HostGator (Apache 2) mod_security rule about timthumb HOT 39 CLOSED

Yes, I would appreciate an update on this as well. 

poor web hosting, even I have relleser there, they don't want to solve this 
matter.

I'm using Lypha Hosting. but this script doesnt work there aswell. :S

Does anyone have a link to a website where this happens?

I've not seen the problem so would need ftp access to an account using it so 
that I 
can try to work out a fix.

If anyone wants me to look then make a support request here - 
http://binarymoon.mojohelpdesk.com/tech - with your ftp details and I will take 
a 
look

i cant use it at http://www.platech.com.tr/tr/bolumler/urunlerimiz

but i can use http://www.erkangenc.com/tr/bolumler/urunlerimiz

both are have same code but different servers.

Have we gotten a fix for this yet?

Can you even tell me what I need to tell hostgator so they get this fixed? 
because I 
just had them whitelist the mod_sec on my domain and it didn't help.

can someone try the latest version of the files? I still haven't been given 
access to
a server that is having this problem so I have no idea if it's fixed or not but 
I've
made changes recently which may help.

Hi,

I tried this using version 1.07 on my HG server and it doesn't work.

Hi,

I tried version 1.07 in HostGator, the first time with this usage:
[...]/thumb.php?src=http://www.-.com/wp/wp-content/[...]  and it didn't work.

So i contacted HG support and then replied with:

"I have whitelisted mod security rules causing this issue. Please let us know 
if you
continue to have issues with thumbnails on wordpress."

I tried again but it didn't work, so I tried modifiying the path without the 
domain
this way:  [...]/thumb.php?src=/wp/wp-content/[...]  and it works on hostgator.

timthumb.php was renamed to thumb.php.

Hi Manu

Can you please tell me where you changed the path information without domain 
details?
 I have host gator and have been working on this issue for about a week without
resolution.

Any assistance apprecaited

Ian Kelly

I'm also using Host Gator and I'm looking for a solution, could you please say 
Manu
where did you modify the settings?

Hi All

I got the following response overnight from Host Gator, it has fixed the 
problem for
me, but does not assist for any future installs / theme updates.  If anyone more
technical then i could explain what the may have done that would be apprecaited

-------------------------
"Hello,

There was a problem with your initial theme install ontop of the mod_sec rules.
Permissions were set wrong which i have changed and the rules that were 
blocking your
theme have since been whitelisted. Thank you for your patience in this matter."
-------------------------

Regards

Ian

Hi,

Host Gator have been very good and responsive, basically for each site, simply 
ask
them through support to complete the following

add following rules [ 1234234,340151 ] to mod_security for www.yourwebsite.com
Please whitelist for the domain

And you'll be sorted

Regards

Ian

quot: [Hi,

Host Gator have been very good and responsive, basically for each site, simply 
ask
them through support to complete the following

add following rules [ 1234234,340151 ] to mod_security for www.yourwebsite.com
Please whitelist for the domain

And you'll be sorted

Regards

Ian
]



Hi there,

I had the exact same problem with a free theme from WooThemes and contacted 
HostGator
and asked them to do exactly as you said and it worked.

Thank you

Remi Vladuceanu
http://www.remivladuceanu.com 

I too just got HostGator to whitelist the sec rules, they also adjusted 
permissions
and the best I can tell they changed the cache folder and the theme folder back 
to
755. After they white listed the sec rules the fix didn't work until I 
contacted them
a second time where they reset the permissions.

As far as telling them what you need ... just let them know you have a WordPress
theme that uses TimThumb script and it's returning 404 errors on images, give 
them a
link to one of the 404's and they will be able to go from there. (they may not 
even
need that much information)

Hope it helps others as I spent nearly 12 hours troubleshooting every known
possibility as well as a few re-installs of the theme.

Good luck and thanks for a great script.

