Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Enej Bajgorić

    (@enej)

    Hi Magicke

    The timthumb file was modified so that it doesn’t accept external files, which was the cause of the malware attacks. It doesn’t even use the src parameter that regular timthumb uses; instead it uses an ID GET parameter to generate the URL to the user-uploaded image.

    The timthumb vulnerability scan is a great tool and I think everyone should use it, however it doesn’t detect. I will be working on a fix for this, but for now you don’t have to worry about user-avatars.
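
An added example, not part of the reply above and not the plugin's own code: one way to serve an image by numeric ID instead of a caller-supplied `src` URL, as the reply describes. The function name, the `<id>.jpg` file layout and the uploads directory are assumptions made for illustration.

```php
<?php
// Added illustration; not the User Avatar plugin's code. All names are hypothetical.

/**
 * Resolve a numeric avatar ID to a file inside the uploads directory.
 * Returns the absolute path, or null if the request must be rejected.
 */
function resolve_avatar_path(array $query, string $uploadsDir): ?string
{
    // Accept only a plain positive integer: no URLs, paths or hostnames.
    $raw = $query['id'] ?? '';
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;
    }
    // The server builds the location itself; the client never supplies it.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $raw . '.jpg');
    if ($candidate === false) {
        return null; // no such upload
    }
    // Second check: the resolved path must still sit under the uploads directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary uploads directory holding one avatar.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatar_demo_' . getmypid();
mkdir($uploads);
file_put_contents($uploads . DIRECTORY_SEPARATOR . '42.jpg', 'constructed image bytes');

$requests = [
    ['id' => '42'],                                // existing upload
    ['id' => '7'],                                 // no such upload
    ['id' => 'http://example.invalid/a.jpg'],      // external URL is not an integer
    ['src' => 'http://example.invalid/a.jpg'],     // src is never read
];
foreach ($requests as $q) {
    $path = resolve_avatar_path($q, $uploads);
    echo json_encode($q, JSON_UNESCAPED_SLASHES), ' => ',
        $path === null ? 'rejected' : 'served', PHP_EOL;
}

unlink($uploads . DIRECTORY_SEPARATOR . '42.jpg');
rmdir($uploads);
```

Only the first request is served; the other three are rejected before any file or network access happens.
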

    Thread Starter magicke

    (@magicke)

    Thanks for the update on this enejb.

    With the (still) ongoing problems caused by the timthumb vulnerability and its aftermath of code fragments and other artifacts, we’d been a bit paranoid about any suspicious file reported by the scanners we’ve been using.

    (Which isn’t much, considering a lot of us don’t work for some large corp that can afford the licensing fees charged by providers of these heavy-duty scanning apps, systems and services.)

    Plugin Contributor Enej Bajgorić

    (@enej)

    Hi Magicke
    I just wanted to let you know that the new version 1.4 and up shouldn’t have issues with this; it uses the latest version of timthumb.

    Cheers

  • The topic ‘[Plugin: User Avatar] Uses malware-vulnerable version of timthumb/uploadify’ is closed to new replies.