We live in a bad world

We live in a world where some people do evil. It is sad that the rest of us have to pay for it.

Yesterday, we noticed that DukaPress’ TimThumb script was not working properly on some sites. For some weird reason (unknown to us at that time), the timthumb script was suddenly not accessible and could not re-size images properly, thus breaking them. On further inspection, we noticed that all these sites were hosted at www.hostgator.com. After discussions with Hostgator, we found the problem. Here is part of Hostgator’s response to us:

The issue is that we updated one of the mod_sec rules. It is true that we’ll need to whitelist any domain that is using this script, so be sure to list all domains and subdomains that may be using the script so we can make sure they are whitelisted ASAP. I’ve gone ahead and taken care of those you listed in your reply.

It is correct that all sites running this script that we host will fail unless we whitelist the site against the rule. The rule blocks RFI attacks and cross-site scripting because the mechanism can be used in a malicious manner; however, there are legit scripts that use the mechanism, such as timthumb, ergo sites that use that script need to be whitelisted against the rule.

We apologize for not giving forewarning about this update and we want to work with you to make sure your sites are running correctly ASAP, so please list any other sites that you have that may use this script.

This means that DukaPress will not work properly on Hostgator unless you contact them and have your domains whitelisted against that mod_sec rule on their servers. The same issue can occur with any other web host that has these rules activated, and it affects timthumb itself, so any theme or plugin using timthumb on such a host will break, not just DukaPress.
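
To show why a legitimate timthumb request trips a rule of this kind and how a per-script whitelist resolves it, here is an added example (not DukaPress code and not HostGator’s actual mod_security rule): a simplified stand-in for a WAF remote-file-inclusion check, run over constructed requests. The site hostname, the plugin path and the `src` query parameter used by the sample requests are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Simplified stand-in for a WAF "remote file inclusion" check (constructed
# example, not the host's real rule): any query parameter whose value is an
# absolute http(s) URL pointing to a host other than the site is flagged.
SITE_HOST = "shop.example"  # assumed hostname of the protected site

def is_remote_url(value: str) -> bool:
    parts = urlsplit(value)
    return (parts.scheme in ("http", "https")
            and bool(parts.netloc)
            and parts.hostname != SITE_HOST)

def rfi_rule_hits(query: str) -> list:
    """Return the names of query parameters that look like off-site URLs."""
    return [name for name, val in parse_qsl(query, keep_blank_values=True)
            if is_remote_url(val)]

def waf_decision(request_path: str, query: str, whitelist=()) -> str:
    """'allow' or 'block'. `whitelist` lists script paths for which the RFI
    rule is switched off, mirroring the per-site exclusion the host applies."""
    if request_path in whitelist:
        return "allow"
    return "block" if rfi_rule_hits(query) else "allow"

# Constructed sample requests (plugin path is an assumption).
TIMTHUMB = "/wp-content/plugins/dukapress/timthumb.php"
REQUESTS = [
    # legit: resize a local upload given by relative path -> nothing off-site
    (TIMTHUMB, "src=wp-content/uploads/item.jpg&w=150&h=150"),
    # legit for timthumb, but indistinguishable from RFI to the rule: remote src
    (TIMTHUMB, "src=http://images.example.net/item.jpg&w=150&h=150"),
    # what the rule exists for: an include-style parameter fed a remote URL
    ("/index.php", "page=http://example.net/include.txt"),
]

def run(whitelist=()) -> list:
    """Evaluate every sample request and return the list of decisions."""
    return [waf_decision(path, query, whitelist) for path, query in REQUESTS]

if __name__ == "__main__":
    print("no whitelist :", run())                       # allow, block, block
    print("with whitelist:", run(whitelist=(TIMTHUMB,)))  # allow, allow, block
```

The whitelist is scoped to the timthumb script path only, so the third request (the pattern the rule is meant to stop) stays blocked either way.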

Please contact your web host should you have a weird, inexplicable problem with images re-sized by timthumb on DukaPress, or anywhere else.

One can hardly blame the web hosts – they have to ensure security. It’s the bad guys out there to blame.

14 Responses

  1. Anca says:

    This is a common problem w/ TimThumb – I’ve been seeing it since at least last fall when I started using themes and plugins that do Timthumb. Thanks for pointing it out on your site – it makes it easier to troubleshoot.

  2. 安心 says:

    This is my first time visiting here! I found so much useful stuff on your website, especially its discussion! From the many comments on your articles, I guess I’m not the only one getting so much satisfaction here! Keep up the good job.

  3. Shelly says:

    Is there an updated list of “approved hosting”?

  4. Superb blog post, I have bookmarked this website, so hopefully I’ll see more on this subject in the foreseeable future!

  5. Manuel Lesa says:

    I in addition to my friends appeared to be viewing the best advice located on your site and so all of a sudden I got a terrible suspicion I never thanked the blog owner for those secrets. All of the young boys are actually absolutely thrilled to read all of them and already have actually been taking advantage of those things. Many thanks for turning out to be quite accommodating and for selecting variety of marvelous subject areas millions of individuals are really eager to be informed on. Our own honest regret for not expressing gratitude to you sooner.

  6. No joy with Dreamhost. Support hasn’t solved it yet. Anyone have any success with them? It’s a multi-user site.

  7. Steve Rush says:

    What about GoDaddy hosting? Can I get my images to display correctly using their hosting?

  8. Tina says:

    Is this still an issue? How does this problem manifest? What will happen to the thumbnails? I am also on Host Gator.

  9. Alain says:

    Then, no way. Just find another plugin?

© 2014 DukaPress. All rights reserved.