
ClassiPress 3.1.4 = TimThumb Security Patch

August 17, 2011 | David | Updates

Many of you have likely heard about the recent TimThumb security vulnerability, and we wanted to address the issue as well. TimThumb is a popular image resizing script used in many WordPress themes (including ClassiPress).

Recently a vulnerability was discovered in the script that allows hackers to upload arbitrary PHP code into your TimThumb cache directory and execute it. It can potentially hijack your website and bring down your WordPress site.

This vulnerability exists in ClassiPress versions 2.9.3 or higher (the majority of our customers), so it’s highly recommended to upgrade immediately. The author has provided a fix, and we quickly rolled out a patch to address this. The latest version of ClassiPress (v3.1.4 or higher) is no longer vulnerable.

Who does this affect?

Any customer using ClassiPress version 3.0 or higher. We introduced TimThumb in ClassiPress 3.0 to replace a different image resizing script. It is there mainly to support legacy ads (created in 2.9.3 or earlier), so the majority of you don’t even need it.

How can we fix it?

The easiest way is to upgrade to 3.1.4. If you don’t want to upgrade and you purchased 3.0 or higher, then at the very least delete /classipress/includes/timthumb.php and empty the /classipress/includes/cache/ folder (delete all files in it). If you don’t see a cache folder, you can skip that step.

Customers who purchased 2.9.3 or earlier

You likely have legacy ads which require TimThumb to work correctly. Upgrading to 3.1.4 is ideal, but if you don’t want to upgrade, then at the very least replace your /classipress/includes/timthumb.php with the latest version and empty the /classipress/includes/cache/ folder (delete all files in it). If you don’t see a cache folder, you can skip that step.

  1. Log in to your WordPress back-end
  2. Go to Appearance => Editor and find “timthumb.php”
  3. Replace the entire contents of the file with the updated TimThumb

How can I get the fix?

It can be downloaded from your customer dashboard. You can either apply the patch or install the full theme again. The release notes go into detail as to what is included in the update.

What else was done?

In addition to fixing the TimThumb security vulnerability, we have done an overall security sweep and tightened things up. This update makes ClassiPress the most secure release we’ve done to date.

Important

Delete any old versions of ClassiPress you may have sitting on your web server. They can still be exploited even if they are not your active theme, because their files remain reachable on the web server. You should only have the latest version on your site.

  1. Log in to your WordPress back-end
  2. Go to Appearance => Themes
  3. Delete any old versions of ClassiPress. Make sure not to delete your active version.
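The manual steps above (delete or replace timthumb.php, empty the cache folder, remove stale theme copies) can be checked from a shell on the server before and after you do them. The script below is an added example written for this page, not AppThemes or ClassiPress code. It assumes TimThumb declares its version with `define ('VERSION', '...');` near the top of the file and that a copy may be named either timthumb.php or thumb.php; the demo tree it builds is constructed for illustration only.

```shell
#!/bin/sh
# Added example (not AppThemes/ClassiPress code): audit a WordPress
# wp-content/themes directory for every TimThumb copy, report the version
# each one declares, flag non-image files in a TimThumb cache folder and
# empty that folder while keeping the directory itself.
#
# Assumptions: TimThumb declares its version as  define ('VERSION', '...');
# and may be shipped as timthumb.php or thumb.php. The demo tree built in
# demo() is constructed for illustration only.

# Print "<path> <version>" for every TimThumb copy below $1, including copies
# left behind in old, inactive theme directories.
find_timthumb() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) | sort |
    while read -r f; do
        v=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$f" | head -n 1)
        printf '%s %s\n' "$f" "${v:-unknown}"
    done
}

# Count files in a cache directory that are not resized images. The cache
# should only ever contain images; anything else (for example a .php file)
# means something other than TimThumb wrote to it. Prints 0 when the
# directory does not exist, which is the case when TimThumb never ran.
count_suspect_cache_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f \
        ! -name '*.jpg' ! -name '*.jpeg' ! -name '*.png' ! -name '*.gif' |
        wc -l | tr -d ' '
}

# Delete every file inside the cache directory but keep the directory.
empty_cache() {
    [ -d "$1" ] || return 0
    find "$1" -type f -exec rm -f {} +
}

# Build a small constructed themes tree and run the audit against it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/classipress/includes/cache" "$root/classipress-old/includes"
    printf "<?php\ndefine ('VERSION', '2.8.14');\n" > "$root/classipress/includes/timthumb.php"
    printf "<?php\ndefine ('VERSION', '1.33');\n" > "$root/classipress-old/includes/timthumb.php"
    : > "$root/classipress/includes/cache/a1b2.jpg"          # normal resized image
    : > "$root/classipress/includes/cache/not-an-image.php"  # should never be here

    echo "TimThumb copies found:"
    find_timthumb "$root"
    echo "Suspect cache files before cleanup: $(count_suspect_cache_files "$root/classipress/includes/cache")"
    empty_cache "$root/classipress/includes/cache"
    echo "Suspect cache files after cleanup:  $(count_suspect_cache_files "$root/classipress/includes/cache")"
    rm -rf "$root"
}

# With a themes directory as the argument, audit it; with no argument, run the demo.
if [ $# -gt 0 ]; then
    find_timthumb "$1"
else
    demo
fi
```

Run it as `sh timthumb_audit.sh /path/to/wp-content/themes` to list every TimThumb copy and its version (an old theme directory that still shows up here is exactly what the "Important" section asks you to delete). Any copy that is not the current release, or any cache folder with a non-zero suspect count, should be treated as a site that still needs the fix from this post.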

We’re sorry for the inconvenience, but please make sure to upgrade ASAP to keep your site from being hacked.



13 Responses to “ClassiPress 3.1.4 = TimThumb Security Patch”

  1. altor25

    I noticed that if you just want to fix the TimThumb issue and fall under ‘Customers who purchased 2.9.3 or earlier’, you can just replace the code.

    I currently have 3.1.3 installed, am I also able to implement this quick fix?

    • David

      @altor25, yes as long as you replace it with the latest version of TimThumb (linked above).

  2. gayanb

    I got 3.1.3 and I deleted the file (timthumb.php). But I cannot find a folder at “/classipress/includes/cache/”. Do I need some setting to enable caching?

    • David

      @gayan, if you don’t see a cache folder, you can skip that step. If TimThumb was never used (which it sounds like is your case) then the cache folder would have never been created.

  3. Why did it take so long to notify users of this vulnerability?

    • Shannon Dunn

      A user posted in the forum about this vulnerability. As soon as we heard, we got to work on a patch and released it just a couple of days later. At the same time, we did a security review so we could tighten up any other possible issues with the same security patch.

      If you have not downloaded the security patch yet, we strongly suggest doing so now.


  4. procyon

    Can you post the 3.1.3 upgrade guide, since there were a few files that were modified?

  5. My ClassiPress is 3.14 and was just installed a few days ago.

    But Hostmonster notified me yesterday that they found exploitable timthumb.php file(s) on my account. It is highly recommended to update these files to the latest available version to prevent possible compromise.

    Do I need to update again? Or is there another, newer timthumb.php or ClassiPress version that will be released for this case?

    Thanks!

    • David

      @Jacgo, 3.1.4 has the latest version of TimThumb so you should be fine. ;-)


  6. andreio

    Apparently many WordPress themes use TimThumb, since I’ve seen the security news on several other websites … and I think it’s cool that all theme developers are so fast when it comes to getting security issues fixed …

    • Shannon Dunn

      Thanks, Kreativ Theme. We try to do all we can to keep our themes as secure as possible.

  7. I’ve just replaced my timthumb.php with the updated version. No cache dir found so I guess I was lucky…
    Does anyone know of a scanner that can help us make sure we’ve got this covered?

    Thanks,
    AReis

Discussion is closed.