Scott Prock - @ScottProck
http://eTweeple.com

Hostgator will whitelist any modsec rules that you have from their live chat 
now.
There are typically 2, but sometimes 3 rules that need to be whitelisted.
340151 AND 340153 AND 1234234

As far as permissions go, they're running phpsuexec, so folders and script 
pages need
to be 755 at the highest to work properly, html pages need to be 644.

@tarosic I copy pasted what you said and they knew exactly what to do for it 
and did
it within seconds in the live chat, thanks!

[deleted comment]

This was posted on the WooThemes forum, so maybe it will be of help to somebody 
here:

Probably need to make this one a sticky post.

Here's the deal. Apache is the actual software on your server that spits out 
your
files, and has been designed to accept add-in modules, similar to adding things 
to
Firefox, you add "modules" to Apache to do certain things.

Hostgator has installed a special module in their servers to kill spammers, 
rootkits,
security violator and server rapers.

Yippeee! It's a part of the apache web server called "mod sec" - i.e. "module
security". mod_sec is kinda tricky to configure, and it's best left to rocket
scientists, and Hostgator went out and got some easy config software from these
people to set up mod_sec so that it kills bad things and lets good things pass:

http://www.atomicorp.com
Atomicorp (Gotroot.com) ModSecurity rules
Just In Time Patches for Vulnerable Applications Rules for modsec 2.x
Created by the Prometheus Group (http://www.prometheus-group.com)
Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved.
14121 Parke Long Court
Suite 220
Chantilly
Virginia
20151
E-mail: [email protected]
Telephone: 703-266-6006
Fax: 703-266-6007

The software uses special filter files called "rule sets" like you would
find with firewalls - very programmer oriented - ya gotta be a programmer to
understand most of it.

Their rule sets work with Apache's mod_sec to do the security on your server.

Like any security mechanism, sometimes the guy with the gun is clamping things 
down
too tight, for good reason, but winds up killing something you need.

QUICK FIX TO GET YOUR THEME WORKING - You need to have sysadmin skills to
do this - so this is for people like the guy who wrote this post who knows what 
to do
if they know where to go - the rest of you will will need to contact Hostgator 
to
have them do the rest of this.

By disabling the ruleset in /opt/mod_security/modesecurity.conf by commenting 
it out,
and restarting apache your images will magically appear.

Below, you'll see 10_asl_rules.conf commented out with a #, essentially not 
including
it in the file load when mod_sec gets loaded.

Include /opt/mod_security/00_asl_whitelist.conf
Include /opt/mod_security/10_asl_antimalware.conf
# Include /opt/mod_security/10_asl_rules.conf
Include /opt/mod_security/20_asl_useragents.conf
Include /opt/mod_security/30_asl_antimalware.conf
Include /opt/mod_security/40_asl_apache2-rules.conf
Include /opt/mod_security/50_asl_rootkits.conf
Include /opt/mod_security/60_asl_recons.conf
Include /opt/mod_security/98_asl_jitp.conf
Include /opt/mod_security/99_asl_jitp.conf
Include /opt/mod_security/whitelist.conf

Restart apache ( at the server's root prompt

#apachectl stop

(you'll see some server daemon shutdown messages)

#apachectl start

Now, that'll kill the ruleset for the moment and get you operational, but 
really you
want that ruleset working for you.

You would want to go in and edit out the rule that kills
thumb.php - good luck and then restart apache again.

Perhaps someone else knows which rule this is ... 

I also had the same problem, the image resizer function (timthumb.php) of the 
theme I
used with wordpress didn't work. Even I set the cache folder in Hostgator to 
have
permission to read and write already.

After I read the comment of this site
(http://premiumthemes.net/theme-support/tips-n-tutorials/image-not-showing-up-tr
oubleshooting-image-resizer-thumbphp.html)
and do what it say.

I did Live Chat with Hostgator, they took around 30 minutes to resolve the 
problem,
finally it works. See how it works go to http://www.buythischeapnow.com

HOST GATOR WILL GET IT WORKING REFER THEM TO THIS PAGE AND HAVE THEM LOOK AT 
COMMENT 16

anyone know how to get it work if i am not with hostgator? but i am running 
centOS 
with cpanel/whm and apache here.

what must i put into the mod_security configuration?

thanks in advance!

