TimThumb script

Hi, All,

I manage several large WPMU installations and a lot of individual WP sites as well. The TimThumb vulnerability was quite the nuisance. Attempting to use the vulnerability scanner didn't work for my large WPMU installs because there was just way too much data for it to try to parse and it would time out. Even if it had worked, I'd have had to log in to almost 200 separate WP installations, install the plugin, activate, scan and then 'fix' each discovered file. What a waste of time. I have shell access...so there must be a better way, right? :slight_smile:

So, I wrote a bash script for it instead. I used this to update all the TimThumb scripts on 4 servers in about 20 minutes. Whew. What a relief.

Make sure the destination path works for you (/var/www/vhosts/) or change it so it does.

All the normal clauses apply: Use at your own risk. No guarantees. Back it up first. Keep out of direct sunlight. Don't feed after midnight. Half an hour before swimming. Yada yada.

#!/bin/bash
## ====================================
#  This checks all php files in /var/www/vhosts/
#  for TimThumb and then overwrites them with
#  the current version
## ====================================
echo
date
export dnow=$(date +%Y%m%dT%H%M%S)

## ====================================
#  Get the most current version of TimThumb.php
#  (-O so a second run doesn't leave a timthumb.php.1 behind;
#  stop if the download failed or isn't TimThumb, otherwise every
#  hit below would be overwritten with an error page or an empty file)
## ====================================
wget -O timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php || exit 1
grep -q 'http://code.google.com/p/timthumb/' timthumb.php || { echo "downloaded file doesn't look like TimThumb"; exit 1; }

## ====================================
#  Generate a list of files, then overwrite them
#  (-print0 / -0 / -Z so paths with spaces survive the pipeline;
#  the final list is newline-separated so it's readable)
## ====================================
find /var/www/vhosts/ -name "*.php" -print0 | xargs -0 -r grep -lZ 'http://code.google.com/p/timthumb/' | xargs -0 -r grep -li "version',\s*'1" > ~/timthumb-$dnow.txt

while IFS= read -r eaTim
do
  ## ==================================
  # Keep a copy of the old file, then overwrite with current version
  echo "Overwriting $eaTim"
  cp -p "$eaTim" "$eaTim.bak-$dnow"
  cp timthumb.php "$eaTim"
  ## ==================================
done < ~/timthumb-$dnow.txt

## ====================================
#  all done!
## ====================================

The beauty of this solution is that it's global. It'll help secure even those sites that aren't using WP, and you don't have to wait for individual updates to anything. Just do it.

If the stuff above doesn't look right, you can get it here, too:
http://12pd.com/s/fix-timthumb.zip

Have fun!
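The same procedure as a set of small, testable shell functions. This is an added example, not the original poster's script: it keeps the post's own criterion for "vulnerable" (a file carrying the http://code.google.com/p/timthumb/ marker whose VERSION define is 1.x), parses the version instead of pattern-matching on a leading '1', takes a per-file backup, and refuses to spread a replacement that is not itself TimThumb (an empty file or an HTML error page from a failed download). The marker string is taken from the post; the function names, the backup naming and the sample directory tree are assumptions constructed here so the script runs offline.

```shell
#!/bin/bash
# Added example, not the original poster's script. Finds TimThumb copies whose
# VERSION define is 1.x (the post's own criterion for "vulnerable") and replaces
# them only after a backup and only with a file that is itself TimThumb.
# The marker string is the one the post greps for; the sample tree is constructed.
set -u

TIMTHUMB_MARKER='http://code.google.com/p/timthumb/'

# Print the VERSION string declared in a TimThumb file (nothing if absent).
# Matches e.g.  define ('VERSION', '1.33');  or  define('VERSION','2.8.2');
timthumb_version() {
    sed -n "s/.*define[[:space:]]*([[:space:]]*'VERSION'[[:space:]]*,[[:space:]]*'\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Succeed only for a file that carries the TimThumb marker AND declares a 1.x
# version; unrelated files that happen to define VERSION are ignored.
is_vulnerable_timthumb() {
    local f="$1" ver major
    grep -qF "$TIMTHUMB_MARKER" "$f" 2>/dev/null || return 1
    ver=$(timthumb_version "$f")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    [ "$major" -lt 2 ]
}

# List vulnerable copies under $1, one path per line. Paths with spaces are
# fine; paths containing a newline are not, the same trade-off as the post's
# newline-separated ~/timthumb-<date>.txt list.
scan_vulnerable() {
    local root="$1" f
    find "$root" -name '*.php' -print | while IFS= read -r f; do
        if is_vulnerable_timthumb "$f"; then printf '%s\n' "$f"; fi
    done
}

# Copy $2 over $1, keeping a timestamped backup beside the target. Refuses
# (returns 1, target untouched) if $2 does not carry the TimThumb marker, so a
# failed download that left an empty file or an HTML error page is never
# copied across every site.
replace_with_backup() {
    local target="$1" fresh="$2" stamp
    grep -qF "$TIMTHUMB_MARKER" "$fresh" 2>/dev/null || return 1
    stamp=$(date +%Y%m%dT%H%M%S)
    cp -p -- "$target" "$target.bak-$stamp" || return 1
    # Writing into the existing file keeps its owner and mode, so the web
    # server keeps exactly the access it had before.
    cat -- "$fresh" > "$target"
}

# Replace every vulnerable copy under $1 with $2, reporting each outcome.
fix_tree() {
    local root="$1" fresh="$2" f
    scan_vulnerable "$root" | while IFS= read -r f; do
        if replace_with_backup "$f" "$fresh"; then
            printf 'fixed   %s\n' "$f"
        else
            printf 'SKIPPED %s\n' "$f" >&2
        fi
    done
}

# --- constructed sample tree, a stand-in for /var/www/vhosts/ ---------------
write_stub() {   # write_stub <path> <version> [marker-line]
    mkdir -p "$(dirname -- "$1")"
    {
        printf '<?php\n'
        if [ -n "${3-}" ]; then printf '// %s\n' "$3"; fi
        printf "define ('VERSION', '%s');\n" "$2"
    } > "$1"
}

make_demo_tree() {
    local d
    d=$(mktemp -d)
    write_stub "$d/site-a/thumb.php"    1.33  "$TIMTHUMB_MARKER"   # vulnerable
    write_stub "$d/site b/timthumb.php" 1.10  "$TIMTHUMB_MARKER"   # vulnerable, space in path
    write_stub "$d/site-a/new.php"      2.8.2 "$TIMTHUMB_MARKER"   # already current
    write_stub "$d/site-a/index.php"    1.0                        # no marker: not TimThumb
    write_stub "$d/fresh.php"           2.8.2 "$TIMTHUMB_MARKER"   # stand-in for the download
    printf '%s\n' "$d"
}

# Usage:  ./fix-timthumb-demo.sh --demo
if [ "${1-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    echo "vulnerable before:"; scan_vulnerable "$demo"
    fix_tree "$demo" "$demo/fresh.php"
    echo "vulnerable after:";  scan_vulnerable "$demo"
    rm -rf -- "$demo"
fi
```

Against a real tree the call would be `fix_tree /var/www/vhosts/ ./timthumb.php` after the download step; because `replace_with_backup` checks the replacement first, a bad download aborts every copy rather than silently blanking them.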