thumb.php and WooThemes (and WordPress)

I had been reading mumblings of trouble in the WordPress groups I belong to, so I knew something was up, although I wasn't sure what. One group mentioned thumb.php and said it was a security risk, but I thought to myself: I haven't installed that anywhere, so I guess I'm safe.

Wrong. My favorite premium theme supplier had been using it, and I recently got an email telling me just that:

TimThumb (or thumb.php as you know it) – the open-source script we use in all of our themes to do dynamic image resizing – recently uncovered a critical security flaw in the script. This flaw is vulnerable to a potential hacker that could gain access to your server. This affects all of our existing themes and thus everyone who is currently using our themes.

The good thing, of course, is that they noticed and have redone their themes.

And, even better, all you have to do is update their framework: it looks for thumb.php and replaces it with a version that is not vulnerable. :)

So I don't have to dump the theme, or even update the theme, just the framework. Thanks, Woo.
