
[Plugin: Timthumb Vulnerability Scanner] False positive in WooThemes Canvas theme-options.php

  • Hiya!

    Awesome plugin 🙂

    Just wanted to let ya know that it incorrectly flags the theme-options.php file in Canvas as a timthumb file. I went through the file and had a look. It contains references to the fact that timthumb is used in the code comments, but no version numbers that I could see.

    More of an FYI and notice to anyone else out there – you shouldn’t overwrite this file 😉

    Thanks again!

    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
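As an added example (not code from the scanner plugin or from this thread), here is a small Python checker that applies the distinction the post above makes: a file is treated as a TimThumb copy only when it defines a VERSION constant in live code, not merely when it mentions timthumb in comments. The sample files, the file layout and the 2.0 safe-version threshold are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# TimThumb's version constant, e.g. define ('VERSION', '2.8');
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"](\d+(?:\.\d+)*)['"]\s*\)""")
# Naive PHP comment stripper (/* */, //, #); enough for a define() check.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Assumed threshold: copies older than 2.0 are reported as vulnerable.
SAFE_FROM = (2, 0)


def classify(src: str) -> str:
    """Return 'not-timthumb', 'timthumb-ok' or 'timthumb-vulnerable'."""
    if "timthumb" not in src.lower():
        return "not-timthumb"
    # Require the version constant outside comments: a theme file that only
    # mentions TimThumb in a comment (the theme-options.php case) is skipped.
    m = VERSION_RE.search(COMMENT_RE.sub("", src))
    if m is None:
        return "not-timthumb"
    version = tuple(int(p) for p in m.group(1).split("."))
    return "timthumb-ok" if version >= SAFE_FROM else "timthumb-vulnerable"


def scan(root: Path) -> dict:
    """Map every .php file under root to its classification."""
    return {p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
            for p in root.rglob("*.php")}


# Constructed sample files, not the real theme or TimThumb sources.
SAMPLES = {
    "canvas/theme-options.php":
        "<?php\n// Featured image sizes passed to timthumb.\n"
        "$options[] = array('id' => 'woo_thumb_w', 'std' => '220');\n",
    "old-theme/thumb.php":
        "<?php\n/* TimThumb script */\ndefine ('VERSION', '1.34');\n"
        "$src = $_GET['src'];\n",
    "timthumb.php":
        "<?php\n/* TimThumb */\n// define ('VERSION', '1.34');\n"
        "define ('VERSION', '2.8');\nclass timthumb {}\n",
}


def demo() -> dict:
    """Write the samples to a temporary tree and scan it."""
    root = Path(tempfile.mkdtemp())
    for name, body in SAMPLES.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body)
    return scan(root)
```

Only files that define VERSION outside comments are reported, so the Canvas sample is left alone while the old-theme copy is flagged.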

Viewing 15 replies - 1 through 15 (of 34 total)
  • I’m working with another Woo Theme – Headlines – and the same thing just happened. Replacing the theme-options.php file with the original did the trick.

    Plugin Author Peter Butler

    @peterebutler

    Hey Guys –

    I’ve had a number of people report this, but I haven’t been able to make it happen.

    Is there any chance you could email me copies of the themes that it’s throwing false positives on to peter@codegarage.com? That would be a huge help for me.

    Thanks!

    Plugin Author Peter Butler

    @peterebutler

    Mason was kind enough to send me the file in question – Version 1.3 (which is now showing up on the download page) should prevent this problem from happening.

    Thanks Mason!

    My pleasure Peter. Thanks for your contribution to the WordPress community 🙂

    Hi Peter,

    I’m emailing you one now for the WooTheme – continuum that caused the site to look goofy after upgrading with your plugin.

    I am getting this error while trying to fix vulnerable timthumb files:

    Warning: Cannot modify header information – headers already sent by (output started at D:\Hosting\4793881\html\wp-admin\menu-header.php:97) in D:\Hosting\4793881\html\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 410
    A TimThumb error has occured
    The following error(s) occured:
    No image specified
    Query String : page=cg-timthumb-scanner
    TimThumb version : 2.8

    WP has been updated to 3.2.1, object to 1.7.1 and framework to 4.5.3.
    Any idea on what’s up?
    Thanks!
    [a]

    Plugin Author Peter Butler

    @peterebutler

    @aghelfi

    Can you check which version of the scanner plugin you’re using? It should be on the plugins page. This happened occasionally with version 1.0 and 1.1, but it was (hopefully) fixed with version 1.3.

    Also – can you access the front end of your site after you get that error message?

    @peter

    Version 1.3

    I can access the front end but the thumbnail images are not loading on homepage and archive pages.

    If you have a Woo account, I also posted in their forum (pasted below):
    http://www.woothemes.com/support-forum/?viewtopic=53666

    I am having a problem with a WP/object website.

    WP has been updated to 3.2.1, object to 1.7.1 and framework to 4.5.3.

    Timthumb is not working on the homepage and in the archive pages.

    I installed the Timthumb Vulnerability Scanner plugin and can see 2 vulnerable timthumb files in older theme directories but can’t fix them due to an error:
    Warning: Cannot modify header information – headers already sent by (output started at D:\Hosting\4793881\html\wp-admin\menu-header.php:97) in D:\Hosting\4793881\html\wp-content\plugins\timthumb-vulnerability-scanner\cg-tvs-filescanner.php on line 410
    A TimThumb error has occured
    The following error(s) occured:
    No image specified
    Query String : page=cg-timthumb-scanner
    TimThumb version : 2.8
    I unchecked the Dynamic Image Resizer in the object panel, so right now the images on the homepage are stretched.
    If I reactivate it, the thumbnails aren’t displayed and bring a “bad request”, as seen here: http://www.laboutique-galerie.com/wp-content/themes/ObjectLaBoutique/functions/thumb.php?src=wp-content/uploads/2011/09/CSTM01-680×1024.jpg&w=220&h=220&zc=1&q=100

    The website is http://www.laboutique-galerie.com

    Any idea on how to make sure timthumb is working?

    @peter

    Opening a broken image to another tab gives me that URL:

    http://www.laboutique-galerie.com/wp-content/themes/object/functions/thumb.php?src=wp-content/uploads/2011/09/CSTM01-680×1024.jpg&w=220&h=220&zc=1&q=100

    I don’t see a ref to the cache folder so I don’t think it is a permission issue.

    Any idea?
    [a]

    Plugin Author Peter Butler

    @peterebutler

    Aghelfi, I’m starting to wonder if this is something your host has done to lock down timthumb vulnerabilities. Have you checked the permissions on the thumb.php file?

    Can you try placing a fresh copy of timthumb (http://timthumb.googlecode.com/svn/trunk/timthumb.php) somewhere on the server, and then loading up that url to see if you still get the “Bad Request” error?

    @peter
    Yes, it is possible. That server is on GoDaddy.

    I placed a fresh copy of timthumb here:
    http://laboutique-galerie.com/timthumb.php

    I am still getting a bad request there, if that’s what you wanted me to do.

    If I try to CHMOD the freshly uploaded Timthumb using Fetch, I get this:

    SITE CHMOD 666 timthumb.php
    500 ‘SITE CHMOD 666 timthumb.php’: command not understood
    ftp_cmd/ftp_user: 2,-30000 (state == SETTING_PERMS)

    Would that make you wonder even more?
    [a]

    Plugin Author Peter Butler

    @peterebutler

    Hm. Very strange. Can you try naming the file something else (like tester.php or something) and trying it? If it is being locked down by godaddy, I’m just wondering if they’re automatically doing it based on filename or something.

    FYI, I installed a fresh WP/Wootheme/wooframework in a sub folder on the same server and I am getting the same result…

    http://laboutique-galerie.com/2012/

    Plugin Author Peter Butler

    @peterebutler

    It’s got to be something to do with your server – I’m just not really sure what could be causing the problem. I’d be surprised if it’s godaddy blocking it at this point – blocking files with the same content but different names seems a little intrusive for a host.

    Hah – I just did a quick google and found you on stackoverflow – I was just about to point you at that thread…

    As somebody else in that thread pointed out – maybe it’s something to do with PHP GD (php’s graphics library)?

    Looks like this is some code to check if GD is installed:

    <?php
    if (extension_loaded('gd') && function_exists('gd_info')) {
        echo "It looks like GD is installed";
    }
    ?>

    I haven’t tested it myself, but it looks good. Maybe give that a go?

  • The topic ‘[Plugin: Timthumb Vulnerability Scanner] False positive in WooThemes Canvas theme-options.php’ is closed to new replies.