by qeorge 5434 days ago
FWIW: We had an older version of timthumb which uses preg_match instead of strpos, but suffers from the same flaw. The relevant line looks like this:

    if (preg_match($site, $url_info['host']) == true) {
Good catch, Mark.

I have a version that does this:

    function clean_source ( $src ) {

        // remove http/ https/ ftp
        $src = preg_replace("/^((ht|f)tp(s|):\/\/)/i", "", $src);
        // remove domain name from the source url
        // (HTTP_HOST is unset outside a web request, hence the fallback)
        $host = $_SERVER["HTTP_HOST"] ?? "";
        $src = str_replace($host, "", $src);
        $host = str_replace("www.", "", $host);
        $src = str_replace($host, "", $src);

        // what remains is a path relative to this host
        return $src;
    }
This version doesn't allow external sources at all by the look of it.
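The check quoted in the first comment, beside a strict host comparison, as an added example; this is not timthumb's code or either commenter's code, and the allow-list values and hostnames are constructed for illustration.

```php
<?php
// Added example, not timthumb's code or the commenters' code. Allow-list
// values and hostnames below are constructed for illustration.

// Loose check in the shape of the quoted line: each $site is handed to
// preg_match as a pattern, so an unanchored pattern (and an unescaped
// '.') matches anywhere inside the host rather than the whole host.
function host_allowed_loose(string $host, array $patterns): bool {
    foreach ($patterns as $site) {
        if (preg_match($site, $host) === 1) {
            return true;
        }
    }
    return false;
}

// Strict check: parse the host out of the URL, normalise it, and accept
// only an exact match or a real subdomain (label boundary on '.').
// Needs PHP 8.0+ for str_ends_with().
function host_allowed_strict(string $url, array $allowed): bool {
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                 // no host at all: reject
    }
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $site) {
        $site = strtolower($site);
        if ($host === $site || str_ends_with($host, '.' . $site)) {
            return true;
        }
    }
    return false;
}

$patterns = ['/flickr.com/i', '/picasa.com/i'];   // constructed loose patterns
$allowed  = ['flickr.com', 'picasa.com'];         // constructed strict allow-list

$cases = [
    'http://flickr.com/a.jpg',              // should pass both checks
    'http://img.flickr.com/a.jpg',          // real subdomain: should pass both
    'http://flickr.com.example.test/a.jpg', // constructed: merely contains the name
    'http://flickrxcom.test/a.jpg',         // constructed: '.' in pattern matches 'x'
];
foreach ($cases as $url) {
    $host = parse_url($url, PHP_URL_HOST);
    printf("%-28s loose=%-3s strict=%s\n", $host,
        host_allowed_loose($host, $patterns) ? 'yes' : 'no',
        host_allowed_strict($url, $allowed) ? 'yes' : 'no');
}
```

The last two constructed hosts pass the loose check and fail the strict one, which is the difference a reviewer should look for when auditing an allow-list of this kind.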