to the great database debacle of 2022, all forum posts from this Tripawds user account may have been originally posted by Jerry (aka: Rene) OR Admin (aka: Jim). Any questions?

One thought on “How to Fix TimThumb Theme Script Security Exploit”

  1. UPDATE: I also found at least one theme – “Blogtheme” – that uses the TimThumb script in a file named thumb.php, so searching for that may be beneficial too if you have lots of themes. Searching for “thumb” may return far too many results to sift through since that will return all your image thumbnails.

Leave a Reply

Your email address will not be published. Required fields are marked *

Behind the Scenes is brought to you by Tripawds.
HOME » NEWS » BLOGS » FORUMS » CHAT » YOUR PRIVACY » RANDOM BLOG