• neuroitc

    (@neuroitc)


    I encountered this problem when I have the plugin installed and activated. I also set, as I had the same problem before installing, a fix in .htaccess in the WordPress root:

    <IfModule mod_security.c>
    <Files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </Files>
    </IfModule>

    If I don’t enable aapass with the fix above, all works correctly, but if I activate aapass, it returns the old upload image error.
    Any suggestion? Thanks

    http://wordpress.org/extend/plugins/askapache-password-protect/

Viewing 3 replies - 1 through 3 (of 3 total)
  • askapache

    (@askapache)

    @neuroitc

    I’m curious as to what security rules/filters are being triggered by your requests to async-upload.php.

    I experienced an error as well when using WP 2.5 to upload to the media gallery. After some debugging I found the reason for this error is simply because async-upload.php is sent the uploaded file via a POST from an swfupload.swf file, which doesn’t have support built in to send HTTP Basic Authorization.

    I am really curious how the above code fixes the problem; I haven’t had any problems with my mod_security. Could you please do this to help me out?

    1. Create a file called modsec_audit.log and chmod 666
    2. Add the code below to your .htaccess
    3. Try to upload an image to make the image occur again

    <IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off
    SecFilterScanPOST On
    SecAuditLogParts ABCDEFGHZ
    SecAuditEngine RelevantOnly
    SecAuditLog /fullpathto/modsec_audit.log
    </IfModule>
    

    Now the modsec_audit.log will explain what rule the request is matching.

    Or you can just upgrade to the newer version and see if it works for you.
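
A small parser for the audit log requested in the post above, added here as an example and not code from the thread or the plugin. It assumes the ModSecurity 2.x serial audit-log layout (`--<id>-<part>--` boundaries, with the parts selected by `SecAuditLogParts`); the sample log, its rule id and message, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x serial audit-log layout (assumed);
# the rule id, message text, date and addresses are made up for illustration.
SAMPLE_LOG = """\
--3f2a1b0c-A--
[12/May/2008:10:15:02 +0000] AbCdEfGh 203.0.113.5 51000 192.0.2.10 80
--3f2a1b0c-B--
POST /wp-admin/async-upload.php HTTP/1.1
Host: blog.example

--3f2a1b0c-F--
HTTP/1.1 403 Forbidden
--3f2a1b0c-H--
Message: Access denied with code 403 (phase 2). Pattern match "example" at REQUEST_BODY. [id "900001"] [msg "Constructed sample rule"]
Action: Intercepted (phase 2)

--3f2a1b0c-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
TAG = re.compile(r'\[(id|msg) "([^"]*)"\]')

def parse_audit_log(text):
    """Split the log into transactions: {txn_id: {part_letter: [lines]}}."""
    txns, current = defaultdict(lambda: defaultdict(list)), None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = txns[m.group(1)][m.group(2)]
        elif current is not None and line:
            current.append(line)
    return txns

def matched_rules(text, path="async-upload.php"):
    """Return (request line, action, rule id, rule msg) for each hit on `path`."""
    hits = []
    for parts in parse_audit_log(text).values():
        request = parts["B"][0] if parts["B"] else ""
        if path not in request:
            continue  # only transactions for the upload handler are of interest
        action = next((l[8:] for l in parts["H"] if l.startswith("Action: ")), "")
        for line in parts["H"]:
            if line.startswith("Message: "):  # part H carries the rule matches
                tags = dict(TAG.findall(line))
                hits.append((request, action, tags.get("id"), tags.get("msg")))
    return hits

if __name__ == "__main__":
    print(matched_rules(SAMPLE_LOG))
```

Knowing which rule fired on `async-upload.php` allows a narrower exception than switching the engine off for the whole file.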

    CircleReader

    (@circlereader)

    Hi, aa –
    I am wondering if you could comment on the fix for this problem listed on this thread: http://wordpress.org/support/topic/165038?replies=12

    1. Are there security issues with disabling mod_security this way?
    2. Do I understand correctly that the new version (3.6.3) of your plugin fixes this particular image uploader problem?

    Thanks!

    askapache

    (@askapache)

    Circle-

    1. Not really, most bloggers don’t even know what mod_security is, and even fewer actually do have it.

    The one thing that gives me pause is that it opens up a pathway for attackers to push their exploits because mod_security won’t be turned on. And also this async-upload.php script has some features that lower its overall security and make it easier to successfully exploit in terms of cookies and state tracking.

    2. Yes the version I released this morning completely fixes this.

    Although I allowed access to the file itself, which does create a small hole in the password protection of the admin dir, mod_security is still 100% doing its thing.

  • The topic ‘[Plugin: AskApache Password Protect] Image upload error when aapass is active’ is closed to new replies.