Just received a message from my web host about timthumb.php vulnerability. Is there something that Habitat users need to do to patch or update our sites? I am a definite newbie when it comes to messing with the base code, btw.
Timthumb Vulnerability on Habitat
14 posts from 6 voices
Posted 1 year ago #
-
Hi,
are you running the latest version of the theme? Kriesi released a timthumb update just a few days ago. The update can be downloaded on themeforest.
Posted 1 year ago # -
I purchased in May 2011; I think I'm running version 1.1.1. To update, do I just download the 'current' theme from Themeforest and replace the theme on WordPress? Will I have to rebuild the site again?
Posted 1 year ago # -
When you download the updated version there's a version.rtf file which tells you what has been updated so you can replace the files in question. However, you can just replace the entire theme without your settings being lost since they're stored in the database, which remains untouched.
Posted 1 year ago # -
Will I have to "purchase" the theme again?
Posted 1 year ago # -
No, all updates are free.
Posted 1 year ago # -
Well, for the time being then, I guess this is an issue for me to figure out with Themeforest, because I don't see any option on that site to download an 'update.' My only options appear to be downloading the old theme or purchasing the theme. There is no 'update' indicated anywhere... Can you verify that there is, in fact, an update there?
When I figure this first step out, I'll come back. Thanks.
Posted 1 year ago # -
BTW, when I download the 'previously purchased' theme, the files are identical to what I purchased in May, including the .rtf file. So it looks like maybe it hasn't been updated recently?
Posted 1 year ago # -
Hey,
sorry about that - I must have misread the dates of all the recently updated files. Recently a timthumb vulnerability has come up and it has been patched; it seems it wasn't for Habitat. I'll mail Kriesi about the fix.
Again, excuse me for the delay/misinformation.
Posted 1 year ago # -
Hey! Habitat no longer uses the timthumb script; it instead relies on the natural WordPress resizing. I would suggest simply deleting it from the theme folder. I will release an update next week for the themes that don't rely on it but have a copy of the file in the theme folder ;)
Posted 1 year ago # -
Hey guys, just to let you know: the timthumb.php is still in the theme version on Themeforest and it is definitely the old and hacked version, last updated on 17th of March 2011, before the fix. Please update ASAP.
Posted 1 year ago # -
Thanks for letting us know, I'll contact Kriesi about it.
Posted 1 year ago # -
Hi,
Our site has recently been hacked. Can I confirm with you that I can simply delete the timthumb.php file and this won't break anything? I am using Display and Newscast. Thanks!
Posted 1 year ago # -
You can delete timthumb.php for Newscast (if you're using the latest theme version). As far as I know Display requires timthumb, but the latest theme version (v.2.0.3) comes with the updated timthumb script, which is secure.
Posted 1 year ago #