Posted September 1, 2011, 7:10 pm in WordPress Tips
Thank you to a couple users of the WP Mobile Detector who brought a security hole to my attention.
Recently a hack was found that exploited the Timthumb.php script. The WP Mobile Detector utilizes the Timthumb.php script, so it could potentially affect any blog running the WP Mobile Detector plugin.
I am happy to announce that this was fixed and an update was pushed to WordPress.org. As long as you have version 1.7 or higher you are all set.
The exploit had to do with how a version of Timthumb.php validated the domains that were authorized for the script. It performed a substring comparison against the array of authorized domains, which was incorrect.
For example, if “domain.com” was an authorized domain, then “mydomain.com” would also be authorized, since it contains the authorized domain. This is a pretty huge error in the script and has since been fixed in the most recent version.
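To make the bug concrete, here is an added illustration (written for this post, not TimThumb's own code) of a substring-style domain check next to a hardened one that only accepts the exact domain or a real subdomain of it; the allowlist and the test hosts are constructed for the example.

```php
<?php
// Constructed allowlist of remote image hosts, as a script like this would hold.
$allowedSites = array('domain.com', 'flickr.com');

// Vulnerable shape: strpos() succeeds if the allowed domain appears ANYWHERE
// in the host, so "mydomain.com" and "domain.com.evil.example" both pass.
function host_allowed_substring($host, array $allowed) {
    $host = strtolower($host);
    foreach ($allowed as $site) {
        if (strpos($host, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: the host must equal an allowed domain exactly, or end with
// ".<domain>" so that only genuine subdomains match.
function host_allowed_exact($host, array $allowed) {
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;
        }
    }
    return false;
}

// Take the host from a full URL with parse_url() rather than matching on the
// raw URL string, so path or query text cannot satisfy the check.
function url_allowed($url, array $allowed) {
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && $host !== '' && host_allowed_exact($host, $allowed);
}

// Constructed hosts: the first two are legitimate, the last two are not.
$hosts = array('domain.com', 'img.domain.com', 'mydomain.com', 'domain.com.evil.example');
foreach ($hosts as $h) {
    printf("%-26s substring:%-5s exact:%-5s\n", $h,
        host_allowed_substring($h, $allowedSites) ? 'ALLOW' : 'deny',
        host_allowed_exact($h, $allowedSites) ? 'ALLOW' : 'deny');
}
var_dump(url_allowed('http://img.domain.com/a.jpg', $allowedSites));
var_dump(url_allowed('http://evil.example/a.jpg?x=domain.com', $allowedSites));
```

Running it shows the substring check allowing all four hosts while the exact check allows only the first two, and the URL wrapper rejects a URL that merely carries the allowed domain in its query string.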
If you use Timthumb.php with any of your projects, it is recommended that you update to the most recent version, which is version 2.8 as of writing this post.
You can find the most recent version here: http://timthumb.googlecode.com/svn/trunk/timthumb.php
Robert wilkins September 20, 2011
Is there an alternative way to use thumbnails instead of timthumb. I know it’s been patched but I don’t trust it.
Eric Stolz November 21, 2011
You can remove timthumb and just specify a width, but that would mean it would still load the much larger image size. But it is a way to make it work without using timthumb.
The other way is to automatically create new images for mobile when the post is saved, but this would take a considerable amount of work.
Brian June 7, 2012
Hi Eric and anyone else who could help.
I love how your plugin helps my site actually look good on mobile devices.
I only have one fix I need to make it perfect. I need to remove the dates on my posts and pages that show up in my mobile version. They have been taken out in the desktop version of my site, but there they are on the mobile version of the site.
I can’t have dates showing and wonder if there is a way to keep it from showing.
Thanks in advance.
Eric Stolz June 18, 2012
Brian, did you get everything sorted out?