We are turning on a new detection application that will crawl your WP install looking for insecure versions of the TimThumb script.
Why, you ask? Because we’ve found that blogs running older versions of TimThumb are far more susceptible to malware injection than blogs running at least version 2.8 of TimThumb.
What are we doing about it? We scan the files in your installation (themes, plugins, etc.) regularly. If we find an older, vulnerable version of TimThumb in your WordPress install, we replace it with the most recent version available (found here) and send you an email.
This helps make the world a safer place.
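Here is an added example of the kind of scan described above. It is written for this page and is not WP Engine’s actual scanner. It assumes that a copy of TimThumb declares define('VERSION', '2.8.x') near the top of the file (the 2.x releases do), and the 2.8.13 floor, the helper names and the throwaway directory it builds are placeholders. Copies are identified by content rather than file name, because bundled copies are often renamed, and versions are compared with version_compare() so a copy newer than the floor is never reported as vulnerable.

```php
<?php
// Added example, not WP Engine's code: find copies of TimThumb under a
// WordPress install and report those older than a minimum version.
declare(strict_types=1);

// Assumption: the floor this page calls "at least version 2.8"; adjust to taste.
const MINIMUM_SAFE_VERSION = '2.8.13';

/**
 * Return the VERSION a TimThumb file declares, or null if the file is not TimThumb.
 * Only the first 8 KiB is read; TimThumb puts its banner and VERSION there.
 */
function timthumbVersion(string $path): ?string
{
    $head = file_get_contents($path, false, null, 0, 8192);
    if ($head === false || stripos($head, 'timthumb') === false) {
        return null;
    }
    if (preg_match("/define\s*\(\s*'VERSION'\s*,\s*'([0-9][0-9.]*)'\s*\)/i", $head, $m)) {
        return $m[1];
    }
    return null; // mentions TimThumb but declares no version: not a 2.x copy
}

/**
 * Walk $root and return [path => version] for every copy below $minimum.
 */
function findVulnerableTimThumb(string $root, string $minimum): array
{
    $found = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $version = timthumbVersion($file->getPathname());
        // version_compare() understands 2.8.14 > 2.8.13.1; a string inequality does not.
        if ($version !== null && version_compare($version, $minimum, '<')) {
            $found[$file->getPathname()] = $version;
        }
    }
    return $found;
}

// Constructed demo tree (not a real install): one old copy, one current copy.
$root = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/themes/old-theme", 0700, true);
mkdir("$root/wp-content/plugins/new-plugin", 0700, true);
file_put_contents("$root/wp-content/themes/old-theme/thumb.php",
    "<?php\n/* TimThumb script created by Tim McDaniels and Darren Alawi */\ndefine ('VERSION', '2.8.10');\n");
file_put_contents("$root/wp-content/plugins/new-plugin/timthumb.php",
    "<?php\n/* TimThumb script created by Tim McDaniels and Darren Alawi */\ndefine ('VERSION', '2.8.14');\n");

foreach (findVulnerableTimThumb($root, MINIMUM_SAFE_VERSION) as $path => $version) {
    echo "vulnerable TimThumb $version: $path\n";
}
```

The scan reports; it does not replace. Only the renamed 2.8.10 copy in the demo tree is reported, and the 2.8.14 copy is left alone. If you do automate replacement, compare versions the same way before overwriting, keep a backup of the original file, and leave any timthumb-config.php beside it untouched, since that is where the site’s settings should live.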
What about my ALLOWED_SITES configuration?
My custom configurations got blown away. Replacing timthumb.php discards anything you edited directly into that file, so keep your settings outside of the actual timthumb script. Following the TimThumb instructions, this is done in a file called timthumb-config.php in the same directory as the timthumb script; TimThumb loads that file before applying its own defaults, so the constants and the $ALLOWED_SITES array you define there take effect. One caveat: defining ALLOW_ALL_EXTERNAL_SITES as true makes TimThumb skip the ALLOWED_SITES check entirely. If you want the list enforced, turn on remote fetching with ALLOW_EXTERNAL and leave ALLOW_ALL_EXTERNAL_SITES false.
1) Create a file called timthumb-config.php in the same directory as the timthumb script.
2) Define ALLOW_EXTERNAL in that file as true, and leave ALLOW_ALL_EXTERNAL_SITES at false.
3) Create and populate an $ALLOWED_SITES array with the hosts you want to allow, like this:
<?php
// timthumb-config.php: hosts TimThumb may fetch images from
$ALLOWED_SITES = array (
    'flickr.com',
    'staticflickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
    'imgur.com',
    'imageshack.us',
    'tinypic.com',
    'last.fm'
);
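As an added example (not TimThumb’s own file and not from this post), here is a complete timthumb-config.php showing the weak setting next to the corrected one, plus a small function that reproduces how TimThumb 2.8.x decides whether a host is on the list (exact host or a subdomain of a listed site). The function is modeled on that behaviour, not copied from TimThumb; its name, the cdn.example.com entry and the self-check at the bottom are assumptions made for this example.

```php
<?php
// timthumb-config.php (added example). TimThumb reads this file from its own
// directory before applying its defaults; any constant not defined here keeps
// TimThumb's built-in value.

// WEAK: accepts any external host and makes $ALLOWED_SITES irrelevant.
// define('ALLOW_ALL_EXTERNAL_SITES', true);

// Corrected: allow remote fetching, but only from hosts on the list below.
define('ALLOW_EXTERNAL', true);
define('ALLOW_ALL_EXTERNAL_SITES', false);

$ALLOWED_SITES = array(
    'flickr.com',
    'staticflickr.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'cdn.example.com',   // assumption: a placeholder for your own image host
);

/**
 * Decide whether $host may be fetched: exact match or subdomain of a listed
 * site, the way TimThumb 2.8.x matches. Modeled on that logic, not taken
 * from it. A plain substring test would wrongly accept "flickr.com.evil.example".
 */
function hostIsAllowed(string $host, array $allowedSites, bool $allowAll): bool
{
    if ($allowAll) {
        return true;            // the list is never consulted in this mode
    }
    $host = strtolower($host);
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site || substr($host, -strlen(".$site")) === ".$site") {
            return true;
        }
    }
    return false;
}

// Self-check: runs only when this file is executed directly from the command
// line, never when timthumb.php includes it while serving an image.
if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    $probe = ['farm1.staticflickr.com', 'flickr.com.evil.example', 'evil.example'];
    foreach ($probe as $h) {
        printf("%-26s %s\n", $h,
            hostIsAllowed($h, $ALLOWED_SITES, ALLOW_ALL_EXTERNAL_SITES) ? 'allowed' : 'blocked');
    }
}
```

Run `php timthumb-config.php` to see which probe hosts pass with the current list: the Flickr subdomain is allowed, the other two are blocked. Flip ALLOW_ALL_EXTERNAL_SITES to true and every host is allowed, which is why that constant should stay false on any site that accepts image URLs from visitors.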
Johann says
Just finished moving to WP Engine and I can already see the difference in support and reliability.
Thanks for the update guys.
Keep up the good work!
-Johann
Richard says
It’s service like this that makes me a happy camper; I would never have found this vulnerability.
Acting Australia
Tim Daniels says
So I’ve just received notification that you have replaced my version automatically.
Found version 2.8.14 … Replaced with 2.8.13.1
Is there a reason why you have downgraded my version?
Or am I missing something?
Thanks.
Jon says
Same here. They downgraded my version to an older, less secure one. No wonder, as the googlecode.com link mentioned above is dead. The WPEngine “upgrade” script must look for anything that is not version “2.8.13.1” and replace it, **without actually checking** for more recent versions.
Dumb! Thanks for nothing!
Jon says
The version included with the plugin “Justified Image Grid” is 2.8.14 and includes several additional security fixes. The WPEngine “Auto-replace” re-introduces security flaws that version 2.8.14 removes (I just looked through the actual source code of both versions with WinMerge to highlight all differences and can confirm that the WPEngine version is less secure, as well as breaking the “Justified Image Grid” plugin).
Also, the most recent version of TimThumb is here, and has no security issues:
https://github.com/tacnoman/thumcno
Jon says
Same here. They downgraded my version to an older, less secure one. No wonder, as the googlecode.com link mentioned above is dead. The WPEngine “upgrade” script must look for anything that is not version “2.8.13.1” and replace it, **without actually checking** for more recent versions. This is a very bad idea.
The version included with the plugin “Justified Image Grid” is 2.8.14 and includes several additional security fixes. The WPEngine “Auto-replace” re-introduces security flaws that version 2.8.14 removes (I just looked through the actual source code of both versions with WinMerge to highlight all differences and can confirm that the WPEngine version is less secure, as well as breaking the “Justified Image Grid” plugin).
Also, the most recent version of TimThumb is here, and has no security issues:
https://github.com/tacnoman/thumcno
P.S. WPEngine Moderators:
Please respond to this serious problem with your auto-update feature, instead of deleting my very informational comment to you (as you just did).