Aphro says

Hi to all great themers here.

Once again a WP site has been attacked AND destroyed thanks to Thimthumb, even the last version and well set up. One of my networks has been hacked using the last version of thimthumb.

WP includes its proper thumbs generator, please use it and definitely forget thimthumb, even update all your themes if using it and simply suppress it.

Elegant Themes did it for all their themes, this is urgent and very insecure to continue using that shit.

Thanks to all of you !!!!

FinalDestiny says

First learn to spell it correctly. Just because your website got hacked it doesn’t mean it’s because of timthumb, you sound like an amateur just accusing here and there, everyone.

Aphro says

I am not an “amateur” but a sysadmin of several multisite networks AND I had the proof that direct requests on timthumb were the cause of injections in files.

So before telling someone they are an “amateur”, begin to code your themes correctly and use the WP guidelines correctly.

I accuse no one, I just request that themers not use timthumb, and PRO coders should just NOT use it. I accuse Timthumb of being a very huge security issue which is known worldwide.

So if YOU still use it in your theme, YOU are the amateur, dear.

And sorry for the “h”, keyboard error from a non-English-speaking user :)

Lumiere_de_Lune says

Hello, I’m an admin of the WordPress French users association, and I’m definitely no amateur. I worked with Aphrodite on his problem and he is perfectly right, the source of the malware was timthumb.

I personally never used any theme with Timthumb, even before the security leak was revealed. I don’t understand something that “needs” a 777… basic security.

If your theme uses Timthumb, can you explain the advantages of the script and why it is so needed when you have a proper thumb system with WordPress?

pixelentity says

Would you mind sharing some technical details about the exploit? Being a sysadmin myself, I’m very interested in the matter.

BF

FinalDestiny says

Then why don’t you report the issues to the timthumb developers so they can fix it in the next version? And don’t forget that millions of websites are still using timthumb; if what you say is true, then most of them will/should already be hacked. But they’re not.

Coming here and crying instead of fixing the issue and reporting it to the developer is not a sign of professionalism.

And it’s needed for multiple reasons, including WP not being able to resize images located in a folder other than the WP one; WP can’t resize external images.

Aphro says

Yep, the issue has been solved by suppressing ALL themes using timthumb (more than 50, up-to-date, free wp.org themes), and restoring all the server accounts, purged of all themes before restoring. And the server has been stable immediately.

Specialists are now analysing the logs to see what happened exactly. But I won’t share anything with them. There is absolutely no need to duplicate a core, secure function of WP with an external application. No need to use an external folder. Put images where they must be, as in 95% of themes, as Elegant Themes has done.

And by the way, many sites ARE hacked. We see that every day on forums. Because of timthumb? Possibly. What is sure is that I will never use any theme with timthumb anymore and will write a review about that.
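
An added example (not code from the thread or from any poster) of the kind of log review mentioned above: a small Python scanner over constructed Apache combined-format lines that picks out direct requests to timthumb.php and records whether the src parameter points outside the site's own host, which is what a reviewer would want to examine first. The site host, script path and log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: a normal page view, a theme thumbnail request
# whose src stays on the site, and two requests whose src is an external host
# (the second one percent-encoded, as browsers and tools often send it).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2011:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2011:10:01:03 +0000] "GET /wp-content/themes/demo/timthumb.php'
    '?src=http://example.com/wp-content/uploads/a.jpg&w=150 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2011:10:07:44 +0000] "GET /wp-content/themes/demo/timthumb.php'
    '?src=http://cdn.example.org/pic.jpg&w=1 HTTP/1.1" 200 900 "-" "curl/7.21"',
    '198.51.100.7 - - [12/Aug/2011:10:07:45 +0000] "GET /wp-content/themes/demo/timthumb.php'
    '?src=http%3A%2F%2Fcdn.example.org%2Fpic.jpg&w=1 HTTP/1.1" 200 900 "-" "curl/7.21"',
]


def classify_request(line, site_host):
    """Return a finding for a direct request to timthumb.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/timthumb.php"):
        return None
    # parse_qs already percent-decodes the value.
    src = parse_qs(parts.query).get("src", [""])[0]
    src_host = urlsplit(src).netloc.lower() if "://" in src else ""
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "src": src,
        # A relative src has no host and is treated as on-site.
        "external_src": bool(src_host) and src_host != site_host.lower(),
        "status": int(m.group("status")),
    }


def scan(lines, site_host):
    """Findings for every direct timthumb.php request, in log order."""
    return [f for f in (classify_request(l, site_host) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "example.com"):
        flag = "EXTERNAL" if f["external_src"] else "on-site"
        print(f["time"], f["ip"], flag, f["src"])
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines and site_host with the site's own hostname; requests flagged EXTERNAL are the ones to review against the theme's expected image sources.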

FinalDestiny says

You may be right, but still I think the best way to handle this kind of situation is to help the developers improve it and report any possible logs and vulnerabilities to them. timthumb has its purpose; “put images where they must be” isn’t a valid reason for not using it. Many users have separate folders with their images, or many multimedia themes use vimeo / youtube for videos and we need thumbnails for them; WP isn’t capable of getting those thumbs manually and the easiest way is to use a timthumb-like solution.

I’d suggest checking the timthumb configuration and permissions and make sure you were using the latest version because from my research I don’t see any major websites hacked in the past weeks because of any new vulnerability discovered.

Lumiere_de_Lune says

“WP isn’t capable of getting those thumbs manually”

Again, can you explain to me what Timthumb does that the standard API does not?

FinalDestiny says

It is capable of getting and resizing images from external sources and folders outside the wp installation / uploads folder.
