A security vulnerability in the TimThumb image-resizing script was recently brought to light. It is exploited through TimThumb's webshots feature (still in beta) to gain unauthorised access to a website running TimThumb.
TimThumb, bundled into our WooFramework, is a script we keep a close eye on to ensure it stays safe and secure for you, our customers. We are working through the steps to remove TimThumb from our framework, but the script is currently still present in the WooFramework.
How to stay safe
By default, the webshots feature is disabled. This means that, unless you (or a developer working on your site) specifically enabled the feature in code by defining WEBSHOT_ENABLED as true, your website is not vulnerable to this exploit.
As your website’s safety and security is of paramount importance to us, we’d like to provide a few extra tips for further safeguarding your website against this particular exploit.
Please ensure that your wp-config.php file contains the following line (with plain, straight single quotes):
define ('WEBSHOT_ENABLED', false);
This ensures that the webshots feature in TimThumb is disabled. Two points worth checking alongside it: TimThumb applies its own default only when the constant has not already been defined, so the line takes effect only if wp-config.php has been loaded before TimThumb runs; copies of TimThumb that are requested directly read a sibling timthumb-config.php instead, so also confirm that no timthumb.php or timthumb-config.php in your theme or plugins defines WEBSHOT_ENABLED as true.
Please note that this is a safeguard and is not required for your website to function.
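The check described above, as an added example that is not part of the original post or of the WooFramework: a small POSIX shell script that locates every copy of TimThumb under a WordPress install (recognised by the WEBSHOT_ENABLED constant, which only TimThumb builds with the webshot feature carry) and reports the effective setting for each. It assumes TimThumb is requested directly, so the sibling timthumb-config.php, not wp-config.php, is what decides; the directory layout, theme and plugin names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for TimThumb copies with webshots on.
# Not code from the WooThemes post or from TimThumb itself.

# define('WEBSHOT_ENABLED', true|false), tolerant of spacing and quote style.
DEF_TRUE="define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*true"
DEF_FALSE="define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,[[:space:]]*false"

# webshot_status FILE: enabled / disabled / unset for one PHP file.
# The guarded default in timthumb.php ("if(! defined(...)) define(..., false)")
# is reported as "disabled" because only the define() call is matched.
webshot_status() {
  if grep -Eiq "$DEF_TRUE" "$1" 2>/dev/null; then
    echo enabled
  elif grep -Eiq "$DEF_FALSE" "$1" 2>/dev/null; then
    echo disabled
  else
    echo unset
  fi
}

# effective_status TIMTHUMB_PHP: the value that wins at runtime. TimThumb
# includes a sibling timthumb-config.php before its own guarded default, and
# in PHP the first define() of a constant wins, so a setting there overrides
# whatever timthumb.php declares.
effective_status() {
  cfg="$(dirname "$1")/timthumb-config.php"
  if [ -f "$cfg" ]; then
    s=$(webshot_status "$cfg")
    if [ "$s" != unset ]; then echo "$s"; return; fi
  fi
  webshot_status "$1"
}

# scan_wordpress ROOT: one "status<TAB>path" line per TimThumb copy.
# Config files and wp-config.php mention the constant but are not copies.
scan_wordpress() {
  find "$1" -name '*.php' -exec grep -l 'WEBSHOT_ENABLED' {} + 2>/dev/null |
    grep -v -e '/timthumb-config\.php$' -e '/wp-config\.php$' |
    while IFS= read -r f; do
      printf '%s\t%s\n' "$(effective_status "$f")" "$f"
    done
}

# count_enabled ROOT: number of copies whose webshots feature is on.
count_enabled() {
  scan_wordpress "$1" | grep -c '^enabled' || :
}

# Constructed sample tree (not a real site): a theme shipping the stock
# guarded default, a theme whose timthumb-config.php switched webshots on,
# and a plugin whose timthumb.php hardcodes it on.
demo_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/alpha/functions" \
           "$root/wp-content/themes/beta" \
           "$root/wp-content/plugins/gallery"
  stock="<?php
if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);
"
  printf '%s' "$stock" > "$root/wp-content/themes/alpha/functions/thumb.php"
  printf '%s' "$stock" > "$root/wp-content/themes/beta/timthumb.php"
  printf "<?php\ndefine('WEBSHOT_ENABLED', true);\n" \
    > "$root/wp-content/themes/beta/timthumb-config.php"
  printf "<?php\ndefine (\"WEBSHOT_ENABLED\", true);\n" \
    > "$root/wp-content/plugins/gallery/timthumb.php"
  echo "$root"
}

site=$(demo_site)
scan_wordpress "$site"
echo "copies with webshots enabled: $(count_enabled "$site")"
rm -rf "$site"
```

Run it against a real install with `scan_wordpress /var/www/html` (path assumed); any line starting with `enabled` is a copy to fix, and a copy with no timthumb-config.php that still reports `enabled` has the constant hardcoded in timthumb.php itself.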
Stay safe, everyone.
Note that if you copy the code above it will contain curly single quotes, which will not work. The quotes around WEBSHOT_ENABLED need to be changed to regular single quotes.
Thanks for pointing that out. I’ve updated the code inside the blog post to remedy this. 🙂
I can’t believe you’re still using TimThumb.
http://dl.dropbox.com/u/144582/Screenshots/p_.png
You’re putting your customers in danger for such an unimportant feature—one fairly well replaceable by built-in WordPress functions: http://wpengine.com/2011/06/13/how-to-avoid-the-timthumb-script/
Hi Jason,
I’ve made a note in the blog post that we’re looking to remove it from our Framework.
We’re hoping to have this removed in the next big code sprint following WooFramework 6.0. 🙂
Are you guys still making themes?? The last release was in February???
ok, I see one was released in April as well… so yeah…
We are, just at a slower pace. We're no longer committing to doing one new theme a month. Instead we're taking our time on new themes and, as you've seen, have completely redone an existing theme. Spectrum was completely redone to bring it up to par with what a modern theme should be. 🙂
Our goal is to have a smaller theme catalogue but all those themes in there should be robust, modern, and as flexible as possible.
When I signed up you sold me 3 themes per month… gradually that has been whittled down, first to two, but Magnus told me it would usually be 3, then to two for sure… then down to one, but I was assured that was the last cut… now you are basically telling us, "hey, you pay your monthly subscription (yes, I realize you gave us a free year) every month on top of the big chunk that you paid when you initially purchased your developer club membership… but we're not going to commit to providing you anything for that monthly fee… so, just keep paying that and we will give you whatever we feel like." What have I been paying for every month for over 5 YEARS?? Eventually my cost/value lines will intersect and cross to a point where I would have been better off just buying each theme individually as I needed it instead of paying for my membership… but guess what, at that point I can't change that, because if I stop paying my monthly fee I lose access… so I am essentially stuck paying every month just so I don't throw every $ I have given you guys away completely. You can't make a commitment and then un-make it… that isn't how that works… would you guys benefit from a definition of the word commitment??
com·mit·ment [kuh-mit-muhnt]
noun
1. the act of committing.
2. the state of being committed.
3. the act of committing, pledging, or engaging oneself.
4. a pledge or promise; obligation: We have made a commitment to pay our bills on time.
5. engagement; involvement: They have a sincere commitment to religion.
Bottom line, either you don’t care or you think we don’t care… which is it?
I just learned about the web, and I am very happy to read this article. Very useful so that our website is always secure. Thank you.
http://www.obatsesaknapas.com
So, my last comment is not going to get a reply, and you will just leave spam links on your site?? I guess I should sign up for a few affiliate programs and just start littering crap links all over your posts then…
Hi! I've just finished reading your post and I want to thank you for taking the time to write all this juicy information for those of us who are losing weight. Thank you very much for your blog!! Best regards!!