How to fix the timthumb problem on many WordPress installs at once
8 August 2011
(reposted from our new Tumblog)
We have a ton of WordPress installs on a few different servers.
Many of them were using timthumb.php — which recently had the WordPress community a-flutter about a “zero day exploit” (see here).
We wanted to fix everything in one fell swoop. Here’s a quick snippet of code that you can run, as root, on your server to update all the instances of timthumb.
#!/bin/sh
set -e                          # stop if any step fails (e.g. the download)
mkdir -p tmp
cd tmp
wget http://timthumb.googlecode.com/svn/trunk/timthumb.php
# locate prints one path per line; quoting keeps paths with spaces intact, and
# the basename check skips our own fresh copy and things like timthumb.php.bak
locate timthumb.php | while IFS= read -r path; do
    [ "$(basename "$path")" = "timthumb.php" ] || continue
    [ "$path" = "$PWD/timthumb.php" ] && continue
    cp timthumb.php "$path"
done
You may want to run updatedb (also as root) first if you don’t have a cron job set up that maintains the file database used by locate; otherwise locate will miss any timthumb.php added since the database was last built.
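Here’s a more cautious take on the same idea, added here as an example rather than the script from this post. It uses find instead of locate (so it needs no updatedb and handles paths with spaces), keeps a timestamped backup of every file it overwrites, and refuses to deploy a replacement that is empty or doesn’t look like PHP, which is what you get when the download silently fails. The function names (check_source, replace_all, make_demo_tree) and the demo directory tree are my own constructed scaffolding, not anything from timthumb or WordPress; you supply the known-good timthumb.php yourself.

```shell
#!/bin/sh
# Added example, not the script from the post: replace every timthumb.php below
# a directory with a known-good copy, keeping a backup of each original so you
# can roll back or inspect what was there. Uses find rather than locate, so it
# works without updatedb and copes with paths containing spaces. Nothing is
# downloaded here; you supply the replacement file (e.g. one fetched by hand).
set -eu

# check_source FILE: refuse an empty file or one that does not start like PHP,
# so a failed or blocked download is never copied over every site.
check_source() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^<?php' || return 1
}

# replace_all SRC ROOT: copy SRC over every file named exactly timthumb.php
# under ROOT, saving each original as timthumb.php.bak.<epoch>. Prints how many
# files were replaced.
replace_all() {
    src="$1"
    root="$2"
    check_source "$src" || { echo "refusing to deploy $src: not a PHP file" >&2; return 1; }
    stamp=$(date +%s)
    list=$(mktemp)
    find "$root" -type f -name 'timthumb.php' > "$list"
    n=0
    # IFS= and read -r keep spaces and backslashes in paths intact
    while IFS= read -r f; do
        cp -p "$f" "$f.bak.$stamp"   # backup first, so a failed cp still leaves the original
        cp "$src" "$f"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# make_demo_tree: build a constructed directory with two old copies, one
# unrelated file and a "fixed" replacement, and print its path. This is made-up
# sample data for trying the functions above, not real sites.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site one/wp-content/themes/t1/scripts" "$d/site2/wp-content/plugins/p/lib"
    printf '<?php // old vulnerable copy\n' > "$d/site one/wp-content/themes/t1/scripts/timthumb.php"
    printf '<?php // old vulnerable copy\n' > "$d/site2/wp-content/plugins/p/lib/timthumb.php"
    printf '<?php // unrelated file, must be left alone\n' > "$d/site2/wp-content/plugins/p/lib/thumb.php"
    printf '<?php // fixed copy\n' > "$d/new_timthumb.php"
    echo "$d"
}

# Usage: sh fixthumb2.sh /path/to/good/timthumb.php /var/www
#        sh fixthumb2.sh --demo      (runs against the constructed tree)
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_tree)
    echo "replaced $(replace_all "$d/new_timthumb.php" "$d") file(s) under $d"
elif [ $# -eq 2 ]; then
    echo "replaced $(replace_all "$1" "$2") file(s) under $2"
fi
```

The backups are the part worth keeping even if you trim the rest: once every copy has been overwritten you have lost the evidence of which sites were running the old version, and a bad replacement file would otherwise take every site down at once.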
If you’re not sure how to run this script:
- Become root (su) (or you can run each of the commands below as a sudo’er)
- Save the script above to “fixthumb.sh” (cat > fixthumb.sh then paste the script in, then hit ctrl-c)
- Chmod it to 755 and run it (./fixthumb.sh), or just run it with sh (/bin/sh ./fixthumb.sh)
If you need the above instructions, that implies you may not know exactly whatchyer doing as root… in which case you should BE REAL CAREFUL D00D! root is dangerous.