Posted September 1, 2011, 7:10 pm in WordPress Tips
Thank you to a couple users of the WP Mobile Detector who brought a security hole to my attention.
Recently a hack was found that exploited the Timthumb.php script. The WP Mobile Detector utilizes the Timthumb.php script, so it could potentially affect any blog running the WP Mobile Detector plugin.
I am happy to announce that this was fixed and an update was pushed to WordPress.org. As long as you have version 1.7 or higher you are all set.
The exploit had to do with how a version of Timthumb.php validated the domains that were authorized for the script. The string comparison it performed against the array of authorized domains was incorrect.
For example, if the domain “domain.com” was authorized, then “mydomain.com” would also be authorized, since it contains the authorized domain. This is a pretty huge error in the script and has since been fixed in the most recent version.
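To make that mismatch concrete, here is an added illustration (not TimThumb's or the plugin's own code) of the substring-style check the post describes beside a check that compares only the parsed host name; the allow list and sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allow list: only images hosted on domain.com (or a subdomain
# of it) should be fetched.
ALLOWED_SITES = ["domain.com"]


def substring_check(url: str, allowed=ALLOWED_SITES) -> bool:
    """The flawed pattern the post describes: the URL passes as long as an
    authorized domain appears anywhere in the string."""
    return any(site in url.lower() for site in allowed)


def host_check(url: str, allowed=ALLOWED_SITES) -> bool:
    """Hardened form: parse the URL, keep only the host name, and require it
    to be the authorized domain itself or a subdomain of it."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in allowed)


# Constructed sample URLs, each paired with the verdict the hardened check
# should give. ".invalid" is a reserved TLD, so these hosts cannot resolve.
SAMPLES = {
    "http://domain.com/photo.jpg": True,
    "http://cdn.domain.com/photo.jpg": True,
    "http://mydomain.com/photo.jpg": False,            # the post's example
    "http://domain.com.attacker.invalid/x.php": False,  # authorized name as prefix
    "http://attacker.invalid/x.php?u=domain.com": False,  # name only in query
    "http://attacker.invalid/domain.com/x.php": False,  # name only in path
}


def false_accepts():
    """URLs the substring check accepts but the host-name check rejects."""
    return [u for u in SAMPLES if substring_check(u) and not host_check(u)]


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{url:48} substring={substring_check(url)!s:5} host={host_check(url)}")
    assert all(host_check(u) == ok for u, ok in SAMPLES.items())
```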
If you use Timthumb.php with any of your projects, it is recommended that you update to the most recent version, which is version 2.8 as of writing this post.
You can find the most recent version here: http://timthumb.googlecode.com/svn/trunk/timthumb.php