Support » Plugin: Timthumb Vulnerability Scanner » [Plugin: Timthumb Vulnerability Scanner] False positive in WooThemes Canvas theme-options.php

  • Hiya!

    Awesome plugin 🙂

    Just wanted to let ya know that it incorrectly flags the theme-options.php file in Canvas as a timthumb file. I went through the file and had a look. It contains references to the fact that timthumb is used in the code comments, but no version numbers that I could see.

    More of an FYI and notice to anyone else out there – you shouldn’t overwrite this file 😉

    Thanks again!

Viewing 15 replies - 16 through 30 (of 34 total)
  • yeah i also have a tread with Woo but they were quick to say “not our fault”… 😉

    “It looks like GD is installed”

    Spent 2 hours with GoDaddy tech support.

    GoDaddy says that the thumb.php has either a buggy code (hence the refusal to execute the script) or that it is trying to do something not allowed by godaddy.

    I tried to tell them this is an out of the box php that is working on hundreds of thousand of site around the world but that didn’t make a difference.

    Permissions are set up correctly (that site is on a shared window server so i can’t change permission of that specific file but the file inherit the permission from its folder which are set up correctly).

    The tech mentioned maybe installing a php5.ini file but that’s way above my head.

    how does this sounds to you guys?

    Plugin Author Peter Butler


    The biggest red flag to me there is that it’s a windows server. Maybe that has something to do with it? Is anyone successfully running the latest version of timthumb on a linux server hosted with godaddy?

    I assume by setting up a php5.ini file, he’s saying set up this server to run on PHP5 – but the last couple of versions of wordpress have required php5 (I think) – you’d be having a number of other problems if you were running php4. In fact, I think the scanner plugin requires php5 – I think I use some class stuff that didn’t exist in php4.

    At the end of the day, it basically boils down to the fact that your host isn’t going to make this happen for you – so you can either spend some time or money figuring out WHY timthumb won’t work on godaddy’s servers, and try to get around it, or you can switch to a new host. Or, option 3, stop using timthumb. None of those are great options, I know – but I think that about covers it at this point.

    i place a comment in the timthumb forum about the shared window server and i’ll keep you posted.

    thanks for your time peter.

    I am using the latest version of timthumb on godaddy LINUX with no problems

    Never had a problem running it, either old, or most recent

    Thanks @rev. Voodoo, good to know.
    is there anybody who has had success with GoDaddy on a window server?

    I assume by setting up a php5.ini file, he’s saying set up this server to run on PHP5

    On godaddy, they allow you to change some settings using a php.ini file.

    By default if you are using godaddy, you are using php5

    however, php4 is available.

    php.ini and php4.ini will adjust settings for php4

    php5.ini adjusts for php 5

    That is most liklely why php5.ini was suggested. The server is almost certainly running php5

    This is starting to be too technical for me but is there any reason why i would want to use PHP4 instead of 5 to run that timthumb script?

    @aghelfi: Apologies, that was directed at @peter Butler for info only in response to his question. I was affirming that you should be on php5, and the difference between the types of php.ini files specific to godaddy

    If you bought your hosting in the past couple of years, you should be on php5

    You want to be on php5, you would not want 4. Your php should be fine!

    Out of curiosity, how established is your site, and is there a reason you need a windows server?

    (Switching to linux is free, and far better…. thus the probing questions)

    I’m seeing rumblings around the webs that you cannot set individual permissions in godaddy windows hosting. Not sure if that affects you, or is still true

    Plugin Author Peter Butler


    Voodoo is right – php5 is the way to go. The only reason I brought it up was because WP now requires PHP5, and when users don’t use it, problems manifest themselves in some weird ways. Because Godaddy tech support was mentioning a php5.ini file, I was wondering if he was trying to get you to switch TO php5 (like maybe you were currently on php4).

    Regardless, it sounds to me like the problem is specific to Windows hosting on godaddy. I’m not sure if it’s in your control, but I definitely think it would be worth looking into switching over to linux. For the average site, there’s no reason I know of to be on windows – and there are plenty of reasons to be on linux.

    Regarding the individual permissions on GoDaddy: it’s is true. only unix server can set that up individually on file. Window server assign permission per folder. files inside a folder inherit the permission from its folder. Not sure if that affects me, but it is true

    @peter/Rev. Voodoo:
    I’ll talk to my client to see if they’re okay with having their site down for 3-4 days, the time it will take to GoDaddy to migrate their site from Window to Lunix. I have no idea why it was set up that way originally. Since they purchased a multi-year hosting package with no refund option, i think it is worth trying this out, before switching hosting company.

    It took my hosting about 8 hours to transfer…. not that that is an indication of current expectations.

    Linux will avoid many headaches down the road

    godaddy tech support told me “3 days” yesterday. i’ll keep everybody posted. still waiting for a reply from timthumb support page.

Viewing 15 replies - 16 through 30 (of 34 total)
  • The topic ‘[Plugin: Timthumb Vulnerability Scanner] False positive in WooThemes Canvas theme-options.php’ is closed to new replies.