Timthumb security bug

Many WordPress themes and other systems use the script timthumb to resize and crop images. This happens in the background, and usually you do not see any reference to timthumb in the web interface. You may never have heard of it, but we recommend verifying whether your system uses timthumb or not. Recently a security bug has been discovered which can give an intruder unwanted access to all your files.

The solution

Unfortunately it takes a bit of work to verify whether you use the script or not. The file name may differ depending on the developer who used it. Therefore we recommend downloading all files and searching each file for the term “TimThumb by” (without the quotes). Files that contain this term are probably the timthumb script or scripts. There may be only one such file, but if you are using plugins it is possible that you will find several. Open them and look for the following:

if(WEBSHOT_ENABLED){

Replace it with this:

if(WEBSHOT_ENABLED && 1 != 1){

This solution disables the webshot feature, which is where the security bug lives, even when your script's configuration says it should be on. By default the webshot feature is off, but this change makes sure that the feature really is disabled. Note that this may break some parts of your website, so I recommend watching the developer's website to see whether they have released a fix for this bug.
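As an added example (not code from the original post or from the TimThumb project), the following POSIX shell functions do the search and check described above: the first lists every PHP file under a web root that carries the “TimThumb by” banner and reports whether the webshot guard is still the original condition or has already been changed, the second applies the change to one file while keeping a backup. The function names audit_timthumb and disable_webshot and the .bak backup suffix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the TimThumb project.
# Audits a web root for TimThumb copies and reports whether the webshot
# guard in each file is the original condition or the neutralised one.
# Function names and the .bak backup suffix are assumptions.

# Prints one line per TimThumb file:
#   <path> VULNERABLE  original "if(WEBSHOT_ENABLED){" still present
#   <path> PATCHED     condition already changed to "&& 1 != 1"
#   <path> NO-GUARD    banner found but neither pattern; inspect by hand
audit_timthumb() {
    root="$1"
    # -r recurses, -l lists file names only, --include limits to PHP files
    grep -rl --include='*.php' 'TimThumb by' "$root" 2>/dev/null |
    while IFS= read -r f; do
        if grep -q 'WEBSHOT_ENABLED && 1 != 1' "$f"; then
            printf '%s PATCHED\n' "$f"
        elif grep -qE 'if[[:space:]]*\(WEBSHOT_ENABLED\)[[:space:]]*\{' "$f"; then
            printf '%s VULNERABLE\n' "$f"
        else
            printf '%s NO-GUARD\n' "$f"
        fi
    done
}

# Applies the change from the post to one file, keeping the original as
# <file>.bak. Only the exact condition is rewritten; all other lines are
# copied unchanged.
disable_webshot() {
    f="$1"
    cp -- "$f" "$f.bak" || return 1
    # In a sed replacement "&" means "the matched text", so it is escaped.
    sed 's/if(WEBSHOT_ENABLED){/if(WEBSHOT_ENABLED \&\& 1 != 1){/' "$f.bak" > "$f"
}
```

Run audit_timthumb against the web root first, then disable_webshot on each file reported as VULNERABLE, and re-run the audit to confirm every file now reports PATCHED.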
