Comments on: TimThumb Security Vulnerability – Common in WordPress Themes http://www.themelab.com/timthumb-security-exploit/ We build High Quality, Good Looking Premium WordPress Themes that are Easy to Use and ready for just about anything. Tue, 28 Jun 2016 19:01:53 +0000 hourly 1 https://wordpress.org/?v=4.6.1

By: Leland http://www.themelab.com/timthumb-security-exploit/#comment-17642 Sun, 07 Aug 2011 00:18:54 +0000 http://www.themelab.com/?p=2760#comment-17642 I think that’s one of the reasons why Mark Maunder described TimThumb as “inherently insecure.”

By: Marie-Aude http://www.themelab.com/timthumb-security-exploit/#comment-17637 Fri, 05 Aug 2011 20:38:55 +0000 http://www.themelab.com/?p=2760#comment-17637 One of the other issues with TimThumb is that it requires a chmod 777 to properly function. I never felt confident with that.

By: Leland http://www.themelab.com/timthumb-security-exploit/#comment-17620 Wed, 03 Aug 2011 22:05:49 +0000 http://www.themelab.com/?p=2760#comment-17620 Yep, hopefully they’ll get the message and update their scripts.

By: Leland http://www.themelab.com/timthumb-security-exploit/#comment-17619 Wed, 03 Aug 2011 22:05:19 +0000 http://www.themelab.com/?p=2760#comment-17619 Hey Darren, thanks for stopping by and sharing your thoughts about this.

Definitely interesting to hear from one of the original creators of the timthumb script.

By: Leland http://www.themelab.com/timthumb-security-exploit/#comment-17617 Wed, 03 Aug 2011 20:41:21 +0000 http://www.themelab.com/?p=2760#comment-17617 Yep, as far as a quick fix you can just include the latest timthumb script without the allowed sites.

If you have more time, maybe utilize the add_image_size so it takes advantage of WordPress’ APIs.

By: Leland http://www.themelab.com/timthumb-security-exploit/#comment-17616 Wed, 03 Aug 2011 20:40:11 +0000 http://www.themelab.com/?p=2760#comment-17616 Hey Andreas, definitely a good point about having a built-in update capability.

You could say the same thing about the framework->child theme model so you can safely upgrade the “core” theme without sacrificing any of your modifications (done in the child theme).

By: Leland http://www.themelab.com/timthumb-security-exploit/#comment-17615 Wed, 03 Aug 2011 20:38:43 +0000 http://www.themelab.com/?p=2760#comment-17615 They weren’t stripped, just didn’t have any blockquote styles for comments until now. 🙂

Also couldn’t agree more with your comment. It really bothered me how someone who has contributed so much was just getting ripped to shreds because of this.

By: Leland http://www.themelab.com/timthumb-security-exploit/#comment-17614 Wed, 03 Aug 2011 20:33:35 +0000 http://www.themelab.com/?p=2760#comment-17614 Yep, I noticed they posted about no longer using the timthumb script in the latest versions of their themes. http://www.elegantthemes.com/blog/theme-changesbug-fixes/timthumb-vulnerability-security-update

By: Len http://www.themelab.com/timthumb-security-exploit/#comment-17612 Wed, 03 Aug 2011 16:38:54 +0000 http://www.themelab.com/?p=2760#comment-17612 Hmmm, I meant for the 1st paragraph in my comment above to be wrapped in blockquote tags. For some reason they were stripped out. It was supposed to indicate me quoting from your post but now looks like I am plagiarising your post. 🙂

By: Len http://www.themelab.com/timthumb-security-exploit/#comment-17611 Wed, 03 Aug 2011 16:34:17 +0000 http://www.themelab.com/?p=2760#comment-17611

I noticed that the TimThumb developer, Ben Gillbanks, was getting directly and indirectly “bashed” pretty hard in the comments of the original vulnerability post.

Yeah, and there is no call for that. Ben has given so much of himself to the WordPress community. A vulnerability was discovered and was quickly fixed.

Non-coders don’t seem to understand the complexities involved in writing code. You think you have a solid airtight snippet and then comes along some hacker with way too much time on his hands poking and prodding until he finds something.

Those of us who are active in the WordPress community know of Ben’s tireless contributions.
