Timthumb Vulnerability Scanner
False positive in WooThemes Canvas theme-options.php (35 posts)

  1. masonjames
    Volunteer Moderator
    Posted 2 years ago #

    Hiya!

    Awesome plugin :)

    Just wanted to let ya know that it incorrectly flags the theme-options.php file in Canvas as a timthumb file. I went through the file and had a look. It contains references to the fact that timthumb is used in the code comments, but no version numbers that I could see.

    More of an FYI and notice to anyone else out there - you shouldn't overwrite this file ;)

    Thanks again!

    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
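As an added example (not the scanner plugin's own code), the Python below shows the distinction this post describes: a keyword-only check flags any file that mentions timthumb, a theme-options.php that merely talks about it included, while requiring TimThumb's own VERSION define in live code does not. The two PHP samples are constructed stand-ins, and the exact form of the define is an assumption.

```python
import re
from typing import Optional

# Constructed stand-in for a genuine timthumb.php. Real TimThumb declares its
# version with a define of this shape (the exact form is an assumption here).
TIMTHUMB_SRC = """<?php
/*
 * TimThumb image resizer (constructed header comment)
 * http://timthumb.googlecode.com/svn/trunk/timthumb.php
 */
define ('VERSION', '2.8');
if (!isset($_GET['src'])) { $errors[] = 'No image specified'; }
"""

# Constructed stand-in for a WooThemes theme-options.php: it mentions TimThumb
# in a comment and an option label but carries no version define.
THEME_OPTIONS_SRC = """<?php
// Dynamic image resizer: when enabled, the framework scales thumbnails with TimThumb.
$options[] = array('name' => 'Dynamic Image Resizer (timthumb)',
                   'id' => 'woo_resize', 'type' => 'checkbox');
"""

KEYWORD_RE = re.compile(r'timthumb', re.IGNORECASE)
# Matches define ('VERSION', '2.8') as well as define("VERSION", "2.8.10").
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9]+(?:\.[0-9]+)*)['"]\s*\)""")
# PHP comments: /* ... */ blocks and // or # line comments (string-unaware heuristic).
COMMENT_RE = re.compile(r'/\*.*?\*/|(?://|#)[^\n]*', re.DOTALL)


def keyword_match(src: str) -> bool:
    """The loose heuristic behind the false positive: any mention of timthumb counts."""
    return KEYWORD_RE.search(src) is not None


def timthumb_version(src: str) -> Optional[str]:
    """Return the declared TimThumb version, or None when the file is not TimThumb.

    A mention of the name is only a hint; the decision rests on a VERSION define
    in live (non-comment) code, which a theme's options file does not carry.
    """
    if not keyword_match(src):
        return None
    match = VERSION_RE.search(COMMENT_RE.sub('', src))
    return match.group(1) if match else None


def scan(files: dict[str, str]) -> dict[str, Optional[str]]:
    """Map each path to its TimThumb version, or None when the file must be left alone."""
    return {path: timthumb_version(src) for path, src in files.items()}
```

Only files that come back with a version string are candidates for replacement; a None result is exactly the theme-options.php case, which the keyword check alone would have overwritten.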

  2. ParkerShort
    Member
    Posted 2 years ago #

    I'm working with another Woo Theme - Headlines - and the same thing just happened. Replacing the theme-options.php file with the original did the trick.

  3. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago #

    Hey Guys -

    I've had a number of people report this, but I haven't been able to make it happen.

    Is there any chance you could email me copies of the themes that it's throwing false positives on to peter@codegarage.com? That would be a huuge help for me.

    Thanks!

  4. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago #

    Mason was kind enough to send me the file in question - Version 1.3 (which is now showing up on the download page) should prevent this problem from happening.

    Thanks Mason!

  5. masonjames
    Volunteer Moderator
    Posted 2 years ago #

    My pleasure Peter. Thanks for your contribution to the WordPress community :)

  6. wpsecuritylock
    Member
    Posted 2 years ago #

    Hi Peter,

    I'm emailing you one now for the WooTheme - continuum that caused the site to look goofy after upgrading with your plugin.

  7. aghelfi
    Member
    Posted 2 years ago #

    I am getting this error while trying to fix vulnerable timthumb files:

    Warning: Cannot modify header information - headers already sent by (output started at D:\Hosting\4793881\html\wp-admin\menu-header.php:97) in D:\Hosting\4793881\html\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 410
    A TimThumb error has occured
    The following error(s) occured:
    No image specified
    Query String : page=cg-timthumb-scanner
    TimThumb version : 2.8

    WP has been updated to 3.2.1, object to 1.7.1 and framework to 4.5.3.
    Any idea on what's up?
    Thanks!
    [a]

  8. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago #

    @aghelfi -

    Can you check which version of the scanner plugin you're using? It should be on the plugins page. This happened occasionally with version 1.0 and 1.1, but it was (hopefully) fixed with version 1.3.

    Also - can you access the front end of your site after you get that error message?

  9. aghelfi
    Member
    Posted 2 years ago #

    @Peter

    Version 1.3

    I can access the front end, but the thumbnail images are not loading on the homepage and archive pages.

    If you have a Woo account, I also posted in their forum (pasted below):
    http://www.woothemes.com/support-forum/?viewtopic=53666

    I am having a problem with a WP/object website.

    WP has been updated to 3.2.1, object to 1.7.1 and framework to 4.5.3.

    Timthumb is not working on the homepage and in the archive pages.

    I installed the Timthumb Vulnerability Scanner plugin and can see 2 vulnerable timthumb files in older theme directories but can't fix them due to an error:
    Warning: Cannot modify header information - headers already sent by (output started at D:\Hosting\4793881\html\wp-admin\menu-header.php:97) in D:\Hosting\4793881\html\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 410
    A TimThumb error has occured
    The following error(s) occured:
    No image specified
    Query String : page=cg-timthumb-scanner
    TimThumb version : 2.8
    I unchecked the Dynamic Image Resizer in the Object panel, so right now the images on the homepage are stretched.
    If I reactivate it, the thumbnails aren't displayed and bring a "bad request", as seen here: http://www.laboutique-galerie.com/wp-content/themes/ObjectLaBoutique/functions/thumb.php?src=wp-content/uploads/2011/09/CSTM01-680x1024.jpg&w=220&h=220&zc=1&q=100

    the website is http://www.laboutique-galerie.com

    Any idea on how to make sure timthumb is working?

  10. aghelfi
    Member
    Posted 2 years ago #

    @Peter

    Opening a broken image to another tab gives me that URL:

    http://www.laboutique-galerie.com/wp-content/themes/object/functions/thumb.php?src=wp-content/uploads/2011/09/CSTM01-680x1024.jpg&w=220&h=220&zc=1&q=100

    I don't see a ref to the cache folder, so I don't think it is a permission issue.

    Any idea?
    [a]

  11. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago #

    Aghelfi, I'm starting to wonder if this is something your host has done to lock down timthumb vulnerabilities. Have you checked the permissions on the thumb.php file?

    Can you try placing a fresh copy of timthumb (http://timthumb.googlecode.com/svn/trunk/timthumb.php) somewhere on the server, and then loading up that url to see if you still get the "Bad Request" error?

  12. aghelfi
    Member
    Posted 2 years ago #

    @Peter
    Yes, it is possible. That server is on GoDaddy.

    I placed a fresh copy of timthumb here:
    http://laboutique-galerie.com/timthumb.php

    I am still getting a bad request there, if that's what you wanted me to do.

    If I try to CHMOD the freshly uploaded timthumb using Fetch, I get this:

    SITE CHMOD 666 timthumb.php
    500 'SITE CHMOD 666 timthumb.php': command not understood
    ftp_cmd/ftp_user: 2,-30000 (state == SETTING_PERMS)

    would that make you wonder even more?
    [a]

  13. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago #

    Hm. Very strange. Can you try naming the file something else (like tester.php or something) and trying it? If it is being locked down by godaddy, I'm just wondering if they're automatically doing it based on filename or something.

  14. aghelfi
    Member
    Posted 2 years ago #

  15. aghelfi
    Member
    Posted 2 years ago #

    FYI, I installed a fresh WP/WooTheme/WooFramework in a subfolder on the same server and I am getting the same result...

    http://laboutique-galerie.com/2012/

  16. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago #

    It's got to be something to do with your server - I'm just not really sure what could be causing the problem. I'd be surprised if it's godaddy blocking it at this point - blocking files with the same content but different names seems a little intrusive for a host.

    Hah - I just did a quick google and found you on stackoverflow - I was just about to point you at that thread...

    As somebody else in that thread pointed out - maybe it's something to do with PHP GD (php's graphics library)?

    Looks like this is some code to check if GD is installed:

    <?php
    if (extension_loaded('gd') && function_exists('gd_info')) {
        echo "It looks like GD is installed";
    }
    ?>

    I haven't tested it myself, but it looks good. Maybe give that a go?

  17. aghelfi
    Member
    Posted 2 years ago #

    Yeah, I also have a thread with Woo but they were quick to say "not our fault"... ;)

    http://laboutique-galerie.com/GD.php

    "It looks like GD is installed"

  18. aghelfi
    Member
    Posted 2 years ago #

    Spent 2 hours with GoDaddy tech support.

    GoDaddy says that the thumb.php either has buggy code (hence the refusal to execute the script) or is trying to do something not allowed by GoDaddy.

    I tried to tell them this is out-of-the-box PHP that is working on hundreds of thousands of sites around the world, but that didn't make a difference.

    Permissions are set up correctly (that site is on a shared Windows server, so I can't change the permissions of that specific file, but the file inherits the permissions from its folder, which are set up correctly).

    The tech mentioned maybe installing a php5.ini file but that's way above my head.

    How does this sound to you guys?
    [a]

  19. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago #

    The biggest red flag to me there is that it's a windows server. Maybe that has something to do with it? Is anyone successfully running the latest version of timthumb on a linux server hosted with godaddy?

    I assume by setting up a php5.ini file, he's saying set up this server to run on PHP5 - but the last couple of versions of wordpress have required php5 (I think) - you'd be having a number of other problems if you were running php4. In fact, I think the scanner plugin requires php5 - I think I use some class stuff that didn't exist in php4.

    At the end of the day, it basically boils down to the fact that your host isn't going to make this happen for you - so you can either spend some time or money figuring out WHY timthumb won't work on godaddy's servers, and try to get around it, or you can switch to a new host. Or, option 3, stop using timthumb. None of those are great options, I know - but I think that about covers it at this point.

  20. aghelfi
    Member
    Posted 2 years ago #

    I placed a comment in the timthumb forum about the shared Windows server and I'll keep you posted.

    Thanks for your time, Peter.
    [a]

  21. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    I am using the latest version of timthumb on godaddy LINUX with no problems

    Never had a problem running it, either old, or most recent

  22. aghelfi
    Member
    Posted 2 years ago #

    Thanks @Rev. Voodoo, good to know.
    Is there anybody who has had success with GoDaddy on a Windows server?

  23. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    I assume by setting up a php5.ini file, he's saying set up this server to run on PHP5

    On godaddy, they allow you to change some settings using a php.ini file.

    By default if you are using godaddy, you are using php5

    however, php4 is available.

    php.ini and php4.ini will adjust settings for php4

    php5.ini adjusts for php 5

    That is most likely why php5.ini was suggested. The server is almost certainly running php5.

  24. aghelfi
    Member
    Posted 2 years ago #

    This is starting to be too technical for me, but is there any reason why I would want to use PHP4 instead of 5 to run that timthumb script?

  25. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    @aghelfi: Apologies, that was directed at @Peter Butler for info only, in response to his question. I was affirming that you should be on php5, and the difference between the types of php.ini files specific to GoDaddy.

    If you bought your hosting in the past couple of years, you should be on php5

    You want to be on php5, you would not want 4. Your php should be fine!

    Out of curiosity, how established is your site, and is there a reason you need a windows server?

    (Switching to linux is free, and far better.... thus the probing questions)

  26. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    I'm seeing rumblings around the webs that you cannot set individual permissions in godaddy windows hosting. Not sure if that affects you, or is still true

  27. Peter Butler
    Member
    Plugin Author

    Posted 2 years ago #

    Voodoo is right - php5 is the way to go. The only reason I brought it up was because WP now requires PHP5, and when users don't use it, problems manifest themselves in some weird ways. Because Godaddy tech support was mentioning a php5.ini file, I was wondering if he was trying to get you to switch TO php5 (like maybe you were currently on php4).

    Regardless, it sounds to me like the problem is specific to Windows hosting on godaddy. I'm not sure if it's in your control, but I definitely think it would be worth looking into switching over to linux. For the average site, there's no reason I know of to be on windows - and there are plenty of reasons to be on linux.

  28. aghelfi
    Member
    Posted 2 years ago #

    @Rev.
    Regarding the individual permissions on GoDaddy: it is true. Only Unix servers can set that up individually per file. Windows servers assign permissions per folder; files inside a folder inherit the permissions from their folder. Not sure if that affects me, but it is true.

  29. aghelfi
    Member
    Posted 2 years ago #

    @Peter/Rev. Voodoo:
    I'll talk to my client to see if they're okay with having their site down for 3-4 days, the time it will take GoDaddy to migrate their site from Windows to Linux. I have no idea why it was set up that way originally. Since they purchased a multi-year hosting package with no refund option, I think it is worth trying this out before switching hosting company.

  30. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    It took my hosting about 8 hours to transfer.... not that that is an indication of current expectations.

    Linux will avoid many headaches down the road

Topic Closed

This topic has been closed to new replies.