rifanece / timthumb

Automatically exported from code.google.com/p/timthumb

Security issue #30

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Using version 1.08 of timthumb.php in a WooThemes theme.

A user of WooThemes had problems with the image resizer on his host. This
was the error he was getting:
http://www.pict.com/view/427006/800/4062520not2520acceptable

They eventually got the host to look at it, but they feel this is a
security issue:

The error you are getting from that script now is:
Warning: usort() [function.usort]: The argument should be an array in
/home/b48149/public_html/wp-content/themes/aperture/thumb.php on line 250

The code in question here is:

    function cleanCache() {
        $files = glob("cache/*", GLOB_BRACE);
        /*line 250*/ usort($files, "filemtime_compare");
        $i = 0;
        if (count($files) > CACHE_SIZE) {
            foreach ($files as $file) {
                $i ++;
                if ($i >= CACHE_CLEAR) {
                    return;
                }
                unlink($file);
            }
        }
    }

This wouldn't be a particular problem, but the script then tries to
send headers:

    header("Content-Type: image/png");
    header("Accept-Ranges: bytes");
    header("Last-Modified: " . $gmdate_mod);
    header("Content-Length: " . $fileSize);
    header("Cache-Control: max-age=9999, must-revalidate");
    header("Expires: " . $gmdate_mod);

Which are broken due to the warning output before headers are sent.

The script then outputs an image, which is equally broken due to the
headers failing, so once the original problem in the code:

    usort($files, "filemtime_compare");

is fixed, you should be OK. The recommended fix for this would be
to change line 250 to:

    if(is_array($files)) usort($files, "filemtime_compare");

Original issue reported on code.google.com by magnusje...@gmail.com on 6 May 2009 at 12:58
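
The failure described in the report above, as an added example that is not part of the original issue or of timthumb's code: a cache cleaner that tolerates glob() returning a non-array, plus a headers_sent() guard so a stray warning cannot corrupt the image response. The function names, the limits and the oldest-first ordering are assumptions, and the temporary files are constructed for the demo.

```php
<?php
// Added example, not timthumb's code; names and limits are hypothetical.

// Delete the oldest files once $dir holds more than $maxFiles entries,
// removing at most $maxDelete per call. Returns the number deleted.
function clean_cache_dir($dir, $maxFiles, $maxDelete)
{
    $files = glob(rtrim($dir, '/') . '/*');
    // glob() returns false on error, so check before usort() or count().
    if (!is_array($files) || count($files) <= $maxFiles) {
        return 0;
    }
    // Assumption: order oldest first by modification time.
    usort($files, function ($a, $b) {
        return (int) @filemtime($a) - (int) @filemtime($b);
    });
    $removed = 0;
    foreach (array_slice($files, 0, $maxDelete) as $file) {
        if (is_file($file) && @unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// True only when nothing (such as a PHP warning) has been written yet,
// so image headers can still be sent intact.
function can_send_image_headers()
{
    if (headers_sent($file, $line)) {
        error_log("Output already started at $file:$line; not sending image");
        return false;
    }
    return true;
}

// Constructed demo: five files with increasing mtimes in a temp directory.
$dir = sys_get_temp_dir() . '/cache_demo_' . getmypid();
mkdir($dir);
for ($i = 1; $i <= 5; $i++) {
    touch("$dir/img$i.png", time() - (6 - $i) * 60);
}
$missing = clean_cache_dir("$dir/no-such-dir", 3, 2); // nothing matches
$removed = clean_cache_dir($dir, 3, 2);               // cache over its limit
$headersOk = can_send_image_headers();                // checked before any output
$left = array_map('basename', glob("$dir/*"));
array_map('unlink', glob("$dir/*"));
rmdir($dir);
printf("missing=%d removed=%d headers_ok=%d left=%s\n", $missing, $removed, $headersOk, implode(',', $left));
```
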

GoogleCodeExporter commented 8 years ago

Original comment by BinaryMoon on 2 Jul 2009 at 10:00