Our thinking

How to fix the timthumb problem on many WordPress installs at once

8 August 2011

(reposted from our new Tumblog)

We have a ton of WordPress installs on a few different servers.

Many of them were using timthumb.php — which recently had the WordPress community a-flutter about a “zero day exploit” (see here).

We wanted to fix everything in one fell swoop. Here’s a quick snippet of code that you can run, as root, on your server to update all the instances of timthumb. Be aware that it overwrites every file named timthumb.php that locate knows about, so any local modifications to those copies are lost; take a backup first if you care about them.

#!/bin/sh
set -e                                  # stop if the download fails instead of copying a missing file
tmp=$(mktemp -d)                        # fresh scratch directory, so an existing ./tmp is not clobbered
cd "$tmp"
wget http://timthumb.googlecode.com/svn/trunk/timthumb.php
# Read one path per line so paths containing spaces survive; skip our own fresh download.
locate timthumb.php | while IFS= read -r timthumb; do
    [ "$timthumb" = "$tmp/timthumb.php" ] && continue
    cp timthumb.php "$timthumb"         # overwrites in place, so the target keeps its owner and mode
done

You may want to run

updatedb

(also as root) first if you don’t have a cron job set up that keeps the file database used by locate current; a stale database means copies added since the last run are silently skipped. Bear in mind, too, that locate matches on the file name only: a copy of the script that a theme or plugin ships under another name (thumb.php is common) will not be found or fixed by this.

If you’re not sure how to run this script:

  1. Become root (su) (or you can run each of the commands below as a sudo’er)
  2. Save the script above to “fixthumb.sh” (cat > fixthumb.sh, then paste the script in, then hit ctrl-d to end the input)
  3. Chmod it to 755 and run it (./fixthumb.sh)
    or just run it with sh (/bin/sh ./fixthumb.sh)

If you need the above instructions, that implies you may not know exactly whatchyer doing as root… in which case you should BE REAL CAREFUL D00D! root is dangerous.
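A fuller version of the same idea, as an added example rather than code from the original post: it walks a web root with find instead of locate, so it does not depend on a fresh updatedb run; it recognises copies of the script by their banner text as well as by file name; it refuses to deploy a download that is not actually PHP (a 404 page fetched by wget would otherwise be copied over every install); and it keeps a .bak of each file it replaces. The file names, the banner string and the assumption that the vetted new copy is already on disk are all illustrative, not something the original post states.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: the vetted new copy is
# already on disk; TimThumb copies are named timthumb.php or thumb.php, or
# carry the "TimThumb script" banner somewhere in their source.

# Refuse to deploy a download that is not the script. A wget of an error
# page or captive portal would otherwise be copied over every install.
looks_like_timthumb() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "<?php" ] && grep -q 'TimThumb' "$1"
}

# fix_timthumb WEBROOT NEWFILE
# Replaces every TimThumb copy under WEBROOT with NEWFILE, printing each
# path it replaced. Returns 1 without touching anything if NEWFILE is bad.
fix_timthumb() {
    root="$1"
    newfile="$2"
    looks_like_timthumb "$newfile" || { echo "refusing: $newfile does not look like TimThumb" >&2; return 1; }

    # One path per line via read, so paths with spaces survive.
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        case "$(basename "$f")" in
            timthumb.php|thumb.php) ;;
            *) grep -qi 'TimThumb script' "$f" 2>/dev/null || continue ;;
        esac
        # Already the vetted copy (e.g. a second run): nothing to do.
        cmp -s "$f" "$newfile" && continue
        # Back up, then overwrite in place so the file keeps its owner and mode.
        cp -p "$f" "$f.bak"
        cat "$newfile" > "$f"
        printf '%s\n' "$f"
    done
}
```

Run it as root with something like fix_timthumb /var/www /root/timthumb-new.php after you have downloaded and eyeballed the new file. It is safe to run twice: the second pass finds nothing to change.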