Warnning Vslider Zero Day Vulnerability [4.1.1 / timtumb 2.7]

For the fun a short display of what you will have on your server if you are attacked :

……
-rw——- 1 www-data www-data 56094 2013-02-06 13:56 timthumb_tmpimg_KKdENu
-rw——- 1 www-data www-data 34584 2013-02-06 13:47 timthumb_tmpimg_kKelKl
-rw——- 1 www-data www-data 53351 2013-02-06 13:41 timthumb_tmpimg_KkFPkY
-rw——- 1 www-data www-data 53075 2013-02-06 13:41 timthumb_tmpimg_kkGIuc
-rw——- 1 www-data www-data 46273 2013-02-06 13:34 timthumb_tmpimg_KKi8dN
-rw——- 1 www-data www-data 46438 2013-02-06 14:23 timthumb_tmpimg_KkIobp
-rw——- 1 www-data www-data 50088 2013-02-06 13:46 timthumb_tmpimg_Kkm3A4
-rw——- 1 www-data www-data 50088 2013-02-06 12:42 timthumb_tmpimg_Kkm7b4
………

Server crash due to 100% HD empty. And /tmp is cleaned on, reboot, but refill on eaxh request ….

Please Upgrade to latest version 5.0.0.

In case you have any issues, please post then here: https://vibethemes.com/forums/forumdisplay.php?30-vSlider

Note: We’ve removed Timthumb.php and migrated to responsive Flexslider 2.0.
If your slider was created out of Posts, do not panic. Try out the new vSlider Slide Generator, you’ll get back your slides in matter of seconds.

Hi Mr Vibe,

Thanks you for the upgrade. I recently have lots of security trouble with WP 3.5 and a couple of plugin.

I think it’s a good idea to not use Timthumb.php who use temp file in excessand can filly our server of rubish t’ill go down.

I have to report many attack technics to WP 3.5. It seem, there is an open hole if you allow writing from web server simply.

Mike