Posted 8 months ago #
Hiya!
Awesome plugin :)
Just wanted to let ya know that it incorrectly flags the theme-options.php file in Canvas as a timthumb file. I went through the file and had a look. It contains references to the fact that timthumb is used in the code comments, but no version numbers that I could see.
More of an FYI and notice to anyone else out there - you shouldn't overwrite this file ;)
Thanks again!
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
Posted 8 months ago #
I'm working with another Woo Theme - Headlines - and the same thing just happened. Replacing the theme-options.php file with the original did the trick.
Posted 8 months ago #
Hey Guys -
I've had a number of people report this, but I haven't been able to make it happen.
is there any chance you could email me copies of the themes that it's throwing false positives on to peter@codegarage.com? That would be a huuge help for me.
Thanks!
Posted 8 months ago #
Mason was kind enough to send me the file in question - Version 1.3 (which is now showing up on the download page) should prevent this problem from happening.
THanks Mason!
Posted 8 months ago #
My pleasure Peter. Thanks for your contribution to the WordPress community :)
Posted 8 months ago #
Hi Peter,
I'm emailing you one now for the WooTheme - continuum that caused the site to look goofy after upgrading with your plugin.
Posted 8 months ago #
i am getting this error while trying to fix vulnerable timthumb files:
Warning: Cannot modify header information - headers already sent by (output started at D:\Hosting\4793881\html\wp-admin\menu-header.php:97) in D:\Hosting\4793881\html\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 410
A TimThumb error has occured
The following error(s) occured:
No image specified
Query String : page=cg-timthumb-scanner
TimThumb version : 2.8
WP has been updated to 3.2.1, object to 1.7.1 and framework to 4.5.3.
any idea on what's up?
thanks!
[a]
Posted 8 months ago #
@aghelfi -
Can you check which version of the scanner plugin you're using? It should be on the plugins page. This happened occasionally with version 1.0 and 1.1, but it was (hopefully) fixed with version 1.3.
Also - can you access the front end of your site after you get that error message?
Posted 8 months ago #
@Peter
Version 1.3
i can access the front end but the thumbnail images are not loading on homepage and archive pages.
if you have a woo account, i also posted in their forum (pasted below)
http://www.woothemes.com/support-forum/?viewtopic=53666
I am having a problem with a WP/object website.
WP has been updated to 3.2.1, object to 1.7.1 and framework to 4.5.3.
Timthumb is not working on the homepage and in the archive pages.
I installed the Timthumb Vulnerability Scanner plugin and can see 2 vulnerable timthumb files in older theme directories but can't fix them due to an error:
Warning: Cannot modify header information - headers already sent by (output started at D:Hosting'93881htmlwp-adminmenu-header.php:97) in D:Hosting'93881htmlwp-contentplugins imthumb-vulnerability-scannercg-tvs-filescanner.php on line 410
A TimThumb error has occured
The following error(s) occured:
No image specified
Query String : page=cg-timthumb-scanner
TimThumb version : 2.8
i unchecked the Dynamic Image Resizer in the object panel, so right now the images on homepage are stretched.
if i reactivate it, the thumbnail aren't been displayed and bring a "bad request", as seen here: http://www.laboutique-galerie.com/wp-content/themes/ObjectLaBoutique/functions/thumb.php?src=wp-content/uploads/2011/09/CSTM01-680x1024.jpg&w=220&h=220&zc=1&q=100
the website is http://www.laboutique-galerie.com
any idea on how to make sure timthumb is working?
Posted 8 months ago #
@Peter
Opening a broken image to another tab gives me that URL:
I don't see a ref to the cache folder so i don't think it is a permission issue.
any idea?
[a]
Posted 8 months ago #
Aghelfi, I'm starting to wonder if this is something your host has done to lock down timthumb vulnerabilities. Have you checked the permissions on the thumb.php file?
Can you try placing a fresh copy of timthumb (http://timthumb.googlecode.com/svn/trunk/timthumb.php) somewhere on the server, and then loading up that url to see if you still ge the "Bad Request" error?
Posted 8 months ago #
@Peter
yes it is possible. That server is on GoDaddy.
i placed a fresh copy of timthumb here
http://laboutique-galerie.com/timthumb.php
i am still getting a bad request there, if that's what you wanted me to do.
If i try to CHMOD using Fetch the freshly uploaded Timthumb, i get this:
SITE CHMOD 666 timthumb.php
500 'SITE CHMOD 666 timthumb.php': command not understood
ftp_cmd/ftp_user: 2,-30000 (state == SETTING_PERMS)
would that make you wonder even more?
[a]
Posted 8 months ago #
Hm. Very strange. Can you try naming the file something else (like tester.php or something) and trying it? If it is being locked down by godaddy, I'm just wondering if they're automatically doing it based on filename or something.
Posted 8 months ago #
Posted 8 months ago #
Fyi i installed a fresh WP/Wootheme/wooframework in a sub folder on the same server and i am getting the same result...
