Timthumb.php Security Flaw – Patched in WP Mobile Detector 1.7 and Above
Posted by Eric Stolz in WordPress Tips
Thank you to a couple users of the WP Mobile Detector who brought a security hole to my attention.
Recently a hack was found that exploited the Timthumb.php script. The WP Mobile Detector uses the Timthumb.php script, so the flaw could potentially affect any blog running the WP Mobile Detector plugin.
I am happy to announce that this was fixed and an update was pushed to WordPress.org. As long as you have version 1.7 or higher you are all set.
The exploit had to do with how a version of Timthumb.php validated the domains that were authorized to use the script. It compared the requested host against the array of authorized domains with a substring check, when it should have checked for a match against the authorized domain itself.
For example, if “domain.com” was authorized, then “mydomain.com” would also be treated as authorized, since it contains the authorized domain. This is a pretty huge error in the script, and it has since been fixed in the most recent version.
If you use Timthumb.php with any of your projects, it is recommended that you update to the most recent version, which is version 2.8 as of writing this post.
You can find the most recent version here: http://timthumb.googlecode.com/svn/trunk/timthumb.php
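To show the class of mistake described above, here is an added example (not TimThumb's code or the plugin's) that puts the substring-style allow-list check beside a check that accepts only an exact host match or a dot-separated subdomain of an allowed name. The allow-list entries and test URLs are constructed for the illustration.

```php
<?php
// Added example; not code from the TimThumb project or the WP Mobile Detector plugin.
// It reproduces the bug class described in the post: treating "the host contains
// an authorized domain" as "the host is an authorized domain".

$allowedSites = ['domain.com', 'images.example.org']; // constructed allow-list

// Weak check: any host that merely contains an allowed name passes.
function isAllowedSubstring(string $url, array $allowedSites): bool {
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($allowedSites as $site) {
        if (strpos($host, strtolower($site)) !== false) {
            return true; // "mydomain.com" passes because it contains "domain.com"
        }
    }
    return false;
}

// Hardened check: the host must equal an allowed name exactly, or end with
// "." followed by the allowed name, so a longer or different label cannot match.
function isAllowedHost(string $url, array $allowedSites): bool {
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    if ($host === '') {
        return false; // relative paths and unparsable URLs are rejected outright
    }
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true; // e.g. "cdn.domain.com" is a real subdomain of "domain.com"
        }
    }
    return false;
}

// Constructed test URLs: the last two contain an allowed name without being that site.
$tests = [
    'http://domain.com/a.jpg',
    'http://cdn.domain.com/a.jpg',
    'http://mydomain.com/a.jpg',
    'http://domain.com.other.test/a.jpg',
];
foreach ($tests as $url) {
    printf("%-36s substring=%-4s exact/suffix=%s\n", $url,
        isAllowedSubstring($url, $allowedSites) ? 'pass' : 'deny',
        isAllowedHost($url, $allowedSites) ? 'pass' : 'deny');
}
```

The two checks agree on the first two URLs and disagree on the last two, which is exactly the gap the post describes.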
September 20, 2011
Is there an alternative way to use thumbnails instead of timthumb? I know it’s been patched but I don’t trust it.

November 21, 2011
You can remove timthumb and just specify a width, but that would mean it would still load the much larger image size. But it is a way to make it work without using timthumb.
The other way is to automatically create new images for mobile when the post is saved, but this would take a considerable amount of work.