WordPress Tavern
Where Every Drink Is On The House

The Aftermath Of The TimThumb Vulnerability

By Jeffro on November 1, 2011

Sucuri Security has a great post that begins to review the aftermath of the massive exploitation of the TimThumb image resizer script. According to their calculations, about a million pages have been compromised by the script, but when filtering down their results for the past thirty days, there were over 200,000 results. The exploitation of the script is still an ongoing problem and will most likely continue to be for the foreseeable future. If you think an old version of the TimThumb script is on your server, use the TimThumb vulnerability scanner plugin.

The TimThumb exploitation event is interesting in that so many websites became compromised despite the issue not being relevant to the core of WordPress itself. I wonder if there are any other popular scripts or dependencies that plugins or themes use that could end up in the same situation?

Posted in News | Tagged exploit, images, security, timthumb | 5 Responses

Using WordPress To Create Multiple Image Sizes

By Jeffro on September 14, 2011

WPBeginner has an excellent tutorial that describes how to use the built-in functions of WordPress to generate additional image sizes for use in themes. This is possibly a better alternative than using TimThumb.

Posted in WordPress | Tagged images, timthumb, tutorial | 1 Response

See If You’re Secure With The Timthumb Vulnerability Scanner

By Jeffro on September 5, 2011

Not sure if any of the plugins or themes you have installed within your WP-Content directory contain the outdated version of TimThumb? Good news, there is a simple plugin that not only scans your content directory for the outdated version of the script, but also provides a link to quickly upgrade to the newer version. After installation, you’ll find the options page within the Tools menu. After running the scan on WPTavern for the first time, these were my results:

[Image: Clean Scan Reported By Scanner]

This plugin is especially useful to those who have more than a few themes or an abundant number of plugins installed as it checks the entire contents of the WP-Content directory. According to a post within the plugin's support forum, it has not gone through specific testing with WordPress Multi-Site but the author sees no reason why it wouldn’t work.

Posted in Plugins | Tagged plugin, security, timthumb | 9 Responses

The History Of TimThumb

By Jeffro on February 26, 2010

Previous to WordPress having post thumbnails built in, there was a script called TimThumb. I know quite a few themes that integrated TimThumb in order to automatically generate post thumbnails instead of relying on the old method of using a custom field. Ben Gillbanks has chronicled the short history of TimThumb.

Development was started by Tim (hence the name), one of the programmers at Category4 where Darren worked. Shortly after the release of Mimbo Pro, with Tim's blessing, we decided to open source the code, releasing TimThumb on Google code, and that’s when everyone else started using it. Nowadays 95% of the premium themes teams are offering TimThumb support – and it’s a great feeling, knowing so many are making use of code I worked on.

The article was published in 2009 but I was fooled because I saw it as a recent submission on WPVote.com. Still worthy of a good read though.

Posted in News | Tagged history, images, scripts, timthumb | 4 Responses
