Peter Butler
Forum Replies Created
I’m guessing (hoping) that’s the case, as I’m running out of ideas for how that could happen. Still – keep me updated if you run into the issue (or any other issue) – it’s a big help to me.
Thanks!
Hey Sneader – On the site that had the problem most recently – did you upgrade to 1.42, have the problem, and then upgrade to 1.43, and continue seeing it until deactivating/reactivating?
This is an issue with php 4 servers. I can get you a copy that will work for php4, but your best bet is really to get your server updated to php5.
If you really need a copy that will run on php4, send me a message from my contact form (click my name to get to the site).
Sorry about that! Made a silly mistake while committing the new version.
Versions 1.42 and greater fix this problem.
Hey Sneader –
First of all, thanks for all the help – it’s hugely appreciated.
As for your issue: The plugin has to go out and check for the latest plugin version, and it looks like my error checking logic is less than stellar if something happens (i.e. for whatever reason, the request doesn’t work). I’ve got a fix in the works that should ensure you never end up in your situation (empty “latest version” and “safe version” values), but in the meantime, try deactivating and reactivating the plugin. That should clear your data and then request those values again (on reactivation) – so, assuming the reason the request didn’t work last time is not persistent, you should get good data.
I should have an update out that does a better job of handling this tomorrow sometime.
Thanks!
My inexperience with SVN strikes again. Unfortunately, I managed to not add in a few files to the SVN repository. They’re in there now, in version 1.42 – but that might not update on www.ads-software.com for a few minutes (or maybe a few hours).
Thanks so much for pointing this out to me – who knows how long I would have gone before realizing.
That’s not good. I’ll see what I can find out.
Hey Guys –
Sorry I was so late on this – it ended up being a bigger update than I expected, but I’m pretty excited about the result.
Sneader, to answer your questions:
The way the plugin works now (as of version 1.4) is that it sends out a request to find out what the latest version of timthumb is (it checks this every time you load up the scanner page, but no more than once a day). If, based on that updated information, you have out of date code on your site, you’ll be notified, and you can automatically update to the latest version, which will be downloaded from the code’s official home at google code.
I really wanted to get this out today, so hopefully I didn’t rush it too much – if you notice anything wrong, please let me know.
Thanks!
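The two replies above describe the plugin’s version check (a request for the latest timthumb version, capped at once a day) and the failure mode from the earlier reply, where a failed request left empty “latest version” values behind. The following is an added illustration written for this page, not the Timthumb Vulnerability Scanner’s own code: it caches the result for a day, refuses to store an empty or malformed response, and falls back to the last good value when the request fails. The version URL, the option/transient names and every `tts_example_*` function are assumptions; `wp_remote_get`, `get_transient`/`set_transient`, `get_option`/`update_option` and `version_compare` are real WordPress and PHP functions.

```php
<?php
// Added example (not the plugin's own code): a daily-capped "latest version"
// lookup that never replaces good data with an empty string when the request fails.

// Assumed location of a plain-text file holding the latest version number.
define('TTS_EXAMPLE_VERSION_URL', 'https://example.invalid/timthumb-latest-version.txt');
// Assumed transient/option name used as the cache key.
define('TTS_EXAMPLE_CACHE_KEY', 'tts_example_latest_version');

/**
 * Return the latest known timthumb version string, or null if nothing is known yet.
 * The remote file is fetched at most once per day (the transient lives 24 hours).
 * A failed, non-200 or malformed response leaves the previously stored value alone.
 */
function tts_example_latest_version() {
    $cached = get_transient(TTS_EXAMPLE_CACHE_KEY);
    if (is_string($cached) && $cached !== '') {
        return $cached; // checked within the last 24 hours; no new request
    }

    $response = wp_remote_get(TTS_EXAMPLE_VERSION_URL, array('timeout' => 10));
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return tts_example_last_good_version(); // request failed: do not cache ""
    }

    $body = trim(wp_remote_retrieve_body($response));
    // Accept only a plausible version such as "2.8.10"; anything else counts as a failure.
    if (!preg_match('/^\d+(\.\d+){1,3}$/', $body)) {
        return tts_example_last_good_version();
    }

    set_transient(TTS_EXAMPLE_CACHE_KEY, $body, 24 * 60 * 60);
    // Long-lived copy that survives transient expiry, used as the fallback above.
    update_option(TTS_EXAMPLE_CACHE_KEY . '_last_good', $body);
    return $body;
}

/** Last successfully fetched version, or null if there has never been one. */
function tts_example_last_good_version() {
    $last_good = get_option(TTS_EXAMPLE_CACHE_KEY . '_last_good', '');
    return ($last_good === '') ? null : $last_good;
}

/**
 * Compare an installed copy against the latest known version.
 * Returns true (out of date), false (current), or null when either side is unknown,
 * so callers can show "could not check" instead of a misleading verdict.
 */
function tts_example_is_outdated($installed, $latest) {
    if ($latest === null || $installed === null || $installed === '') {
        return null;
    }
    return version_compare($installed, $latest, '<');
}
?>
```

The point of the three-way result in `tts_example_is_outdated` is the situation from the earlier reply: when the check could not run, the scanner should say so rather than either reporting every file as vulnerable or silently treating an empty “latest version” as up to date.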
Hey Guys –
Sorry, I got wrapped up last week, and didn’t get to this. I’m working on it now, and I anticipate having the update online by the end of the day tomorrow.
Bob – Yes, I’ll set it up to patch anything earlier than the most recently available version.
So it is. While the problem isn’t nearly the same magnitude that the original problem was (especially taking into account the extra security in how cached files are saved) it IS less than ideal. I’ll have the scanner update submitted by the end of the day. Thanks for alerting me to this!
Also, I think I read that by default, allow_external is now false, which solves your other concern.
I don’t, however, see a clear path for either of these problems to be used to actually gain access to a server, so implying that 2.7 is as insecure as ever is just not true (as far as I can tell). Can you theorize a hack that could get around the cache security settings in order to execute code on the server? I’d be interested to hear it.
Thanks again!
Sounds like a bug – the scanner file WILL match itself (and therefore flag as vulnerable), but it should be set to skip over scanning that file. I’ll try to take a closer look at what could have caused the issue you saw. If you’ve got any info you can share, I’d love to hear it. Thanks!
While I haven’t reviewed the code changes myself, I trust the (many) people who have been involved in the work on timthumb since the vulnerability was discovered, and I trust when they say the vulnerability that has caused so many problems is solved in versions 2.0 and greater. I will, however, try to find some time to sit down and review the code to see if I can corroborate what you’re saying. I’d love more info on the particular vulnerability you’re referencing (half-capable domain squatters?), if you’ve got the time to share it (you can email me if you prefer – contact form on my site).
With that said, having the plugin download the latest version from google code isn’t a bad idea – I’ll give it some thought.
The goal of the plugin is not to make security decisions for people, it’s to make sure they’re aware of and have upgraded timthumb – so I’m not interested in switching default settings while upgrading.
Voodoo is right – php5 is the way to go. The only reason I brought it up was because WP now requires PHP5, and when users don’t use it, problems manifest themselves in some weird ways. Because Godaddy tech support was mentioning a php5.ini file, I was wondering if he was trying to get you to switch TO php5 (like maybe you were currently on php4).
Regardless, it sounds to me like the problem is specific to Windows hosting on godaddy. I’m not sure if it’s in your control, but I definitely think it would be worth looking into switching over to linux. For the average site, there’s no reason I know of to be on windows – and there are plenty of reasons to be on linux.
The biggest red flag to me there is that it’s a windows server. Maybe that has something to do with it? Is anyone successfully running the latest version of timthumb on a linux server hosted with godaddy?
I assume by setting up a php5.ini file, he’s saying set up this server to run on PHP5 – but the last couple of versions of wordpress have required php5 (I think) – you’d be having a number of other problems if you were running php4. In fact, I think the scanner plugin requires php5 – I think I use some class stuff that didn’t exist in php4.
At the end of the day, it basically boils down to the fact that your host isn’t going to make this happen for you – so you can either spend some time or money figuring out WHY timthumb won’t work on godaddy’s servers, and try to get around it, or you can switch to a new host. Or, option 3, stop using timthumb. None of those are great options, I know – but I think that about covers it at this point.
It’s got to be something to do with your server – I’m just not really sure what could be causing the problem. I’d be surprised if it’s godaddy blocking it at this point – blocking files with the same content but different names seems a little intrusive for a host.
Hah – I just did a quick google and found you on stackoverflow – I was just about to point you at that thread…
As somebody else in that thread pointed out – maybe it’s something to do with PHP GD (php’s graphics library)?
Looks like this is some code to check if GD is installed:
<?php
// Report whether PHP's GD extension is loaded and its gd_info() function is available
if (extension_loaded('gd') && function_exists('gd_info')) {
    echo "It looks like GD is installed";
}
?>
I haven’t tested it myself, but it looks good. Maybe give that a go?