Comments on: TimThumb Security Vulnerability – Common in WordPress Themes

By: Leland

Leland — Sun, 07 Aug 2011 00:18:54 +0000

I think that’s one of the reasons why Mark Maunder described TimThumb as “inherently insecure.”

By: Marie-Aude

Marie-Aude — Fri, 05 Aug 2011 20:38:55 +0000

One of the other issues with TimThumb is that it requires a chmod 777 to properly function. I never felt confident with that.

By: Leland

Leland — Wed, 03 Aug 2011 22:05:49 +0000

Yep, hopefully they’ll get the message and update their scripts.

By: Leland

Leland — Wed, 03 Aug 2011 22:05:19 +0000

Hey Darren, thanks for stopping by and sharing your thoughts about this.

Definitely interesting to hear from one of the original creators of the timthumb script.

By: Leland

Leland — Wed, 03 Aug 2011 20:41:21 +0000

Yep, as far as a quick fix you can just include the latest timthumb script without the allowed sites.

If you have more time, maybe utilize the add_image_size so it takes advantage of WordPress’ APIs.

By: Leland

Leland — Wed, 03 Aug 2011 20:40:11 +0000

Hey Andreas, definitely a good point about having a built-in update capability.

You could say the same thing about the framework->child theme model so you can safely upgrade the “core” theme without sacrificing any of your modifications (done in the child theme).

By: Leland

Leland — Wed, 03 Aug 2011 20:38:43 +0000

They weren’t stripped, just didn’t have any blockquote styles for comments until now.

Also couldn’t agree more with your comment. It really bothered me how someone who has contributed so much was just getting ripped to shreds because of this.

By: Leland

Leland — Wed, 03 Aug 2011 20:33:35 +0000

Yep, I noticed they posted about no longer using the timthumb script in the latest versions of their themes. http://www.elegantthemes.com/blog/theme-changesbug-fixes/timthumb-vulnerability-security-update

By: Len

Len — Wed, 03 Aug 2011 16:38:54 +0000

Hmmm, I meant for the 1st paragraph in my comment above to be wrapped in blockquote tags. For some reason they were stripped out. It was supposed to indicate me quoting from your post but now looks like I am plagiarising your post.

By: Len

Len — Wed, 03 Aug 2011 16:34:17 +0000

I noticed that the TimThumb developer, Ben Gillbanks, was getting directly and indirectly “bashed” pretty hard in the comments of the original vulnerability post.

Yeah, and there is no call for that. Ben has given so much of himself to the WordPress community. A vulnerability was discovered and was quickly fixed.

Non-coders don’t seem to understand the complexities involved in writing code. You think you have a solid airtight snippet and then comes along some hacker with way too much time on his hands poking and prodding until he finds something.

Those of us who are active in the WordPress community know of Ben’s tireless contributions.