Shortcodes Ultimate
[resolved] SECURITY FLAW (TimThumb exploit) (10 posts)

  1. pbosakov
    Member
    Posted 4 months ago #

    This plugin ships with an outdated version of the timthumb.php script, which has a serious security vulnerability. Please update timthumb.php to the newest available version.

    File to replace: lib/timthumb.php
    New version available here: http://timthumb.googlecode.com/svn/trunk/timthumb.php

    http://wordpress.org/extend/plugins/shortcodes-ultimate/

  2. Mark (podz)
    Support Maven
    Posted 4 months ago #

    Did you email the author to let them know or just post here?

  3. pbosakov
    Member
    Posted 4 months ago #

    The author seems to be actively monitoring this forum, so I'm sure he'll see it. I wasn't able to find any other contact info.

  4. Mark (podz)
    Support Maven
    Posted 4 months ago #

    I have also emailed them so it should be addressed soon.

  5. gn_themes
    Member
    Posted 4 months ago #

    Hi all.

    No need to use my email for these reasons, it's only for translators.

    The timthumb script, included in the plugin, was updated in 3.2.1 and is now safe.

    http://wordpress.org/support/topic/plugin-shortcodes-ultimate-this-plugin-is-on-the-list-of-hacks-1?replies=5

  6. pbosakov
    Member
    Posted 4 months ago #

    The current version uses TimThumb 2.8, which is better than the older versions, but still not 100% safe. I'd recommend upgrading to the newest one :-)

    http://code.google.com/p/timthumb/issues/detail?id=273

  7. gn_themes
    Member
    Posted 3 months ago #

    Ok, thanks for the report. I'll put it on the TODO list.

  8. lindebjerg
    Member
    Posted 3 months ago #

    Why must I read this before posting? It has cost me a LOT of trouble. I want people to be safe using plugins, NOT LIKE THIS! If it's still OUTDATED it is STILL NOT SAFE!
    My site is now BLACKLISTED because of this plugin. Everyone must have the right to know about the risk of using an OUTDATED PLUGIN!

  9. gn_themes
    Member
    Posted 3 months ago #

    You can just not use this plugin and have no problems.

    PS - I do it absolutely free, and will be grateful for the friendly chat

  10. wowmediakft
    Member
    Posted 3 months ago #

    Hi!

    @gn_themes: first of all, thank you for the great plugin. I truly believe this is a nice tool for WP and I am grateful to you for dedicating your time to developing this for the community.
    Having said that, I had emailed you a long time ago about the timthumb vulnerability (which I unfortunately found out about the hard way, as one of the sites I managed got hacked) and never received a reply.

    It should not be so hard to keep up to date with this issue, which has been known for months as a security flaw.

    Currently, you're using v2.8.5, which should be safe (versions prior to 2.8.2 are considered not safe), but the latest version is 2.8.9 and it seems to run without issues with Shortcodes Ultimate.

    At any rate, a free plugin is available that scans for the timthumb library (there could be multiple copies in case there is more than one plugin using it) and can also automatically upgrade it to the latest version. You can search the repository for "Timthumb scanner".

    Hope this helps.
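The inventory step described in the post above (find every copy of the TimThumb library in a WordPress tree, since several plugins or themes may each ship their own, and flag the ones older than 2.8.2) can be scripted without installing a plugin. The following is an added example written for this thread, not code from Shortcodes Ultimate or from the scanner plugin mentioned. It assumes that each copy of the library declares its version near the top of the file as `define ('VERSION', '2.8.5');` and that the file header mentions "TimThumb"; the sample files it creates are constructed for the demonstration.

```python
"""Find every copy of the TimThumb library under a WordPress tree and flag
outdated ones. Added example for this thread; not the plugin's own code."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# The thread states that versions prior to 2.8.2 are considered not safe.
MIN_SAFE_VERSION = "2.8.2"

# Assumption: timthumb.php declares its version as  define ('VERSION', '2.8.5');
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9][0-9.]*)['"]\s*\)"""
)


def parse_version(text: str) -> Optional[str]:
    """Return the declared VERSION string, or None if no such define is present."""
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.8.5' -> (2, 8, 5) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(version: Optional[str], minimum: str = MIN_SAFE_VERSION) -> bool:
    """A copy whose version cannot be read is treated as outdated: it cannot be shown safe."""
    if version is None:
        return True
    return version_tuple(version) < version_tuple(minimum)


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root, identify TimThumb copies by their header (not just the file name),
    and report path, declared version and whether it is below the safe minimum."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(4096)  # the signature and VERSION define sit near the top
            # Assumption: the library header mentions "TimThumb"; renamed copies
            # (e.g. thumb.php) are still caught, unrelated timthumb.php files are not.
            if "timthumb" not in head.lower():
                continue
            version = parse_version(head)
            findings.append({
                "path": os.path.relpath(path, root),
                "version": version,
                "outdated": is_outdated(version),
            })
    return sorted(findings, key=lambda f: str(f["path"]))


def build_demo_tree() -> str:
    """Create a throwaway directory holding constructed sample files for the demo."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    samples = {
        # Constructed: a current copy in a plugin's lib directory.
        "plugins/shortcodes-ultimate/lib/timthumb.php":
            "<?php\n/* TimThumb script (constructed sample) */\ndefine ('VERSION', '2.8.5');\n",
        # Constructed: an old copy a theme shipped under a different name.
        "themes/old-theme/thumb.php":
            "<?php\n/* TimThumb script (constructed sample, renamed copy) */\ndefine ('VERSION', '2.8');\n",
        # Constructed: shares the file name but is not TimThumb; must be ignored.
        "plugins/other/timthumb.php":
            "<?php\n// unrelated file that merely shares the name\necho 'hello';\n",
        "plugins/other/index.php": "<?php\n// silence is golden\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    wp_root = build_demo_tree()
    for finding in scan_tree(wp_root):
        status = "OUTDATED" if finding["outdated"] else "ok"
        print(f"{status:8} {finding['version'] or 'unknown':8} {finding['path']}")
```

Run it against a real install by replacing `build_demo_tree()` with the path of `wp-content`; anything reported as OUTDATED (or with an unreadable version) is a copy to update or remove, and the list itself is worth keeping, because a copy fixed in one plugin says nothing about the copies other plugins or themes ship.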
