Jeremy Kirk of IDG News reports that Mark Maunder, the CEO of Feedjit, discovered the problem when his own blog, which had never carried ads, started loading ad content. He blogged about the problem, tracing it to an issue with the “timthumb.php” library, which is used within the theme he purchased for his blog.
“Since it’s already in the wild and I just got hacked by it, I figure it’s OK to release the vulnerability to the general public,” Maunder wrote.
The developer of TimThumb, Ben Gillbanks, was the first to comment on Maunder’s post: “I can’t apologize enough for this oversight in the code and hope nobody has anything too bad happen to their sites because of my error.”
Gillbanks recommended that people use the latest version of TimThumb. “There have been a stack of tweaks that will make the script harder to abuse,” Gillbanks wrote.
Read more on PC World
Download the latest version of TimThumb: http://code.google.com/p/timthumb/