
Timthumb security update

{name}

Total Posts: 45

Joined 2011-09-28

Timthumb 2.8.13 had a vulnerability.
v. 2.8.14 has since been released.
https://code.google.com/p/timthumb/source/list

It’s a small update. I applied the diff on a test site, and it seems to work fine with Synapse.

{name}

Total Posts: 3667

Joined 2011-04-27

Thanks. I’ve pushed out updates to all the themes that still use it.

Luckily, the flaw was in a method (webshots) that is disabled by default and very few people make use of. I’m working on a solution that will allow us to say goodbye to timthumb altogether :)

{name}

Total Posts: 33

Joined 2012-09-21

Hi,

Are these updates being automatically pushed to our site, without having to do a theme update? We have been setting up our site security in the last 2 weeks and in the logs have seen some activity about timthumb. We were not making any site updates, etc. We are currently running Synapse Child 1.7.

We just want to make sure that we are not having any sort of security issue and if we see this again in the future we know what is happening.

Thanks.

{name}

Total Posts: 3667

Joined 2011-04-27

@ExtReach2 - Yes, if you’ve got your theme properly set up using a child theme, then updates come through just like all other WP updates.

{name}

Total Posts: 33

Joined 2012-09-21

Does that mean any and all updates require that we physically push the “Update Plugin” button? That nothing is ever automatically pushed to the site without our express clicking of the update button - correct?

The reason I ask is that we were seeing some “edits to file” in our security logs around timthumb and we were not editing the site or making any plugin, etc. updates.

{name}

Total Posts: 3667

Joined 2011-04-27

The only files that should be touched by timthumb are in the theme’s /cache directory.

As for updates, yes, you have to go to the WP updates and perform the update action.

The only other option I know of would be this plugin.
http://pento.net/projects/automatic-updater-for-wordpress/
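Two checks a site owner could run to answer the questions raised in this thread, added here as an example (it is not code from the forum, Synapse, or timthumb): read the VERSION and WEBSHOT_ENABLED defines from a timthumb.php header to see whether the copy predates 2.8.14 and whether the webshot feature is enabled, and triage file-change log entries by flagging anything timthumb should not be writing to, i.e. anything outside the theme's /cache directory. The `define ('NAME', value);` layout, the theme path and the log entries are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed excerpt of a timthumb.php header (not copied from a real site);
# it assumes timthumb declares its settings as define ('NAME', value);
SAMPLE_TIMTHUMB = """<?php
define ('VERSION', '2.8.13');
define ('WEBSHOT_ENABLED', false);
"""

FIXED_VERSION = (2, 8, 14)  # first release with the webshot fix, per the thread


def parse_define(src, name):
    """Return the value of define('NAME', ...) as a bare string, or None."""
    m = re.search(r"define\s*\(\s*'%s'\s*,\s*([^)]+)\)" % re.escape(name), src)
    return m.group(1).strip().strip("'\"") if m else None


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def assess_timthumb(src):
    """Classify a timthumb.php source by its version and webshot setting."""
    version = parse_define(src, "VERSION")
    webshot = parse_define(src, "WEBSHOT_ENABLED")
    outdated = version is not None and version_tuple(version) < FIXED_VERSION
    webshot_on = (webshot or "").lower() == "true"
    if outdated and webshot_on:
        risk = "high"      # vulnerable release with the affected feature on
    elif outdated:
        risk = "update"    # vulnerable release, but webshots are disabled
    else:
        risk = "ok"
    return {"version": version, "webshot_enabled": webshot_on, "risk": risk}


def unexpected_writes(changed_paths, theme_dir):
    """Return changed files that are not under <theme>/cache; timthumb should
    only touch the cache directory, so anything else deserves a closer look."""
    cache = PurePosixPath(theme_dir) / "cache"
    return [p for p in changed_paths if cache not in PurePosixPath(p).parents]


# Constructed file-change entries, as a file-integrity log might report them.
CHANGED = [
    "/var/www/wp-content/themes/synapse/cache/3f2a.timthumb.txt",
    "/var/www/wp-content/themes/synapse/timthumb.php",
    "/var/www/wp-content/uploads/.htaccess",
]

if __name__ == "__main__":
    print(assess_timthumb(SAMPLE_TIMTHUMB))
    for p in unexpected_writes(CHANGED, "/var/www/wp-content/themes/synapse"):
        print("review:", p)
```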