Posted 8 months ago #
It's got to be something to do with your server - I'm just not really sure what could be causing the problem. I'd be surprised if it's godaddy blocking it at this point - blocking files with the same content but different names seems a little intrusive for a host.
Hah - I just did a quick google and found you on stackoverflow - I was just about to point you at that thread...
As somebody else in that thread pointed out - maybe it's something to do with PHP GD (php's graphics library)?
Looks like this is some code to check if GD is installed:
<?php
if (extension_loaded('gd') && function_exists('gd_info')) {
echo "It looks like GD is installed";
}
?>I havent tested it myself, but it looks good. Maybe give that a go?
Posted 8 months ago #
yeah i also have a tread with Woo but they were quick to say "not our fault"... ;)
http://laboutique-galerie.com/GD.php
"It looks like GD is installed"
Posted 8 months ago #
Spent 2 hours with GoDaddy tech support.
GoDaddy says that the thumb.php has either a buggy code (hence the refusal to execute the script) or that it is trying to do something not allowed by godaddy.
I tried to tell them this is an out of the box php that is working on hundreds of thousand of site around the world but that didn't make a difference.
Permissions are set up correctly (that site is on a shared window server so i can't change permission of that specific file but the file inherit the permission from its folder which are set up correctly).
The tech mentioned maybe installing a php5.ini file but that's way above my head.
how does this sounds to you guys?
[a]
Posted 8 months ago #
The biggest red flag to me there is that it's a windows server. Maybe that has something to do with it? Is anyone successfully running the latest version of timthumb on a linux server hosted with godaddy?
I assume by setting up a php5.ini file, he's saying set up this server to run on PHP5 - but the last couple of versions of wordpress have required php5 (I think) - you'd be having a number of other problems if you were running php4. In fact, I think the scanner plugin requires php5 - I think I use some class stuff that didn't exist in php4.
At the end of the day, it basically boils down to the fact that your host isn't going to make this happen for you - so you can either spend some time or money figuring out WHY timthumb won't work on godaddy's servers, and try to get around it, or you can switch to a new host. Or, option 3, stop using timthumb. None of those are great options, I know - but I think that about covers it at this point.
Posted 8 months ago #
i place a comment in the timthumb forum about the shared window server and i'll keep you posted.
thanks for your time peter.
[a]
Posted 8 months ago #
I am using the latest version of timthumb on godaddy LINUX with no problems
Never had a problem running it, either old, or most recent
Posted 8 months ago #
Thanks @Rev. Voodoo, good to know.
is there anybody who has had success with GoDaddy on a window server?
Posted 8 months ago #
I assume by setting up a php5.ini file, he's saying set up this server to run on PHP5
On godaddy, they allow you to change some settings using a php.ini file.
By default if you are using godaddy, you are using php5
however, php4 is available.
php.ini and php4.ini will adjust settings for php4
php5.ini adjusts for php 5
That is most liklely why php5.ini was suggested. The server is almost certainly running php5
Posted 8 months ago #
This is starting to be too technical for me but is there any reason why i would want to use PHP4 instead of 5 to run that timthumb script?
Posted 8 months ago #
@aghelfi: Apologies, that was directed at @Peter Butler for info only in response to his question. I was affirming that you should be on php5, and the difference between the types of php.ini files specific to godaddy
If you bought your hosting in the past couple of years, you should be on php5
You want to be on php5, you would not want 4. Your php should be fine!
Out of curiosity, how established is your site, and is there a reason you need a windows server?
(Switching to linux is free, and far better.... thus the probing questions)
Posted 8 months ago #
I'm seeing rumblings around the webs that you cannot set individual permissions in godaddy windows hosting. Not sure if that affects you, or is still true
Posted 8 months ago #
Voodoo is right - php5 is the way to go. The only reason I brought it up was because WP now requires PHP5, and when users don't use it, problems manifest themselves in some weird ways. Because Godaddy tech support was mentioning a php5.ini file, I was wondering if he was trying to get you to switch TO php5 (like maybe you were currently on php4).
Regardless, it sounds to me like the problem is specific to Windows hosting on godaddy. I'm not sure if it's in your control, but I definitely think it would be worth looking into switching over to linux. For the average site, there's no reason I know of to be on windows - and there are plenty of reasons to be on linux.
Posted 8 months ago #
@Rev.
Regarding the individual permissions on GoDaddy: it's is true. only unix server can set that up individually on file. Window server assign permission per folder. files inside a folder inherit the permission from its folder. Not sure if that affects me, but it is true
Posted 8 months ago #
@Peter/Rev. Voodoo:
I'll talk to my client to see if they're okay with having their site down for 3-4 days, the time it will take to GoDaddy to migrate their site from Window to Lunix. I have no idea why it was set up that way originally. Since they purchased a multi-year hosting package with no refund option, i think it is worth trying this out, before switching hosting company.
Posted 8 months ago #
It took my hosting about 8 hours to transfer.... not that that is an indication of current expectations.
Linux will avoid many headaches down the road
You must log in to post.
