Support » Plugins » [Plugin: AskApache Password Protect] Image upload error when aapass is active

  • I encountered this problem when i have the plugin installed and actived. I set also, as i had the problem the same before installing, fix in .htaccess in wordpress root:

    <IfModule mod_security.c>
    <Files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off

    If i don’t enable aapass with the fix above, all works correctly but if i active aapass, it returns me old upload image error.
    Any suggestion? Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • @neuroitc

    I’m curious as to what security rules/filters are being triggered by your requests to async-upload.php

    I experienced an error as well when using WP 2.5 to upload to the media gallery. After some debugging I found the reason for this error is simply because async-upload.php is sent the uploaded file via a POST from an swfupload.swf file, which doesn’t have support builtin to send HTTP Basic Authorization.

    I am really curious how the above code fixes the problem, I haven’t had any problems with my mod_security. Could you please do this to help me out?

    1. create a file called modsec_audit.log and chmod 666
    2. add the code below to your .htaccess
    3. try to upload an image to make the image occur again
    <IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off
    SecFilterScanPOST On
    SecAuditLogParts ABCDEFGHZ
    SecAuditEngine RelevantOnly
    SecAuditLog /fullpathto/modsec_audit.log

    Now the modsec_audit.log will explain what rule the request is matching.

    Or you can just upgrade to the newer version and see if it works for you.

    Hi, aa –
    I am wondering if you could comment on the fix for this problem listed on this thread:

    1. Are there security issues with disabling mod_security this way?
    2. Do I understand correctly that the new version (3.6.3) of your plugin fixes this particular image uploader problem?



    1. Not really, most bloggers don’t even know what mod_security is, and even fewer actually do have it.

    The one thing that gives me pause is that it opens up a pathway for attackers to push their exploits because mod_Security won’t be turned on. And also this asnc-upload.php script has some features that lower its overall security and make it easier to successfully exploit in terms of cookies and state tracking.

    2. Yes the version I released this morning completely fixes this.

    Although I allowed access to the file itself, which does create a small hole in the password protection of the admin dir, mod_security is still 100% doing its thing.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘[Plugin: AskApache Password Protect] Image upload error when aapass is active’ is closed to new replies.