A vulnerability that allows remote attackers to take over your Web site has been found in the extremely popular TimThumb photo-resizing script.
The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.
We recommend deleting timthumb.php or thumb.php if your site will work without them. If the file exists in a theme or plugin that you’re no longer using, you may want to remove the entire theme or plugin directory. After you remove the TimThumb library, make sure you check that your site is still working correctly.
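To turn the advice above into a repeatable check, here is an added shell example (not from the original post or the TimThumb project): it lists every TimThumb copy under a web root and flags files in the neighbouring cache directories that contain a PHP open tag, since a TimThumb cache should hold only resized images. The cache directory names `cache` and `cache-tmp` are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example: find TimThumb copies and look for PHP in their caches.
# The cache should contain nothing but images, so any PHP open tag there
# (even one hidden behind an image header) is worth investigating.

# Print the path of every timthumb.php / thumb.php below the web root $1.
find_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null
}

# For each TimThumb copy, inspect sibling directories named cache or
# cache-tmp (assumed names) and print files that contain a PHP open tag.
# Prints one path per hit; prints nothing when the caches look clean.
scan_caches() {
    find_timthumb "$1" | while IFS= read -r script; do
        dir=$(dirname "$script")
        for cache in "$dir/cache" "$dir/cache-tmp"; do
            [ -d "$cache" ] || continue
            # -l lists matching files even when grep considers them binary.
            grep -rl -e '<?php' -e '<?=' "$cache" 2>/dev/null || true
        done
    done
}

# Number of suspect cache files, so a wrapper script can act on the result.
count_suspect_cache_files() {
    scan_caches "$1" | wc -l | tr -d ' '
}

# Usage: sh timthumb_check.sh /var/www   (prints suspect cache files, if any)
if [ -n "${1:-}" ]; then
    scan_caches "$1"
fi
```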
This is potentially a massive threat because literally millions of Web sites use the TimThumb script. And every one of them needs to be updated. Help spread the word.
For complete technical details, visit the post detailing the discovery on Mark Maunder’s site.