Update on TimThumb.php

We’re back with an update on TimThumb.php.  If you’re not already familiar, please take a moment to read our previous post.

Last time, we were simply getting the word out to help prevent any fallout from using TimThumb, but (mt) realized we could do more.  For starters, we’re scanning the entire (gs) Grid-Service for instances of TimThumb.  When we find it, we’re notifying affected customers via support request.

Help is on the way

In addition, to increase security, we’re adding a custom .htaccess file to affected cache directories.  The “hole” in TimThumb alows hackers to put malicious scripts in the cache directory, which can lead to much bigger problems.  The .htaccess makes sure that even if something harmful is uploaded, it can’t be activated.  If you’re running TimThumb and already had a .htaccess file in your cache directory, we’ll back it up for you. The scanning process will be ongoing – stay tuned for updates here and in the (mt) AccountCenter.

What’s next?

The measures we’ve taken will help, but to stay safe, you’ll want to go a little further.  Here are some tips to make your content more secure:

• Update your copy of TimThumb.php to the latest version.  In fact, keep all third-party software updated at all times.
• Consider using something other than TimThumb, since it’s not 100% secure yet.
• Ideally, you’ll want to look in your cache directory and other folders to see if anything unusual was left behind.  You’ll want to remove anything suspicious or consult a security expert for clarification.
• Update account passwords to enhance security (FTP, DB, etc.).  Make sure to use a mixture of numbers and letters, uppercase and lowercase.  You can read more on password strength here.
• Perhaps most importantly, always make sure to back up your data, so you can easily roll back at any time.

For more security tips, please go here.

As always, we’re here around the clock if you have questions.  Here’s to a safer, more productive hosting experience!