Aug 9, 2011 08:21 GMT

An image manipulation script used in many popular WordPress themes has been updated to address a critical security vulnerability.

The flaw, which is currently being exploited in the wild, was disclosed last week by Feedjit CEO Mark Maunder after his personal blog was compromised through it.

The affected script is called TimThumb and is mainly used for image resize operations. It consists of a single PHP file and can fetch images from remote servers, which it then stores in a local cache directory.

The check against the list of whitelisted third-party domains was too weak: it only required an allowed domain name to appear somewhere in the supplied URL rather than to be the actual host, so a URL pointing at an attacker-controlled server whose name contained a whitelisted domain passed. That allowed attackers to have TimThumb fetch a PHP shell script into its cache directory and then execute it by requesting the cached file directly.
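The difference between the two checks, as an added illustration (this is not TimThumb's own code, in either version; the allowed-site list, the function names and the sample URLs are assumptions chosen for the demonstration). The weak check is a substring match over the whole URL; the strict check parses the URL, keeps only the host component and requires an exact match or a subdomain with a label boundary:

```php
<?php
// Added illustration, not TimThumb's code: substring matching on the
// whitelist versus a real hostname check.

$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com', 'img.youtube.com');

// Vulnerable style: an allowed domain only has to appear *somewhere* in the URL
// (host, userinfo, path or query string all count).
function isAllowedWeak($src, array $allowedSites) {
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($src), strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: parse the URL, take only the host, require http/https, and accept
// either an exact match or a subdomain of an allowed site (".site" suffix so
// that "notblogger.com" does not match "blogger.com").
function isAllowedStrict($src, array $allowedSites) {
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['host'], $parts['scheme'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs (attacker.example is a placeholder host).
$tests = array(
    'http://img.youtube.com/vi/abc/0.jpg',           // legitimate remote image
    'http://blogger.com.attacker.example/shell.php', // allowed name as prefix of attacker host
    'http://blogger.com@attacker.example/shell.php', // allowed name in the userinfo part
    'http://attacker.example/x.php?u=blogger.com',   // allowed name in the query string
    'http://attacker.example/flickr.com/evil.php',   // allowed name in the path
);
foreach ($tests as $url) {
    printf("%-50s weak=%s strict=%s\n", $url,
        isAllowedWeak($url, $allowedSites) ? 'allow' : 'deny',
        isAllowedStrict($url, $allowedSites) ? 'allow' : 'deny');
}
```

The weak check accepts all five URLs; the strict check accepts only the first. Note that a correct host check still lets through anything hosted on a subdomain of a whitelisted service, which on sites that give users their own subdomains can be attacker content, so the whitelist alone is not a defence and the cache directory itself has to be made non-executable, as the 2.0 release does.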

Since discovering the flaw, Maunder has been working closely with WordPress founder Matt Mullenweg and TimThumb lead developer Ben Gillbanks to address the issue.

These efforts resulted in TimThumb 2.0, a new version of the script that incorporates several safeguards and enhancements.

"The cache directory is now secure and is still public for flexibility across platforms. TimThumb creates index files in your cache to prevent directory listings.

"Filenames are more randomized using data that a hacker doesn’t have access to, making it very hard to guess filenames in cache and access them," Maunder explains.

Furthermore, all cached files now have a .txt extension and, for extra protection, they also begin with a short piece of PHP code that calls exit, so that even if a web server were somehow made to execute one of them as PHP, nothing after that stub would run.
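The cache layout described above, as an added example rather than TimThumb 2.0's actual implementation: a non-guessable filename derived from the request with a secret the attacker cannot read, a .txt extension, an index file in the directory, and a PHP guard prepended to every entry and stripped again on read. The directory paths, the guard string, the HMAC construction and the secret's storage location are all assumptions of this example.

```php
<?php
// Added illustration, not TimThumb's code: a cache that cannot be turned
// into a PHP execution path even when it is populated with attacker content.

define('CACHE_DIR', sys_get_temp_dir() . '/thumb-cache-demo');          // public cache dir (assumption)
define('CACHE_SECRET_FILE', sys_get_temp_dir() . '/thumb-cache-demo.secret'); // kept outside the cache dir (assumption)
// Guard prepended to every cache file. If the file is ever executed as PHP,
// the script exits before any of the cached bytes are reached.
define('CACHE_GUARD', "<?php die('Execution denied!'); ?>");

function cacheInit() {
    if (!is_dir(CACHE_DIR)) {
        mkdir(CACHE_DIR, 0755, true);
    }
    // Index file so that a request for the directory never yields a listing.
    $index = CACHE_DIR . '/index.html';
    if (!file_exists($index)) {
        file_put_contents($index, '<!-- index -->');
    }
}

// Secret used to randomize filenames: generated once, stored outside the
// web-visible cache directory, never sent to the client.
function cacheSecret() {
    if (!file_exists(CACHE_SECRET_FILE)) {
        file_put_contents(CACHE_SECRET_FILE, bin2hex(random_bytes(16)));
    }
    return file_get_contents(CACHE_SECRET_FILE);
}

// Filename = HMAC(secret, request parameters). Without the secret an attacker
// who knows the source URL and size still cannot compute the cache name.
function cachePath($src, $width, $height) {
    $key = hash_hmac('sha256', $src . '|' . $width . '|' . $height, cacheSecret());
    return CACHE_DIR . '/' . $key . '.txt';
}

function cacheWrite($src, $width, $height, $imageBytes) {
    $path = cachePath($src, $width, $height);
    // Write to a temporary name first, then rename, so readers never see a partial file.
    $tmp = $path . '.' . bin2hex(random_bytes(4)) . '.tmp';
    file_put_contents($tmp, CACHE_GUARD . $imageBytes);
    rename($tmp, $path);
    return $path;
}

function cacheRead($src, $width, $height) {
    $path = cachePath($src, $width, $height);
    if (!file_exists($path)) {
        return null;
    }
    $data = file_get_contents($path);
    // Refuse to serve anything that does not carry our guard prefix.
    if (strncmp($data, CACHE_GUARD, strlen(CACHE_GUARD)) !== 0) {
        return null;
    }
    return substr($data, strlen(CACHE_GUARD));
}

cacheInit();
// Constructed sample: a "JPEG" whose body carries PHP, as a hostile remote
// server might return it. It is cached, but only behind the guard, in a .txt file.
$payload = "\xFF\xD8\xFF<?php system('id'); ?>";
$path = cacheWrite('http://example.invalid/a.jpg', 100, 100, $payload);
echo "cached as ", basename($path), "\n";
var_dump(cacheRead('http://example.invalid/a.jpg', 100, 100) === $payload);
```

Three independent layers are at work: the attacker cannot guess the filename, a .txt file is not handed to the PHP interpreter by a normally configured server, and if both of those fail the guard stub exits before the cached bytes execute. The guard is stripped on read, so the script still serves a clean image to browsers.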

The image manipulation capabilities have also been enhanced. The script can now take website screenshots and all filters can be applied to them.

"I’m going to be working with Ben going forward to continue to have TimThumb be the easiest to use, fastest, most popular and most secure thumbnail script on the Web," Maunder announces.

Webmasters who use this script in their themes are urged to download the latest timthumb.php from the project's repository and replace every copy in their installations; since the script is bundled by many themes, a single site can contain more than one copy, and all of them need to be updated.