Auction Product Type : security leak found at tinythumb.php

[LadyoftheCave]

Goodmorning all.

I have a question. I recently installed the Auction Product Type. But now my hostingcompany told me that there is a huge security leak at tinythumb.php.

Do you happen to know how I can solve this?

Best Regards,

Sabine
Merlins Cave

[mc12345678]

Without much further information from the host, I did a brief review of the file and there are a few settings towards the top that may play a factor having to do with gathering information "offsite"... one of the default settings doesn't match a later "discussion" of being more secure. This includes the use of the cache directory which is created on the fly. Personally not entirely sure the importance of the actions taken by this file, but there are likely security improvements that can be made.

[barco57]

tinythumb.php is the timthumb image re-sizer script. Spend a little while reading the results of a google search for "timthumb exploit" to see why you shouldn't use it. timthumb has not been allowed to be bundled with a WordPress theme, from the official WordPress Theme Directory or ThemeForest, since about 2011 because of security vulnerabilities with the script.

[DrByte]

I think the fix is pretty simple:

1. /admin/auctions_manager.php
line 231 is:

Code:

                <td  class="dataTableContent"><?php echo zen_image(DIR_WS_ADMIN . 'images/auction_manager/tinythumb.php?src=' . DIR_WS_CATALOG_IMAGES . $auctions->fields['products_image'] . '&h=50&zc=0'); ?></td>

replace that with:

Code:

                <td  class="dataTableContent"><?php echo zen_image(DIR_WS_CATALOG_IMAGES . $auctions->fields['products_image'], $auctions->fields['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);

2. And then delete the entire /admin/images/auction_manager/ folder (which includes the old cached images and the tiny_thumb.php file).



If you find the images are now too large on the screen, you could replace SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT above with 50,50 instead.



I've pushed a new release with ONLY this change in it: https://www.zen-cart.com/downloads.php?do=file&id=45

[LadyoftheCave]

Thank you all :) :)

[LadyoftheCave]

Thank you drByte, I have changed the code :)

[LadyoftheCave]

Thank you drByte, I have changed the code :)

Hi DrByte, I have find out that after changing the code. I cannot go to Catalog - Auctionmanager anymore. Then I receive a message that this page is not available,..

Best Regards,

[DrByte]

I think you've made an error. When I tested it after making those changes I was able to access the page without issue.

Might also be worth looking into your logs: http://www.zen-cart.com/content.php?124-blank-page

[LadyoftheCave]

I think you've made an error. When I tested it after making those changes I was able to access the page without issue.

Might also be worth looking into your logs: http://www.zen-cart.com/content.php?124-blank-page

Ok, I will try again :)