Yesterday we learned of a vulnerability in a popular image resizing library called TimThumb, which is used in many WordPress themes and plugins. The vulnerability was first reported by Mark Maunder in a post on his blog, and has been confirmed by the author of TimThumb.
The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.
We recommend deleting timthumb.php or thumb.php if your site will work without them. If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or plugin directory. After you remove the TimThumb library make sure you check that your site is still working correctly.
If you must use TimThumb please make sure to update the file with the latest version and remember to check the TimThumb site regularly for updates. You should also set
false and find the
$allowedSites array inside the file and remove the domain names to prevent remote file downloading.
Make sure this constant is set to false:
define( 'ALLOW_EXTERNAL', false );
$allowedSites = array ( 'flickr.com', 'picasa.com', 'img.youtube.com', 'upload.wikimedia.org', );
$allowedSites = array();
Theme and plugin authors should use the built-in WordPress functions such as add_image_size to resize images.
We are sending out emails to all VaultPress customers who have TimThumb installed on their site. Customers can contact the VaultPress Safekeepers directly for help from the VaultPress dashboard.