TimThumb Vulnerability

resolved (14 posts) (5 voices)

  1. markb1439
    Member

    As you may know, a major vulnerability has been found in the TimThumb image resizing script.

    Do you plan to modify your themes to either remove TimThumb or patch the vulnerability?

    Thanks,

    Mark

    Posted 9 months ago #
  2. Elliott
    Support

    Hello markb1439,

    I'm not aware of the TimThumb vulnerability, do you have a link?

In our latest updates we have added WordPress image resizing. Navigate to Dashboard -> your theme -> Image Resizing to switch between the two.

    Posted 9 months ago #
  3. Elliott
    Support

    Hey markb1439,

A member of our team came across it on themeforest. For now, switch to WordPress image resizing as explained above and delete the following from your server:

    /wp-content/themes/[your_theme]/lib/scripts/thumb.php

    We'll get together with our devs to see what the best course of action would be.

    Posted 9 months ago #
  4. markb1439
    Member

    Thanks. We are able to switch to WordPress resizing easily, however we want to include some of the themes on a multisite installation. How can we force that option to be set to WordPress resizing by default? It seems to default to TimThumb.

    Thanks for the great themes and great support!

    Mark

    Posted 9 months ago #
  5. Elliott
    Support

It is kind of complex, markb1439, but what you'll want to do is set up all of your options however you want the new sites to use them and then click on the "advanced" tab. In the "export" field you'll see a bunch of jumbled up code.

You'll want to copy this code and open up /wp-content/themes/[your_theme]/lib/admin/functions/core.php, and on line 464 you should see this:

    $default_options = '7VpLj9s4Ev4rBAbIyWNb8t continues to infinity and beyond...

    You'll want to paste the code that you copied inside that variable and when you reset your options or create a new site your options will load instead.

You may also want to open up /wp-content/themes/[your_theme]/lib/admin/options/mysite-options.php and delete line 295:

    'timthumb' => __( 'Timthumb', MYSITE_ADMIN_TEXTDOMAIN )

so the users cannot select timthumb anymore. If you delete thumb.php as explained in the previous posts then it won't load regardless, but this will make sure your users do not mess up the image resizing by clicking that option.

    Posted 9 months ago #
  6. avatar12
    Member

    I followed the instructions given over on woothemes to make timthumb more secure. Essentially it involves copying over the newest version and then disabling external sites. Took about 2 minutes to do.

    http://www.woothemes.com/2011/08/timthumb-security-flaw-patch/

    Posted 9 months ago #
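The two fixes suggested in this thread (delete thumb.php outright, or drop in the newest TimThumb and disable external sites) are easy to apply to one theme and easy to miss on a multisite install with several themes. The following is an added example, not code from the thread or from the theme vendor: a POSIX shell audit that walks a wp-content tree, finds every copy named thumb.php or timthumb.php, and reports the VERSION constant and the ALLOW_EXTERNAL setting each one defines. The helper names, the sample directory layout and the two stub files it creates are all constructed for the demo; the VERSION and ALLOW_EXTERNAL constant names are the ones TimThumb's own source defines, and any copy with no ALLOW_EXTERNAL line at all is reported as "unknown" so that older copies do not pass silently.

```shell
#!/bin/sh
# Added example (not from the thread or the theme vendor): audit a WordPress
# tree for TimThumb copies and report their version and external-source setting.
# Function names and the demo directory layout are assumptions made for this example.

# Print one line per file: "<path> <version> <external>"; external is yes, no or unknown.
timthumb_status() {
  f="$1"
  # TimThumb declares its version as: define ('VERSION', '...');
  ver=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
  [ -n "$ver" ] || ver=unknown
  # Newer copies declare: define ('ALLOW_EXTERNAL', TRUE|FALSE);
  ext=$(sed -n "s/.*define *( *'ALLOW_EXTERNAL' *, *\([a-zA-Z]*\).*/\1/p" "$f" | head -n 1)
  case "$ext" in
    true|TRUE|True) ext=yes ;;
    false|FALSE|False) ext=no ;;
    *) ext=unknown ;;   # no switch present: treat as not hardened
  esac
  printf '%s %s %s\n' "$f" "$ver" "$ext"
}

# Walk a directory (normally wp-content) and report every TimThumb copy found.
timthumb_audit() {
  find "$1" -type f \( -name thumb.php -o -name timthumb.php \) | sort | while read -r f; do
    timthumb_status "$f"
  done
}

# Demo on a constructed tree: one stand-in for an older copy with no external-site
# switch, one stand-in for an updated copy with external sources disabled.
timthumb_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/themes/oldtheme/lib/scripts" "$d/themes/newtheme/lib/scripts"
  printf "<?php\ndefine ('VERSION', '1.09');\n" \
    > "$d/themes/oldtheme/lib/scripts/thumb.php"
  printf "<?php\ndefine ('VERSION', '2.8.2');\ndefine ('ALLOW_EXTERNAL', FALSE);\n" \
    > "$d/themes/newtheme/lib/scripts/thumb.php"
  timthumb_audit "$d" | sed "s|^$d/||"   # strip the temp prefix for readable output
  rm -rf "$d"
}

# Run the demo when executed directly; on a real site call:
#   timthumb_audit /path/to/wp-content
[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || timthumb_demo
```

Any line ending in "unknown" is a copy that predates the ALLOW_EXTERNAL switch and should be replaced or deleted; a line ending in "yes" is a copy that still fetches remote images and should be switched to FALSE unless the site genuinely needs it. The script only reads files, so it is safe to run across every site on a multisite install before deciding which themes still ship thumb.php.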
  7. markb1439
    Member

    Thank you. Wow, that is complex! So there is not a variable somewhere that I can just set that one option, right?

    If not, I will try the method you suggested.

    Posted 9 months ago #
  8. mytzlplik
    Member

    Is it safe to simply overwrite the old thumb.php with the one in the new version of Awake if running a pre v2 version of Awake?
    ie. I am running v1.x

    Posted 9 months ago #
  9. Elliott
    Support

    Forgot to update this thread, we had an update two days ago, version "2.3" for awake and infocus and version "1.3" for all our new themes which fixes this.

    @mytzlplik, yes this is safe. See here, http://mysitemyway.com/support/topic/changing-fancy-box-size#post-25271.

    Posted 9 months ago #
  10. Do you have a theme update email distribution list for which I can sign up? We need to have notices proactively pushed our way, especially when security fixes are involved.

Would be great if you would add theme updating within WordPress into your framework. The approach StudioPress.com takes is the best we've yet seen.

    Please advise.

    Posted 9 months ago #
  11. Elliott
    Support

    Hello heartcore,

    You can subscribe to our blog feed, http://mysitemyway.com/feed/, where we post announcements, new skins, and updates.

    Thanks for the suggestion, we'll look into it.

    Posted 9 months ago #
  12. Thanks, Elliott. I'm subscribed now.

    Please seriously consider upgrading your standard WordPress feed to Google's free Feedburner service. That way, customers like myself could subscribe and be auto-pushed email updates of new blog posts for zero extra work on your end.

    Posted 9 months ago #
  13. markb1439
    Member

There is a newer version of TimThumb (2.0, created by Ben Gillbanks and the person that found the original vulnerability). Are you going to update the themes with that, or should it be a drop-in replacement if we want to?

    Thanks,

    Mark

    Posted 9 months ago #
  14. Elliott
    Support

    Hello markb1439,

If you're using Awake 1.3, the one I linked to here, http://mysitemyway.com/support/topic/changing-fancy-box-size#post-25271, should be the latest. If you want to use another version you should be able to just drag and drop it into the /lib/scripts/ directory and rename it to thumb.php.

If you're using 2.3 then you're already using the latest version.

    Posted 9 months ago #
