We live in a world where some people do evil. It is sad that the rest of us have to pay for it.
Yesterday, we noticed that DukaPress’ TimThumb script was not working properly on some sites. For some reason (unknown to us at that time), the timthumb script was suddenly not accessible and could not re-size images properly, thus breaking them. On further inspection, we noticed that all these sites were hosted at www.hostgator.com. After discussions with Hostgator, we found the problem. Here is part of Hostgator’s response to us:
The issue is that we updated one of the mod_sec rules. It is true that we’ll need to whitelist any domain that is using this script, so be sure to list all domains and subdomains that may be using the script so we can make sure they are whitelisted ASAP. I’ve gone ahead and taken care of those you listed in your reply.
It is correct that all sites running this script that we host will fail unless we whitelist the site against the rule. The rule blocks RFI attacks and cross-site scripting because it can be used in a malicious manner, however there are legit scripts that use the mechanism, such as timthumb, ergo sites that use that script need to be whitelisted against the rule.
We apologize for not giving forewarning about this update and we want to work with you to make sure your sites are running correctly ASAP, so please list any other sites that you have that may use this script.
This means that DukaPress will not work properly on Hostgator unless you contact them and ask them to whitelist your site against one of the mod_sec rules on their servers. This issue may also happen with any other web host that has these rules activated. It may also mean that timthumb will not work elsewhere either, not just in DukaPress.
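For readers who administer their own Apache server with mod_security (or who want something concrete to ask their host for), the following is an added example, not Hostgator’s rule or DukaPress code, of scoping the exception to the timthumb script only instead of whitelisting whole domains. The rule ID to remove is a placeholder, since the post does not name it; the exception rule’s own ID is an arbitrary number in the local range.

```apache
# Added example: disable one mod_security rule only for requests to timthumb.php,
# so the rest of the site keeps the RFI / cross-site scripting protection.
#
# RULE_ID_PLACEHOLDER is the ID of the rule that blocks timthumb (find it in the
# mod_security audit log entry for the blocked request; the post does not name it).
# 1000100 is an arbitrary ID in the range reserved for local rules.
SecRule REQUEST_FILENAME "@endsWith /timthumb.php" \
    "id:1000100,phase:1,pass,nolog,ctl:ruleRemoveById=RULE_ID_PLACEHOLDER"
```

Whitelisting a whole domain, as described above, turns the rule off for every script on that site; the path-scoped form limits the exposure to the one script that legitimately needs it.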
Please contact your web host should you have an unexplained problem with images re-sized by timthumb on DukaPress, or anywhere else.
One can hardly blame the web hosts – they have to ensure security. It’s the bad guys out there to blame.