WordPress.org

Forums

Shortcodes Ultimate
[resolved] Make timthumb optional (5 posts)

  1. vadaprime
    Member
    Posted 2 years ago #

    Great plugin. My first request is in regard to timthumb.

    I've been able to patch the code to not use timthumb and the results are pretty clean. I think timthumb should be optional and the following strategy should be used instead in images.php:

    $src = wp_get_attachment_image_src(get_post_thumbnail_id($attachment->ID), array($width, $height));

    $thumbnail = $src[0];

    This works well for me since my theme has a lot of different thumbnail sizes registered. The result is a lot less resources being used and better security.

    Also, in the Google Maps shortcode, is there a way to support passing in a manual name for the address?

    Thanks,

    Vada

    http://wordpress.org/extend/plugins/shortcodes-ultimate/

  2. jeeni
    Member
    Posted 2 years ago #

    I agree - I've been just manually disabling the timthumb.php every time I upgrade this plugin because a couple of my sites have been hacked through timthumb.

    It would be super-nice if timthumb weren't in the mix with this plugin.

  3. Vladimir Anokhin
    Member
    Plugin Author

    Posted 2 years ago #

    Unfortunately, I don't have this in the plans.

    At this moment the gmap shortcode already supports manual addresses. Hope I understand you correctly.

  4. jeeni
    Member
    Posted 2 years ago #

    I'm sorry to hear that.

    Because my sites and my client's sites were hacked by a trojan through Timthumb, I've been manually deleting the timthumb.php file in your excellent plugin:

    http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

    (Specifically check out the text below the heading "Full post:" about halfway down the story.)

    ---

    I thought removing all external sites would fix the problem but that did not. The hacker(s) were manually linking to the timthumb.php file and uploading php files to a cache folder. Then they accessed that file and opened my server up for exploit, loading encrypted base 64 code somewhat randomly throughout.

    It's a bit of a pain in the neck to remember to delete the file - especially easy to forget when upgrading. One night I installed your plugin on a fresh site and forgot to delete timthumb.php. The next day, I was getting a screen similar to this when navigating to the basically empty/twentyeleven site install:

    http://www.websitedefender.com/wp-content/uploads/2012/04/malware-google-image.jpg

    So, I will continue to be diligent about deleting timthumb.php.

  5. momofone
    Member
    Posted 2 years ago #

    @vadaprime

    Please could you post your images.php to pastebin and post the link?

    Thx.
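
Post 4 describes forgetting to delete timthumb.php after an upgrade and PHP files being uploaded to a cache folder. The Python check below is an added example, not code from this thread or from the plugin: it walks a wp-content tree and lists both conditions for review. The `timthumb.php` file name match, the `cache` directory name and every sample path are assumptions.

```python
import os
import tempfile


def scan(root, script_names=("timthumb.php",), cache_dirs=("cache",)):
    """Walk root; return (script copies, PHP files inside cache folders)."""
    scripts, php_in_cache = [], []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).lower().split(os.sep)
        in_cache = any(part in cache_dirs for part in parts)
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower() in script_names:
                scripts.append(rel)        # bundled copy is back on disk
            elif in_cache and name.lower().endswith(".php"):
                php_in_cache.append(rel)   # PHP where only images belong
    return sorted(scripts), sorted(php_in_cache)


def build_sample_tree(root):
    """Constructed wp-content layout; every path here is made up."""
    sample = [
        ("plugins", "example-plugin", "lib", "timthumb.php"),
        ("plugins", "example-plugin", "lib", "cache", "a1b2c3.php"),
        ("plugins", "example-plugin", "lib", "cache", "a1b2c3.jpg"),
        ("themes", "twentyeleven", "index.php"),
    ]
    for parts in sample:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")  # empty placeholder file


def demo():
    """Run the scan over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    found_scripts, found_php = demo()
    for path in found_scripts:
        print("timthumb copy:", path)
    for path in found_php:
        print("PHP in cache folder:", path)
```

Run after each plugin or theme upgrade by calling `scan()` on the real wp-content path. Some caching plugins keep their own PHP files in a cache directory, so treat the second list as items to review rather than confirmed compromises.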

This topic has been closed to new replies.
