WordPress.org

User Avatar
Uses malware-vulnerable version of timthumb/uploadify (4 posts)

  1. magicke
    Member
    Posted 2 years ago

    Any updates to this plugin?

    It uses a modified(?) timthumb or uploadify script that's used by some haxors as a backdoor for malware insertions to WP sites.

    Identified user-avatar-pic.php as file that needs to be updated, at least.

    http://wordpress.org/extend/plugins/user-avatar/

  2. enej
    Member
    Plugin Contributor
    Posted 2 years ago

    Hi Magicke

    The timthumb file was modified so that it doesn't accept external files, which was what caused the malware attacks. It doesn't even use the src parameter that regular timthumb uses; instead it uses an ID GET parameter to generate the URL to the user-uploaded image.

    The timthumb vulnerability scan is a great tool and I think everyone should use it, however it doesn't detect. I will be working on a fix for this, but for now you don't have to worry about user-avatars.
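A defender-side check for the concern raised in this thread, added here as an example (not the plugin's code and not anything the posters shared): a small Python scanner that finds TimThumb copies under a WordPress tree even when a plugin ships them under its own file name, reads their VERSION constant, and flags copies older than 2.0 (the release that stopped fetching arbitrary external URLs) or that still read the `src` request parameter rather than an ID. The signature regexes, the version threshold and the sample files written into a temporary directory are assumptions constructed for this demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristics assumed for this example: a TimThumb copy names itself in a comment, declares
# a VERSION constant, and the legacy design reads the image location from the "src" parameter.
NAME_RE = re.compile(r"timthumb", re.IGNORECASE)
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")
SRC_RE = re.compile(r"\$_(GET|REQUEST)\s*\[\s*['\"]src['\"]\s*\]")
MIN_SAFE = (2, 0)  # 2.0 is the release that stopped fetching arbitrary external URLs

def scan_file(path):
    """Return a finding for one PHP file, or None if it does not look like TimThumb."""
    text = Path(path).read_text(errors="replace")
    if not NAME_RE.search(text):
        return None
    m = VERSION_RE.search(text)
    version = m.group(1) if m else None
    parsed = tuple(int(p) for p in version.split(".")) if version else None
    return {
        "file": str(path),
        "version": version,
        "outdated": parsed is not None and parsed < MIN_SAFE,
        "reads_src_param": bool(SRC_RE.search(text)),
    }

def scan_tree(root):
    """Walk a WordPress tree, matching on file content rather than on the name timthumb.php."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                finding = scan_file(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["file"])

def demo():
    """Constructed sample tree: a legacy copy, an ID-based rewrite and an unrelated file."""
    plugins = Path(tempfile.mkdtemp(), "wp-content", "plugins")
    (plugins / "old").mkdir(parents=True)
    (plugins / "avatar").mkdir()
    (plugins / "old" / "thumb.php").write_text(
        "<?php\n// TimThumb script\ndefine ('VERSION', '1.33');\n$src = $_GET['src'];\n")
    (plugins / "avatar" / "user-avatar-pic.php").write_text(
        "<?php\n// based on timthumb\ndefine ('VERSION', '2.8.10');\n$id = (int) $_GET['id'];\n")
    (plugins / "avatar" / "index.php").write_text("<?php // unrelated\n")
    return scan_tree(plugins.parents[1])
```

Run `demo()` to see the two findings; the legacy copy is reported as both outdated and reading `src`, while the ID-based file is reported only as a TimThumb derivative.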

  3. magicke
    Member
    Posted 2 years ago

    Thanks for the update on this enejb.

    With the (still) ongoing problems caused by the timthumb vulnerability and its aftermath of code fragments and other artifacts, we'd been a bit paranoid about any suspicious file reported by the scanners we've been using.

    (Which isn't much, considering a lot of us don't work for some large corp that can afford the licensing fees charged by providers of these heavy-duty scanning apps, systems and services.)

  4. enej
    Member
    Plugin Contributor
    Posted 2 years ago

    Hi Magicke
    I just wanted to let you know that the new version 1.4 and up shouldn't have issues with this; it uses the latest version of timthumb.

    Cheers

Topic Closed

This topic has been closed to new replies.