TimThumb script

Hi, All,

I manage several large WPMU installations and a lot of individual WP sites as well. The TimThumb vulnerability was quite the nuisance. Attempting to use the vulnerability scanner didn't work for my large WPMU installs because there was just way too much data for it to try to parse and it would timeout. Even if it had worked, I'd have had to login to almost 200 separate WP installations, install the plugin, activate, scan and then 'fix' each discovered file. What a waste of time. I have shell access...so there must be a better way, right? :)

So, I wrote a bash script for it instead. I used this to update all the TimThumb scripts on 4 servers in about 20 minutes. Whew. What a relief.

Make sure the destination path works for you (/var/www/vhosts/) or change it so it does.

All the normal clauses apply: Use at your own risk. No guarantees. Back it up first. Keep out of direct sunlight. Don't feed after midnight. Half an hour before swimming. Yada yada.

#!/bin/bash
## ====================================
#  This checks all php files in /var/www/vhosts/
#  for TimThumb and then overwrites them with
#  the current version
## ====================================
echo
date
export dnow=$(date +%Y%m%dT%H%M%S)

## ====================================
#  Get the most current version of TimThumb.php
#  (plain HTTP, so eyeball the file before trusting it;
#  abort if the download fails, otherwise the cp below
#  would push a missing or stale copy onto every site)
## ====================================
wget -O timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php || exit 1

## ====================================
#  Generate a list of files, then overwrite them
#  (-print0/-0/-Z keep paths with spaces intact;
#  the second grep keeps only 1.x VERSION strings)
## ====================================
find /var/www/vhosts/ -name "*.php" -print0 \
  | xargs -0 -r grep -lZ 'http://code.google.com/p/timthumb/' \
  | xargs -0 -r grep -il "version',\s*'1" > ~/timthumb-$dnow.txt

while IFS= read -r eaTim
do
## ====================================

  ## ==================================
  # Overwrite with current version (cp onto an existing
  # file keeps that file's owner and permissions)
  echo "Overwriting $eaTim"
  cp timthumb.php "$eaTim"
  ## ==================================

## ====================================
done < ~/timthumb-$dnow.txt
## ====================================

## ====================================
#  all done!
## ====================================

The beauty of this solution is that it's global. It'll help secure even those sites that aren't using WP, and you don't have to wait for individual updates to anything. Just do it.

If the stuff above doesn't look right, you can get it here, too:
http://12pd.com/s/fix-timthumb.zip

Have fun!
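The post's script decides what to overwrite with a single grep for a 1.x VERSION string and never reports what it found. Below is an added example (my own code, not from the post, the zip or the TimThumb project) that does the inventory step on its own: it finds every PHP file carrying the TimThumb project URL, pulls the version out of the `define ('VERSION', '...')` line, and prints VULNERABLE for 1.x, OK for anything later and UNKNOWN when no version line exists, so you can review the list before the overwrite. The function names, the sample tree under a mktemp directory and the file contents are all constructed for the demo; the real run would point timthumb_report at /var/www/vhosts/.

```shell
#!/bin/sh
# Added example, not part of the original post or of TimThumb itself.
# Inventory TimThumb copies under a directory and classify them by version
# without modifying anything.

# Print the version string from one PHP file, e.g. 1.33 or 2.8
# (matches the "define ('VERSION', '1.33');" form the post's grep relies on).
timthumb_version() {
    sed -n "s/.*define *( *'VERSION' *, *'\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# VULNERABLE for the 1.x line, OK for 2.x and later, UNKNOWN if no VERSION found.
timthumb_status() {
    v=$(timthumb_version "$1")
    case "$v" in
        "")  echo UNKNOWN ;;
        1.*) echo VULNERABLE ;;
        *)   echo OK ;;
    esac
}

# One line per TimThumb copy under $1: "<status>  <version>  <path>"
# (paths are taken from grep -l, so paths containing newlines are not supported).
timthumb_report() {
    find "$1" -name '*.php' -exec grep -l 'http://code.google.com/p/timthumb/' {} + 2>/dev/null \
      | sort \
      | while IFS= read -r f; do
            printf '%s\t%s\t%s\n' "$(timthumb_status "$f")" "$(timthumb_version "$f")" "$f"
        done
}

# How many copies still need the overwrite.
timthumb_vulnerable_count() {
    timthumb_report "$1" | grep -c '^VULNERABLE' || true
}

# Constructed sample tree: one old copy, one updated copy, one file that only
# mentions the URL, and one unrelated PHP file that must be ignored.
timthumb_demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-content/themes/foo/scripts" "$d/site2/lib" "$d/site3"
    printf "<?php\n// http://code.google.com/p/timthumb/\ndefine ('VERSION', '1.33');\n" \
        > "$d/site1/wp-content/themes/foo/scripts/timthumb.php"
    printf "<?php\n// http://code.google.com/p/timthumb/\ndefine ('VERSION', '2.8');\n" \
        > "$d/site2/lib/thumb.php"
    printf "<?php\n// see http://code.google.com/p/timthumb/\n" > "$d/site3/notes.php"
    printf "<?php\necho 'hello';\n" > "$d/site3/index.php"
    echo "$d"
}

# Stand-alone demo run on the constructed tree.
demo_dir=$(timthumb_demo_setup)
timthumb_report "$demo_dir"
echo "vulnerable copies: $(timthumb_vulnerable_count "$demo_dir")"
rm -rf "$demo_dir"
```

Run it as `sh report.sh` for the demo, or source it and call `timthumb_report /var/www/vhosts/` to get the same three-column list for a real tree; the UNKNOWN rows are the ones to inspect by hand, since the post's version grep would silently skip them.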

  • Philip John
    • DEV MAN’s Apprentice

    Hiya!

    Wow, that's awesome - thanks so much for this! Points your way...

    Just to clarify one thing as I've not used batch scripts before. All that code goes in a file yes (the one in the zip)? And then you call that batch file from the command line?

    Worth noting that the file needs to be executable, right?

    Phil

  • Jonathan
    • The Incredible Code Injector

    Wow, I like this a lot...

    Echoing what Phil said...

    Would I...
    At the terminal, log in...
    nano script
    Paste bash script in script
    Save and close the file by typing CTRL X, then y for yes, then ENTER.
    Then create permissions to run the script like this:-
    chmod u+x script
    And put the pedal to the metal (run script):-
    ./script
    And then delete the sucker (don't like to leave scripts hanging about):-
    sudo rm /root/script

    Would that be the correct recipe?

  • Shawn
    • The Crimson Coder

    Thanks, Phil. It's a bash script (for linux) not a batch script (windows).

    Save it as a text file to your server as "fix-timthumb.sh" in your home directory (via SSH) and ensure that your account has root access (the ability to modify all files on the server is important - or it won't work, obviously). Set the executable bit for your account and forbid other users access to it. You can do this with:
    chmod 700 fix-timthumb.sh

    Then run:
    ~/fix-timthumb.sh

    And just wait for it to finish. It'll create a text file with a list of all the files that it discovered and modified as "timthumb-(timestamp).txt" so you can review changes if you want.
