About two weeks ago a vulnerability in a PHP plugin that is quite popular in performing image resizing tasks, and that I’d incorporated into my WEBphysiology Portfolio Plugin, was uncovered. I found out based upon an email that came out of my local WordPress Meetup group. The issue had to do with the ability of a hacker to upload a PHP file to the caching (temp) directory and then execute that piece of code. The vulnerability was caught by Mark Maunder who had been hacked. Word quickly spread and Mark put in a valiant effort to totally re-write and secure the code. He then rolled his changes, named WordThumb, into the original TimThumb code, renamed TimThumb 2.0, at the request of Matt Mullenweg.
Since finding out about this issue I have spent a great deal of time to update my plugin to utilize this code, clean up some option settings that integrated with the code as well as some other back-end plugin code that integrated further. The result of this, along with other changes I was able to sneak in, was released in WEBphysiology Portfolio version 1.3.1. You can download this from WordPress or off of my WEBphysiology Portfolio Plugin page.
Further to this issue and how it may impact you, one article (link removed due to 404) tries to list the affected plugins and themes but it is definitely incomplete as neither my WEBphysiology Portfolio plugin was noted, nor the WooThemes authored themes I have. In an email from WooThemes, it sounds like all of their themes include TimThumb (thumb.php). They have since updated to the latest version and shifted the code to live within their framework to make it easier to keep updated.
You can read more about how to find out if you’ve been hacked in Mark Maunder’s posting, and several others he’s since released. If you need to update your theme or plugin to utilize the latest code, you can find the TimThumb.php 2 source code here: TimThumb Code Archive. The issues list can be found here: http://code.google.com/p/timthumb/issues/list.
