timthumb and versions

4 posts from 2 voices

• Started 1 year ago by dsanders212
• Latest reply from Dude
• This topic is not resolved

Tags:

• Security
• timthumb
• update

1. 

   dsanders212
   Member

   Two things really.
   1. I did not know this theme had updated and timthumb had been removed, this is because the sticky'd post at the top of this forum has not been updated to reflect such; it wasn't until I was leisurely reading the forum that I saw it was mentioned in passing. I had to check themeforest.net, and re-download the package to check the version.rtf to see it had been updated. After updating and reading that timthumb was removed due to a security flaw I was a little more peeved as my site has recently been defaced (read: hacked), and I can't help but wonder if this was the hole used to get in as EVERYTHING else was locked down and kept up to date. In future versions of the version document and the sticky'd post would it be possible to also include the date as well as the version number? Thank you.

   2. According to the verstion.rtf I'm referring to, it says timthumb was removed, however it is still referenced in lots_of_small_helpers.php and actually called in kriesi_post_thumb.php. Is there any reason the code was left in place? It would seem that is the meat of the function call and the call is used in no less than 14 other files multiple times each. I am getting serious about security after recent events, and am hoping my questions can be answered. Thanks again.

   Posted 1 year ago #
2. 

   Dude
   Dude

   Hey,
   Kriesi used timthumb in older themes (like Display) but he switched to the native WP thumbnail function (themes since Newscast, CleanCut, Expose, etc.). Some files may contain references to timthumb but hackers can't exploit them because they need the timthumb.php script to attack the server. However the latest version doesn't contain tumthumb.php anymore and hackers can't access it anymore. The latest version of timthumb can be considered as secure again.

   Posted 1 year ago #
3. 

   dsanders212
   Member

   I understand that the script can't be exploited if it's not there. However the latest version downloaded from themeforest still contains references to timthumb in some pretty important functions. I'm more concerned with the functionality of the theme as the functions called from timthumb no longer exist.

   Also I see my advice/request for keeping the sticky'd post at the top of the forum up to date with versions and dates was not heeded. I would like to again point out my request, found in my first post, to keep the sticky'd thread up to date and match the themeforest version/descriptions.

   As always thanks for your time.

   Posted 1 year ago #
4. 

   Dude
   Dude

   The timthumb reference code isn't called/interpreted anymore - otherwise the php compiler would output fatal errors because required files would be missing.

   I'll look into a "latest version thread". Someone else asked for it too. However it takes some time to gather all the data and at the moment I don't have enough time for this task. When I find some free time I'll create the list.

   Posted 1 year ago #

RSS feed for this topic

Reply

You must log in to post.