TimThumb exploitable file

Discussion in 'NomNom Theme' started by Paul Anning, Mar 15, 2012.

  1. Paul Anning

    Paul Anning New Member

    First of all I have got to say that I love the NomNom theme. It's easily one of the best looking and easily customizable themes out there.

    Just a heads up. I recently got an email sent to me from a Host Company with the following information:


    Perhaps this information will be useful to you. I personally don't use the slider in the NomNom theme so I have simply deleted the timthumb.php file out of the nomnom-slider folder.

    Cheers again for all your great work.

    ATB, Paul
     
  2. Zeaks

    Zeaks Author Staff Member

    Thanks Paul, but the included Timthumb file had already been updated and the exploit fixed following the guide given by the author.

    This was the issue:
    PHP:
    define('ALLOW_EXTERNAL', false);
    $allowedSites = array(
        'flickr.com',
        'picasa.com',
        'img.youtube.com',
    );
    The file included with NomNom should show
    PHP:
    $allowedSites = array();
    The modified Timthumb version of the file included with NomNom was probably what your host noticed.
    You can read more about the fix here and compare it with the file. http://eyuva.com/2011/09/how-to-be-safe-with-timthumb-php.html
     
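As an added illustration of the two settings discussed in this thread (this is example code, not TimThumb's or NomNom's own code; the function name and the sample URLs are assumptions), the check below refuses every remote fetch while ALLOW_EXTERNAL is false, and when it is enabled it compares the URL's whole host against the list rather than looking for the allowed name anywhere in the string:

```php
<?php
// Added example, not TimThumb's own code. Constants mirror the NomNom config
// shown above; the function name is an assumption for illustration.
define('ALLOW_EXTERNAL', false);   // master switch, off in the shipped file
$allowedSites = array();           // empty list, as the shipped file shows

/**
 * Decide whether a remote image URL may be fetched.
 * Returns true only when external fetching is on AND the URL's host is
 * exactly an allowed host or a dot-separated subdomain of one.
 */
function externalFetchAllowed($url, $allowExternal, array $allowedSites)
{
    if (!$allowExternal) {
        return false;                      // switch off: never fetch remotely
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;                      // unparsable or relative URL
    }
    $scheme = strtolower(isset($parts['scheme']) ? $parts['scheme'] : '');
    if (!in_array($scheme, array('http', 'https'), true)) {
        return false;                      // only plain web schemes
    }
    $host = strtolower($parts['host']);
    foreach ($allowedSites as $site) {
        $site   = strtolower($site);
        $suffix = '.' . $site;
        // whole-host equality or a real subdomain; never a substring search
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs (not from the thread).
$remote = 'http://img.youtube.com/vi/abc/0.jpg';
// Shipped config: switch off, so nothing external is fetched.
assert(externalFetchAllowed($remote, ALLOW_EXTERNAL, $allowedSites) === false);
// Switch on with a list: the real subdomain passes...
assert(externalFetchAllowed($remote, true, array('youtube.com')) === true);
// ...but a host that merely contains the allowed name does not.
assert(externalFetchAllowed('http://youtube.com.example.net/a.jpg', true, array('youtube.com')) === false);
echo "all checks passed\n";
```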
  3. Paul Anning

    Paul Anning New Member

    Thank you, Zeaks!

    That's good news. I found it odd that there was something off with the theme when everything else in the theme is so great!

    Keep up the fantastic work and thank you again for the super-fast reply (and the great theme of course too).

    Cheers, Paul
     