WebFaction

So, I've been hearing about this scary vulnerability in timthumb.php. How do I upgrade my timthumb.php script to the latest secure version?

asked 21 Aug '11, 12:54

seanf

edited 21 Aug '11, 13:10


Awesome question, Sean! :D

First, you need to find your existing timthumb.php script. You can do that with the find command:

find ~ -name timthumb.php

The result of the command will look something like this:

/home/you/webapps/wp/wp-content/themes/sometheme/timthumb.php
/home/you/webapps/otherwp/wp-content/themes/othertheme/timthumb.php

You can then replace each one with the following commands:

wget -O /home/you/webapps/wp/wp-content/themes/sometheme/timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php
wget -O /home/you/webapps/otherwp/wp-content/themes/othertheme/timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php

If you're feeling brave, you can replace them all at once with a single command (you might want to back up your existing scripts first):

find ~ -name timthumb.php -exec wget -O {} http://timthumb.googlecode.com/svn/trunk/timthumb.php \;

Sometimes the script is named something else, like "thumb.php" - in that case, just modify the above commands to match whatever filename you need.

You'll also want to look in the thumbnail cache directory, for example /home/you/webapps/wp/wp-content/themes/sometheme/cache, and delete any PHP files you find in there (since those are most likely malicious scripts that were uploaded via the exploit).

If your images aren't appearing after upgrading the script, then try setting the PHP DOCUMENT_ROOT as described here: Configuring DOCUMENT_ROOT. This problem usually happens for sites that serve multiple applications. If you're only serving a single app from your site, then you're probably not affected by it.


answered 21 Aug '11, 13:08

seanf

edited 23 Aug '11, 11:21
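A safer way to carry out the steps in this answer, as an added example that is not part of the original answer: it checks the downloaded script once before copying it over every timthumb.php (keeping a backup of each old copy), and lists PHP files in cache directories for review rather than deleting them. The function names and the demo directory tree are constructed for illustration; the script itself must be downloaded beforehand as the comment shows.

```shell
#!/bin/sh
# Added example, not from the original answer. Replaces every timthumb.php
# under a tree with one already-downloaded copy of the new script, keeping a
# backup of each old file, and lists PHP files sitting in cache directories.
# Assumes the new script was fetched first, e.g. with
#   wget -O /tmp/timthumb.new http://timthumb.googlecode.com/svn/trunk/timthumb.php

# Refuse a download that is empty or not PHP: a failed "wget -O" leaves a
# zero-byte file, and "find -exec wget -O {}" would write that into every theme.
check_new_script() {
    [ -s "$1" ] || { echo "refusing: $1 is empty or missing" >&2; return 1; }
    head -c 5 "$1" | grep -q '^<?php' || { echo "refusing: $1 is not PHP" >&2; return 1; }
}

# $1 = verified new script, $2 = directory to search, $3 = filename to replace
# (defaults to timthumb.php; pass thumb.php for renamed copies).
# Each old copy is kept as NAME.bak.TIMESTAMP; prints how many were replaced.
replace_timthumb_copies() {
    new=$1; root=$2; name=${3:-timthumb.php}
    check_new_script "$new" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    find "$root" -type f -name "$name" | while IFS= read -r f; do
        cp -p "$f" "$f.bak.$stamp"
        cp "$new" "$f"
    done
    find "$root" -type f -name "$name.bak.$stamp" | wc -l | tr -d ' '
}

# List PHP files inside any "cache" directory for manual review; nothing is
# deleted here, so a legitimate file cannot be removed by accident.
list_cache_php() {
    find "$1" -type f -name '*.php' -path '*/cache/*' | sort
}

# Constructed demo tree standing in for ~/webapps; no real site is touched.
demo=$(mktemp -d)
mkdir -p "$demo/wp/wp-content/themes/sometheme/cache" \
         "$demo/otherwp/wp-content/themes/othertheme"
echo '<?php // old copy' > "$demo/wp/wp-content/themes/sometheme/timthumb.php"
echo '<?php // old copy' > "$demo/otherwp/wp-content/themes/othertheme/timthumb.php"
echo '<?php // unexpected file in cache' > "$demo/wp/wp-content/themes/sometheme/cache/x.php"
echo '<?php // new upstream copy' > "$demo/timthumb.new"
: > "$demo/empty.new"    # what a failed download leaves behind

replace_timthumb_copies "$demo/empty.new" "$demo" || echo "empty download rejected"
echo "replaced: $(replace_timthumb_copies "$demo/timthumb.new" "$demo")"   # replaced: 2
echo "review these cache files:"; list_cache_php "$demo"
rm -rf "$demo"
```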


question asked: 21 Aug '11, 12:54

question was seen: 26,989 times

last updated: 23 Aug '11, 11:21

© COPYRIGHT 2003-2016 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED
REGISTERED IN ENGLAND AND WALES 5729350 - VAT REGISTRATION NUMBER 877397162
5TH FLOOR, THE OLD VINYL FACTORY, HAYES, UB3 1HA, UNITED KINGDOM