For those who may want to fix it themselves, you need to look for the $allowedSites variable, which will be an array of domain names. You need to make it an empty array, like so: $allowedSites = array();
We've searched all our plugins and themes and found the offending code in the Mystique theme, which is part of the Farms 133 Theme Pack, and also in the Network theme. The latest updates to both fix that, so please update immediately.
Responses (15)
WPMU DEV Fanatic — 3rd August 2011 (9 months ago) #
We'll have to either set this one as a sticky or keep on bumping it because this one's a big issue!
Cheers,
David
Lifetime member! — 3rd August 2011 (9 months ago) #
How bad is this? I've read many things about it, but what are the consequences?
(Ohhh my god, so much work to do :( )
Lifetime Member — 4th August 2011 (9 months ago) #
This is very bad, and a nasty entry point for hackers. It's scary how much code is floating around for wordpress, and how many plugins have security vulnerabilities (unbeknownst to all).
Heck, I myself without knowing any better have left a few things open that should have been closed.
Well, at least the community in general is quick to shout out and fix any/all security issues.
I'm just sorry for those few folks that felt the effects of this vulnerability before the patch was issued.
@Aphrodite
Answer: The security hole gives intruders access to the server hosting the script.
Sales & Support Pro — 4th August 2011 (9 months ago) #
Oops forgot the sticky. Now stuck.
Yep, I was one of them. Google is still telling people my site might be dodgy a month after I removed the injected code :(
Phil
Lifetime Member — 4th August 2011 (9 months ago) #
@Phil,
Ouch! Sorry to hear that man. I've been there, and hated it :(
And Google does take its sweet time - Hope your site will be set free from the 'blood bin' soon.
Lifetime Member — 5th August 2011 (9 months ago) #
For those interested:
Mark Maunder, the developer who discovered the TimThumb vulnerability, has done a full rewrite of TimThumb and released it as WordThumb.
News Source: http://wpcandy.com/reports/mark-maunder-forks-timthumb-to-wordthumb
Check it out on GoogleCode: http://code.google.com/p/wordthumb/
Check it out on Github https://github.com/humanmade/wpthumb
Lifetime Member — 12th August 2011 (9 months ago) #
Sorry for my late reply.
Will WPMU DEV release an updated version, or do we update manually? Also, I understand that only the
Mystique and Network themes are affected.
Am I right?
Thanks.
Member — 13th August 2011 (9 months ago) #
Have just been right through my server to check and clean up where necessary around 50 timthumb.php and thumb.php files. Found the following themes and plugins to contain the vulnerability. (Sorry, not sure of all the companies, just the theme name):
Themes:
u-design
OptimizePress
TheStyle
duotone
therapy
arras-theme
DeepFocus
TheProfessional
StudioBlue
InStyle
olive
Woothemes Listings
minibuzz
Plugins:
styles-with-shortcodes
slider-pro
wp-cart-for-digital-products
If it helps anyone else, I used a find . -name *thumb.php command in an SSH session to identify all occurrences of the vulnerable files on the server and then used WinSCP to locate and edit each file.
Lifetime member! — 13th August 2011 (9 months ago) #
Update: Mark Maunder has gotten together with Ben Gillbanks, and they have combined TimThumb and WordThumb to create TimThumb 2.
Lifetime Member — 15th August 2011 (9 months ago) #
Hi everyone,
I store some images at storage.sitename.com ...
Can I add "storage.sitename.com" to the allowed sites array?
Sales & Support Pro — 15th August 2011 (9 months ago) #
@Mustafa Are you having trouble getting images stored there resized?
I believe the vulnerability has to do with domains in the allowed sites array being able to be spoofed and so adding any to that would open up the vulnerability again.
Phil
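Editor's note: the reply above says that entries in $allowedSites can be "spoofed" but not how. The script below is an added example, not code from the thread or from TimThumb, and it assumes (my assumption; the thread does not spell this out) that the weak check looked for an allowed domain anywhere inside the requested image URL, while a strict check compares the full hostname only. The hostname storage.sitename.com is the one Mustafa asked about; the attacker hostnames and URLs are constructed for the demo.

```sh
#!/bin/sh
# Added example: substring matching of an "allowed site" versus exact host matching.
# Assumption (not stated in the thread): the weak check accepted a URL if the allowed
# domain appeared anywhere in it. The strict version extracts the host and compares whole.

ALLOWED="storage.sitename.com"   # the host Mustafa wanted to whitelist

# Weak check: allowed string found anywhere in the URL (substring match).
naive_allowed() {
    case "$1" in
        *"$ALLOWED"*) echo allow ;;
        *)            echo deny ;;
    esac
}

# Pull the host out of a URL: drop scheme, path, userinfo and port, then lowercase.
url_host() {
    h=${1#*://}      # drop "http://" or "https://"
    h=${h%%/*}       # drop everything from the first "/" (the path)
    h=${h##*@}       # drop userinfo such as "user@" (keep text after the last "@")
    h=${h%%:*}       # drop ":port"
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Strict check: the whole hostname must equal the allowed host.
strict_allowed() {
    if [ "$(url_host "$1")" = "$ALLOWED" ]; then echo allow; else echo deny; fi
}

# Constructed sample requests (not from the thread). Only the first is legitimate.
for u in \
    "http://storage.sitename.com/photo.jpg" \
    "http://storage.sitename.com.attacker.example/shell.php" \
    "http://attacker.example/storage.sitename.com/x.php" \
    "http://user@evil.example:8080/storage.sitename.com"
do
    printf '%-58s naive=%s strict=%s\n' "$u" "$(naive_allowed "$u")" "$(strict_allowed "$u")"
done
```

The three attacker URLs all pass the substring check because the allowed name appears as a prefix of a longer host, inside the path, or as a fake username. Even an exact host match only helps while that host stays under your control, which is why the first post's stopgap of an empty array, followed by an update to a current TimThumb, is the safer answer to the question above.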
Lifetime Member — 15th August 2011 (9 months ago) #
Yes, because they are stored in Amazon S3 (upload and forget).
Sales & Support Pro — 15th August 2011 (9 months ago) #
Ah I see. Honestly, I'm not sure what to suggest. I'd recommend taking a look at the new version of TimThumb that merges WordThumb and see if that sorts the issue for you.
Phil
Support Kangaroo — 26th August 2011 (9 months ago) #
Greetings :-)
I found the SSH command offered by stepben above did not work, but I used the following command from an SSH terminal and found them:
find / -iname *thumb.php -print
Joe :-)
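Editor's note: the two find commands above (stepben's and Joe's) only list the files; the first post says the fix is an empty $allowedSites array. The script below is an added example, not code from the thread, that does both steps: it finds every *thumb.php copy under a WordPress root and reports whether its $allowedSites line is already empty. It assumes (my assumption) that the file declares the array on a single line as $allowedSites = array(...); anything else is reported as "unknown" for a manual look. The demo tree it builds is constructed, not real theme code. One caveat on the commands above: the unquoted *thumb.php glob is expanded by the shell before find sees it, so quote it as shown here.

```sh
#!/bin/sh
# Added example: audit a WordPress tree for timthumb/thumb.php copies and classify
# each one by its $allowedSites setting. Not code from the thread or from TimThumb.

# Print one line per file: STATUS<TAB>PATH, where STATUS is
#   empty     -> $allowedSites = array();  (the stopgap from the first post)
#   nonempty  -> array still lists domains (needs fixing or updating)
#   unknown   -> no single-line array found; inspect by hand
audit_thumbs() {
    root=$1
    # quote the glob so the shell does not expand it before find runs
    find "$root" -type f -iname '*thumb.php' -print | sort | while IFS= read -r f; do
        # first $allowedSites assignment in the file, with spaces and tabs squeezed out
        line=$(grep -m1 -E '^[[:space:]]*\$allowedSites[[:space:]]*=' "$f" | tr -d ' \t')
        case "$line" in
            '')                           status=unknown ;;
            '$allowedSites=array();')     status=empty ;;
            '$allowedSites=array('*')'*)  status=nonempty ;;
            *)                            status=unknown ;;
        esac
        printf '%s\t%s\n' "$status" "$f"
    done
}

# Number of files that still list allowed domains.
count_nonempty() {
    audit_thumbs "$1" | grep -c '^nonempty' || true
}

# Build a constructed demo tree (not real theme files) and return its path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/a" "$d/themes/b" "$d/plugins/c"
    # assumption: this mirrors the single-line declaration style the check expects
    printf '<?php\n$allowedSites = array ("flickr.com", "picasa.com");\n' > "$d/themes/a/timthumb.php"
    printf '<?php\n$allowedSites = array();\n' > "$d/themes/b/thumb.php"
    printf '<?php\n$allowedSites = explode(",", $cfg);\n' > "$d/plugins/c/TimThumb.php"
    printf '<?php echo "not timthumb";\n' > "$d/plugins/c/index.php"
    printf '%s\n' "$d"
}

demo=$(make_demo)
audit_thumbs "$demo"
echo "files still needing the empty-array fix: $(count_nonempty "$demo")"
```

Run it against your web root (for example audit_thumbs /var/www) and work through the nonempty and unknown lines. Emptying the array is the stopgap the first post describes; the posts above also recommend replacing each copy with the current TimThumb release.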
Sales & Support Pro — 5th September 2011 (8 months ago) #
Hi all,
Just found out about this new plugin which scans your wp-content directory for existence of the vulnerability:
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
Phil