@neuroitc
I’m curious as to what security rules/filters are being triggered by your requests to async-upload.php
I experienced an error as well when using WP 2.5 to upload to the media gallery. After some debugging I found the reason for this error is simply because async-upload.php is sent the uploaded file via a POST from an swfupload.swf file, which doesn’t have built-in support for sending HTTP Basic Authorization.
I am really curious how the above code fixes the problem, I haven’t had any problems with my mod_security. Could you please do this to help me out?
- create a file called
modsec_audit.log
and chmod 666
- add the code below to your
.htaccess
- try to upload an image to make the error occur again
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterScanPOST On
SecAuditLogParts ABCDEFGHZ
SecAuditEngine RelevantOnly
SecAuditLog /fullpathto/modsec_audit.log
</IfModule>
Now the modsec_audit.log will explain what rule the request is matching.
Or you can just upgrade to the newer version and see if it works for you.
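The modsec_audit.log that the .htaccess snippet above switches on is what answers the "which rule is firing" question, and reading it by hand gets tedious once more than a couple of requests are logged. The following is an added example, not code from this thread or from the plugin: a small Python parser that splits a serial-format audit log into entries (the --id-A-- … --id-Z-- boundaries written by SecAuditLogParts ABCDEFGHZ), and reports, for every request that touches async-upload.php, the request line, the response status from part F and the rule messages recorded in part H. The embedded sample log is constructed, including its boundary ids, rule id and message text; the exact line layout inside each part is an assumption (it differs between mod_security 1.9 and 2.x), so the message regex accepts both the "Message:" and the older "mod_security-message:" prefix.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a serial-format mod_security audit log (two entries).
# Entry 1: a POST from the Flash uploader to async-upload.php that tripped a rule.
# Entry 2: an unrelated GET that was logged but matched nothing.
# Boundary ids, addresses, the rule id 900001 and the msg text are all made up.
SAMPLE_AUDIT_LOG = """--a1b2c3d4-A--
[10/Apr/2008:12:00:01 +0000] constructed-txid 192.0.2.10 54321 192.0.2.1 80
--a1b2c3d4-B--
POST /wp-admin/async-upload.php HTTP/1.1
Host: blog.example
User-Agent: Shockwave Flash
Content-Type: multipart/form-data; boundary=----------Ij5ae0cH2ei4GI3
--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
--a1b2c3d4-H--
Message: Access denied with code 403. Pattern match "(?i)shockwave flash" at HEADER("User-Agent") [id "900001"] [msg "Constructed example: Flash user agent blocked"]
Stopwatch: 1207828801 1500
--a1b2c3d4-Z--

--e5f6a7b8-A--
[10/Apr/2008:12:00:05 +0000] constructed-txid 192.0.2.11 54322 192.0.2.1 80
--e5f6a7b8-B--
GET /index.php HTTP/1.1
Host: blog.example
--e5f6a7b8-F--
HTTP/1.1 200 OK
--e5f6a7b8-H--
Stopwatch: 1207828805 300
--e5f6a7b8-Z--
"""

# A part boundary looks like --<id>-<PART LETTER>--
BOUNDARY_RE = re.compile(r"^--(\w+)-([A-Z])--$")
# Rule messages in part H; accept both the 2.x and the older 1.x prefix.
MESSAGE_RE = re.compile(r"^(?:Message|mod_security-message): (.*)$", re.MULTILINE)
ID_RE = re.compile(r'\[id "([^"]+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]+)"\]')


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Split a serial audit log into entries; each entry maps part letter -> body text."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    part: Optional[str] = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            entry_id, part = m.groups()
            if part == "A":  # part A opens a new entry
                current = {"id": entry_id}
                entries.append(current)
            continue
        # Z is the terminator; anything after it (blank lines) is not part of the entry.
        if current is not None and part is not None and part != "Z":
            current[part] = current.get(part, "") + line + "\n"
    return entries


def first_line(entry: Dict[str, str], part: str) -> str:
    """First non-empty line of a part, e.g. the request line (B) or status line (F)."""
    for line in entry.get(part, "").splitlines():
        if line.strip():
            return line.strip()
    return ""


def matched_rules(entry: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Extract rule id and msg from every Message line in part H."""
    rules = []
    for text in MESSAGE_RE.findall(entry.get("H", "")):
        rid = ID_RE.search(text)
        msg = MSG_RE.search(text)
        rules.append({
            "id": rid.group(1) if rid else None,
            "msg": msg.group(1) if msg else None,
            "text": text,
        })
    return rules


def rules_for_uri(text: str, uri_fragment: str = "async-upload.php") -> List[Dict[str, object]]:
    """Entries whose request line contains uri_fragment, with status and the rules they tripped."""
    hits = []
    for entry in parse_audit_log(text):
        request = first_line(entry, "B")
        if uri_fragment in request:
            hits.append({
                "request": request,
                "status": first_line(entry, "F"),
                "rules": matched_rules(entry),
            })
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_AUDIT_LOG with open("/fullpathto/modsec_audit.log").read() on a real host.
    for hit in rules_for_uri(SAMPLE_AUDIT_LOG):
        print(hit["request"], "->", hit["status"])
        for rule in hit["rules"]:
            print("   rule", rule["id"], ":", rule["msg"])
```

With the real log in place of the constructed sample, the rule ids this prints are the ones to look up in the server's mod_security rule set; that tells you whether the Flash uploader is tripping a generic request-filter rule or something specific to the POST body, which is a better basis for a targeted exception than turning the engine off for the whole site.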
Hi, aa –
I am wondering if you could comment on the fix for this problem listed on this thread: http://wordpress.org/support/topic/165038?replies=12
- Are there security issues with disabling mod_security this way?
- Do I understand correctly that the new version (3.6.3) of your plugin fixes this particular image uploader problem?
Thanks!
Circle-
1. Not really, most bloggers don’t even know what mod_security is, and even fewer actually do have it.
The one thing that gives me pause is that it opens up a pathway for attackers to push their exploits because mod_security won’t be turned on. And also this async-upload.php script has some features that lower its overall security and make it easier to successfully exploit in terms of cookies and state tracking.
2. Yes the version I released this morning completely fixes this.
Although I allowed access to the file itself, which does create a small hole in the password protection of the admin dir, mod_security is still 100% doing its thing.