Peter Butler
Forum Replies Created
Hey Wil –
That’s baffling. Do you, by chance, have a nonstandard wp-content location?
Hey Guys –
Sorry about the mess! I’m guessing this is because you’re working on Windows servers – the plugin should ignore its own files, but on Windows servers, it had trouble with that. I’ve just released an update that fixes the issue on Windows servers, so you should be set moving forward.
Thanks!
Forum: Plugins
In reply to: Timthumb Vulnerability Scanner Plugin INVALID ARGUMENT
Sorry guys – Version 1.52 takes care of this.
Thanks!
DMX, I at least verified that this happens on Windows installations, but I’ve updated the plugin to handle those properly – should be working now.
Thanks!
Sorry guys – the problem was that 2.8.10 looked older than 2.8.5 (because 1 is less than 5, rather than 10 being more than 5) to the plugin.
Version 1.52, which was just released, should remedy the problem.
Thanks!
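The bug described in the reply above comes from comparing version strings character by character. As an added illustration (not code from the plugin or from Peter), here is the naive comparison beside PHP’s built-in version_compare(), which splits on dots and compares each component as a number; the function names are made up for this example.

```php
<?php
// Added example, not the plugin's own code: why "2.8.10" looked older than
// "2.8.5" to a string comparison, and the idiomatic fix.

// Naive approach: strcmp() compares character by character, so "2.8.10"
// sorts before "2.8.5" because '1' comes before '5'. The same problem
// appears with floatval(): (float) "2.8.10" and (float) "2.8.5" both
// collapse to 2.8.
function naive_is_outdated(string $installed, string $latest): bool
{
    return strcmp($installed, $latest) < 0;
}

// Correct approach: version_compare() understands dotted versions and
// treats each component numerically, so 10 is greater than 5.
function is_outdated(string $installed, string $latest): bool
{
    return version_compare($installed, $latest, '<');
}

// Constructed sample pairs (installed, latest) for comparison.
$pairs = array(
    array('2.8.10', '2.8.5'),
    array('2.8.2', '2.8.5'),
    array('2.8.5', '2.8.5'),
);

foreach ($pairs as $pair) {
    list($installed, $latest) = $pair;
    printf(
        "%-7s vs %-7s naive: %-5s version_compare: %s\n",
        $installed,
        $latest,
        naive_is_outdated($installed, $latest) ? 'outdated' : 'ok',
        is_outdated($installed, $latest) ? 'outdated' : 'ok'
    );
}
```

For the first pair the naive function flags 2.8.10 as outdated while version_compare() correctly reports it as newer than 2.8.5; the other two pairs agree either way. For a scanner whose whole job is deciding whether an installed copy is older than the last safe release, this is the one comparison that has to be right.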
Should be fixed with 1.52. Sorry it took me so long to get to this, guys.
I almost forgot – For the last few versions (I don’t know since when off the top of my head), timthumb has allowed for a config file, named timthumb-config.php, and stored in the same directory as your timthumb instance, to override default timthumb settings.
By using this, you can maintain any settings you’d like, without having to worry about updates overwriting them. Unfortunately, I can’t really find any documentation or examples right now – but here are 2 things to get you started:
https://code.google.com/p/timthumb/issues/detail?id=318
https://timthumb.googlecode.com/svn/trunk/timthumb.php (start reading at “— TimThumb CONFIGURATION —”)
Hope that helps!
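Since the reply above points at the configuration block but gives no sample, here is an added example of a timthumb-config.php (not from the original post or from the timthumb project) that pins the settings most relevant to the vulnerability discussed in this thread. It assumes timthumb 2.8’s mechanism of including timthumb-config.php first and then applying its own defaults only for constants that are not yet defined; the constant names are the ones from that configuration block as I recall them and should be checked against the “— TimThumb CONFIGURATION —” section of your own timthumb.php.

```php
<?php
// timthumb-config.php -- added example, not from the original post.
// Place it next to timthumb.php. timthumb includes this file before applying
// its own defaults with `if (!defined('X')) define('X', ...)`, so anything
// defined here wins and survives a scanner update that overwrites timthumb.php.
//
// Assumption: the constant names below match the configuration block of
// timthumb 2.8.x. Verify each one against your copy before relying on it.

// Keep debugging off on a live site; the debug output reveals paths and settings.
define('DEBUG_ON', false);

// Fetching images from remote hosts is the feature the pre-2.0 vulnerability
// abused. Leave it off unless a theme genuinely needs it, and never open it to
// every external site.
define('ALLOW_EXTERNAL', false);
define('ALLOW_ALL_EXTERNAL_SITES', false);

// Cap the output size so a single request cannot be used to exhaust memory.
define('MAX_WIDTH', 1500);
define('MAX_HEIGHT', 1500);

// Cache settings: keep the cache inside the timthumb directory rather than a
// world-writable location.
define('FILE_CACHE_ENABLED', true);
define('FILE_CACHE_DIRECTORY', dirname(__FILE__) . '/cache');
```

The point of the file is that the scanner can keep replacing timthumb.php with the latest release while these values stay fixed; if a constant name here does not appear in your timthumb.php’s configuration block, timthumb will silently ignore it, so the check against the source is worth doing once.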
Unfortunately, at this point, the plugin isn’t smart enough to maintain settings, only to update the file to the latest version, so you’ll have to reset these defaults yourself.
Maintaining them shouldn’t be impossible, however – I’ll look into the feasibility of not overwriting them.
Sorry about that, (big) oversight on my part. It is fixed with version 1.51.
Alright guys, you should start seeing requests to update the plugin on your sites shortly, as the new version is live. The new version should fix the issue where the timthumb src file would not update (so vulnerable/outdated instances would not update either). This version also includes a daily scanner, which runs by default – you can turn it off on the options panel of the timthumb scanner page.
As always, it would be a huge help to me if you could alert me to any bugs or annoyances you find in the plugin, so I can get them taken care of asap.
Thanks!
Hey Guys –
Really sorry about this – I got wrapped up in some other work and wasn’t able to get back to the plugin. I’ve identified and fixed the problem, along with a couple of other new features, and I’ll be releasing an update by the end of the day.
Thanks for your patience!
This is sort of a loaded subject. The main vulnerability, which caused all of the issues, is fixed as of version 2 – so version 2.8 is much safer than anything under version 2. However, there was some concern around the way even 2.8 sanitized some input, and it wasn’t as secure as it COULD be. That was fixed as of version 2.8.2.
So: is version 2.8 vulnerable? Not in the way pre-2.0 versions were – however, to be absolutely safe, it’s a good idea to be running 2.8.2 or above.
A couple of points:
The script that was keeping the version up to date (which should now have been returning version 2.8.5) had an issue, and wasn’t keeping up. That’s been fixed, so you should start seeing 2.8.5 as the latest available version (although, depending on when you last ran the scanner, it may be a day or so before the latest version value updates. Deactivating/reactivating should force an update).
As for your other issue – that’s trickier – it’s possible that the plugin didn’t download the latest version like it was supposed to. The plugin comes bundled with 2.8.2, but the latest version SHOULD be downloaded as soon as the plugin sees that there’s a new one available. However – that process isn’t foolproof.
Try deactivating and reactivating, and let me know if that makes any difference.
Thanks!
Hey Guys –
When the plugin is first activated, it sends a request to my server to retrieve the version numbers for the latest version of timthumb.php, and the latest one with no known security vulnerability. I’m guessing the errors you saw were related to not being able to make the connection. If it can’t make the connection, the plugin defaults to the latest version when the plugin was released (2.8.2), so you should be fine for now.
I’ll look into suppressing those errors on activation for the next version.
Thanks!
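The reply above describes the version lookup the plugin makes on activation and its fallback to the bundled 2.8.2 when the request fails. As an added example (not the plugin’s own code), here is how that lookup can be written with the WordPress HTTP API so that a failed connection produces a clean fallback instead of PHP errors, and so that a malformed reply is never trusted. The endpoint URL is a placeholder, the response format (two version strings, one per line) is an assumption made for this example, and the function names are invented.

```php
<?php
// Added example, not the plugin's own code: fetch the latest timthumb
// version and the latest version with no known vulnerability, validate the
// reply, and fall back to the bundled version when anything goes wrong.

define('TVS_BUNDLED_TIMTHUMB_VERSION', '2.8.2');   // version shipped with the plugin
// Placeholder endpoint; the real plugin uses the author's own server.
define('TVS_VERSION_ENDPOINT', 'https://example.invalid/timthumb-versions.txt');

function tvs_fetch_version_info(): array
{
    $fallback = array(
        'latest' => TVS_BUNDLED_TIMTHUMB_VERSION,
        'safe'   => TVS_BUNDLED_TIMTHUMB_VERSION,
    );

    // wp_remote_get() returns a WP_Error on connection failure rather than
    // emitting warnings, so the failure is checked, not suppressed.
    $response = wp_remote_get(TVS_VERSION_ENDPOINT, array('timeout' => 5));
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return $fallback;
    }

    // Assumed format: line 1 = latest release, line 2 = latest safe release.
    $lines = array_map('trim', explode("\n", wp_remote_retrieve_body($response)));

    // Accept only dotted numeric versions. An HTML error page, a captive
    // portal, or anything else unexpected is discarded in favour of the
    // bundled default instead of being compared or displayed.
    $valid = '/^\d+(\.\d+){1,3}$/';
    if (count($lines) < 2 || !preg_match($valid, $lines[0]) || !preg_match($valid, $lines[1])) {
        return $fallback;
    }

    return array('latest' => $lines[0], 'safe' => $lines[1]);
}

// Classify an installed copy against the fetched (or fallback) versions.
function tvs_classify(string $installed, array $info): string
{
    if (version_compare($installed, $info['safe'], '<')) {
        return 'vulnerable';   // older than the last release with no known issue
    }
    if (version_compare($installed, $info['latest'], '<')) {
        return 'outdated';     // safe, but not the current release
    }
    return 'current';
}
```

With the fallback in place, a site that cannot reach the version server still gets a sensible answer (everything below 2.8.2 is flagged), and a server that returns garbage cannot make the scanner report a vulnerable copy as safe.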
@madaboutu – no, not normal, but I haven’t been able to figure out exactly why it happens yet. Regardless – just don’t replace those files – the rest of the scanner should work just fine.
Thanks!
Peter