
New TimThumb Exploit Found

It’s been reported today that a new TimThumb exploit has been found. Unfortunately nobody told me about this before the exploit was announced – in fact I found out about the bug through so I haven’t been able to look into a fix for it. I’ve now contacted Mark, who wrote the webshots code (which is where the exploit was found), and asked him to sort out a fix, so hopefully Google Code will be updated soon.

Update: Mark has fixed the issue and so TimThumb should be secure once more, just update from Google Code.

Don’t Panic

First things first – most people using TimThumb don’t need to worry. The webshots code is disabled by default, and even if it’s enabled you need to have two server-side extensions installed to be able to execute it. However – to be sure you’re safe – you should make sure you have the following line set.

define ('WEBSHOT_ENABLED', false);

This will disable the dodgy code and make sure you are safe.
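
To check every copy of the script on a site at once, here is an added example (not part of TimThumb or of the original post): a Python sketch that walks a directory and reports how each PHP file sets WEBSHOT_ENABLED. The function names, the constructed SAMPLES lines and the crude comment stripping are assumptions made for illustration; it also flags a define typed with typographic quotes, which PHP does not read as a string.

```python
import re
import sys
from pathlib import Path

QUOTES = "'\"\u2018\u2019\u201c\u201d"  # straight plus typographic quotes
DEFINE_RE = re.compile(
    r"\b(?i:define)\s*\(\s*([%s])WEBSHOT_ENABLED[%s]\s*,\s*([^)]*?)\s*\)" % (QUOTES, QUOTES)
)
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.DOTALL)  # crude heuristic

# Constructed sample lines (not taken from any real install).
SAMPLES = {
    "default": "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);",
    "switched_on": "define ('WEBSHOT_ENABLED', true);",
    "pasted_from_web": "define (\u2018WEBSHOT_ENABLED\u2019, false);",
    "commented_out": "// define ('WEBSHOT_ENABLED', true);",
}

def classify(php_source: str) -> str:
    """Return 'enabled', 'disabled', 'malformed' or 'absent' for one PHP file."""
    code = COMMENT_RE.sub("", php_source)  # ignore commented-out defines
    states = set()
    for quote, value in DEFINE_RE.findall(code):
        if quote not in "'\"":
            # Typographic quotes do not delimit a PHP string: constant not set.
            states.add("malformed")
        elif value.strip().lower() in ("false", "0"):
            states.add("disabled")
        else:
            states.add("enabled")  # true, 1, or anything unexpected
    # Conservative ordering: an enabling define outranks everything else.
    for state in ("enabled", "malformed", "disabled"):
        if state in states:
            return state
    return "absent"

def audit(root: str) -> dict:
    """Map each .php file under root that mentions WEBSHOT_ENABLED to its state."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if "WEBSHOT_ENABLED" in text:
            report[str(path.relative_to(root))] = classify(text)
    return report

if __name__ == "__main__":
    for name, state in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{state:10} {name}")
```

Run it with the web root as its only argument; anything reported as enabled or malformed needs the line above set by hand.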

Don’t use TimThumb

I haven’t written about TimThumb in a while. This is because I no longer maintain it (apart from times like now when these security things appear). Plus – there are just better ways now.

WordPress has had support for post thumbnails for ages now – and I use these all the time in my themes. I haven’t used TimThumb in a WordPress theme since before the previous TimThumb security exploit in 2011.

If you want even more options then you can now use the Photon extension – which is part of the Jetpack plugin. It’s a CDN/image resizer, as used by – and it’s awesome. It integrates seamlessly with the WordPress post thumbnail code, and it takes the image sizing load off your servers.

I’ll be writing about Photon and how and why you should use it sometime in the next couple of weeks.

For now – just make sure you have the latest version of TimThumb – and that the code above is set.

Ben

Ben is a lifelong Nintendo fan who also likes to build websites, and develop games. He also buys way too much Lego.