If you have only one or two websites, or don't work with any clients, chatting 
with
HostGator is all fine and dandy. But, if you have a lot of sites (not just all 
on the
same shared hosting account) or if you work with clients who choose the hosting 
and
how it gets configured, that isn't really a solution that is workable.

Does anyone know what exactly in the mod_sec rules is being violated? It seems 
odd
that a plug-in like this would trigger any of these kind of rules. I'm betting 
it is
one step that is just a tad too clever and if we could tweak it, then this whole
issue could go away for everyone (theme developers, site owners, consultants, 
etc...)

Or, if we are 100% sure that this all works as intended, then we could start 
asking
HostGator to make the modifications necessary by default on all installs of 
WordPress.

since this seems to be an issue with the host rather than the script I will 
mark it
as fixed.

Have the same problem with timthumb and hostgator, just chat with their support 
and 
they fix it in less than 5 minutes..great!!!

[deleted comment]

I am having this same issue, but when I contacted hostgator and referred them 
to the
information here they said they tried all of it, but the problem is persisting! 
They
said :
 I apologize Jessie, the issue appears to be with the script of the theme itself
rather than mod_sec now. The mod_sec issue was fixed, and I even ran it by an 
admin
and they said the same thing. I'd talk to them and have them figure out why 
they're
script doesn't load from the thumb.php file properly.

Can anyone help me? my blog is at morrisfisherblog.com

jessie - why don't you post in the WooThemes forum if you are using a WooTheme? 
Your
thumbnails are working though http://is.gd/5V1Ia

This saved me from bashing my head into my computer out of frustration. Thank 
you!

I also hit this problem yesterday. Started a new hostgator chat, told them 
simply that 
"An apache mod_sec rule is preventing a script (timthumb.php) from running on 
my site. 
Could you please whitelist my domain so it is allowed to run?" and it was 
resolved in 
minutes.

I should also note that the script is pulling the full image URL (including 
http://) and 
generating everything just fine. You can see it in action here: 
http://seedplanted.org

[deleted comment]

Thank you for information, this is is great! I host at hawkhiost and ask them 
to read
this thread as they also clear mod_sec rules for the domain, and it works.
AS you can see at http://taxbanking.com but inage on old posts can't be seen

http://www.google.com/url?sa=t&source=web&ct=res&cd=3&ved=0CCEQFjAC&url=http%3A%
2F%2Fwww.elegantthemes.com%2Fhostgator.pdf&ei=gRPqS4GNOIG0lQeXo4TVCg&usg=AFQjCNE
4jyl9gTJRQfZy-z_8nSaKZOkoSg&sig2=TT_gC-iwGQEf_bwUpvla_g

i got some problem with thumbnail at my site. i have change the chmod 
permission for the file, but it doesn't running well done. any one could 
suggest me some idea ? please feel free to find it at http://www.onlinejolie.com

thanks much 4 your advice.

i purchased the template VIDEOZOOM and I am hosted with hostgator, I contacted 
them about changing the permissions like it said in the thread and they said 
they do not taper to third party scripts. I'm locked in with them for a year so 
is there any other solutions or can i get a refund for the template?

I am on hostgator as well. They said it's all in the script.

Usually its only a mod_security rule that needs to be whitelisted, if you 
havent installed and configured the script correctly then there is nothing your 
host can do to resolve this.
mod_security helps protect websites from injections, poor webhosting is when 
your website gets hacked over and over because the server didnt have 
mod_security installed and somebody found a hole in your beloved contact form 
that you made yourself or copied the code from the net.

how to fix my site from this error? can somebody explain me easily and simply 
how to do this thing?

Gatohost alread know this issue, found this for easy fix,

http://support.hostgator.com/articles/specialized-help/technical/timthumb-basics

Just ask for it from their support.