WordPress.org

Forums

WordPress Popular Posts
[resolved] cross site scripting bug (2 posts)

  1. wojboj
    Member
    Posted 3 years ago #

    timthumb.php does not properly escape results when it fails to find file from argument.

    it's just:
    function displayError($errorString = '') {
    header('HTTP/1.1 400 Bad Request');
    - die($errorString);
    + die(htmlspecialchars($errorString));
    }

    why nobody fixes that?

    http://forums.cnet.com/7726-6132_102-5070628.html

  2. Héctor Cabrera
    Member
    Plugin Author

    Posted 3 years ago #

    Hi wojboj,

    Currently, WordPress Popular Posts has dropped support for timThumb because of its security issues. My plugin now relies on WordPress' Post Thumbnail feature to retrieve the images.

    If you still want to use TimThumb, I'd suggest you to update the script that my plugin uses with the latest version (you can find it here: http://code.google.com/p/timthumb/) and do not upgrade to WordPress Popular Posts v.2.1.5.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • WordPress Popular Posts
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic