Timthumb zero day vulnerability: time to get back to basics

It’s time to rethink how we bundle plugins with WordPress themes, and give our endusers the benefit of the doubt that they are smart enough to do some installations and updates on their own.

It’s a little long and techy, but Leland (@themelab) linked to a very disturbing post about timthumb, a script that resizes images and generates thumbnails for use with themes. The vulnerability is fixed, and anyone who updates the timthumb script would be safe.

“Anyone who updates the timthumb script.” And herein lies the problem: that script has been bundled by theme developers for years. Most of the people who download these themes will never know that they are running an old, vulnerable version of timthumb. Some might not even know how to update these. Some have purchased themes based on memberships that may be expired.

There are millions upon millions of vulnerable copies of the script out there, and not enough technically able users who can update this. There’s a fix for this moving forward, but it’s extremely politically incorrect.

Eliminate, as a matter of choice by theme developers, the bundling of plugins.

Instead, devs should include checks in their theme that look for the required plugins, and display a nag message in the admin linking to the WordPress plugin repository. Something. Anything. But not how it’s done today. Because, once a plugin is in the repo and a vulnerability is found and fixed, the developer can mark it as “updated,” which itself produces a nag message in the admin screen to update the plugin.

The architecture exists for issues like this to be avoided entirely. The counterargument—that “users” are too dumb to install a simple plugin which they can find in the repository without even leaving their own admin screens—is pure bullshit. It’s parochial and condescending for a developer to think this way.

WordPress has taken down technical barriers to entry. Despite that, we all need to call upon users to better themselves: to understand the basic basics of running a WordPress-powered site, no matter how “non-technical” they say they are.

Posted on: August 2, 2011 at 7:23 pm under: WordPress

4 Responses

4 Comments to “Timthumb zero day vulnerability: time to get back to basics”

Comments to this entry are closed. You can contact me by email, or you can write about it on your blog and link to this post. Pingbacks are always welcome.

Pingbacks

  • Katie says:

    I see you share interesting things here, you can earn some extra cash, your website has huge potential, for the monetizing method, just type in google – K2 advices how to monetize a
    website

  • Tawanna says:

    I read a lot of interesting content here. Probably you spend a lot of time writing, i know how to save you a lot
    of work, there is an online tool that creates unique, SEO
    friendly posts in seconds, just search in google – laranitas
    free content