[Plugin: AskApache Password Protect] Image upload error when aapass is active (4 posts)

  1. Neuroitc
    Posted 8 years ago #

    I encountered this problem when I have the plugin installed and activated. I also set, as I had the same problem before installing, this fix in .htaccess in the WordPress root:

    <IfModule mod_security.c>
    <Files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </Files>
    </IfModule>

    If I don't enable aapass with the fix above, all works correctly, but if I activate aapass, it returns the old upload image error.
    Any suggestion? Thanks


  2. askapache
    Posted 8 years ago #


    I'm curious as to what security rules/filters are being triggered by your requests to async-upload.php

    I experienced an error as well when using WP 2.5 to upload to the media gallery. After some debugging I found the reason for this error is simply because async-upload.php is sent the uploaded file via a POST from an swfupload.swf file, which doesn't have support built in to send HTTP Basic Authorization.

    I am really curious how the above code fixes the problem; I haven't had any problems with my mod_security. Could you please do this to help me out?

    1. create a file called modsec_audit.log and chmod 666
    2. add the code below to your .htaccess
    3. try to upload an image to make the image occur again
    <IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off
    SecFilterScanPOST On
    SecAuditLogParts ABCDEFGHZ
    SecAuditEngine RelevantOnly
    SecAuditLog /fullpathto/modsec_audit.log
    </IfModule>

    Now the modsec_audit.log will explain what rule the request is matching.

    Or you can just upgrade to the newer version and see if it works for you.

  3. CircleReader
    Posted 8 years ago #

    Hi, aa -
    I am wondering if you could comment on the fix for this problem listed on this thread: http://wordpress.org/support/topic/165038?replies=12

    1. Are there security issues with disabling mod_security this way?
    2. Do I understand correctly that the new version (3.6.3) of your plugin fixes this particular image uploader problem?


  4. askapache
    Posted 8 years ago #


    1. Not really, most bloggers don't even know what mod_security is, and even fewer actually do have it.

    The one thing that gives me pause is that it opens up a pathway for attackers to push their exploits because mod_security won't be turned on. And also this async-upload.php script has some features that lower its overall security and make it easier to successfully exploit in terms of cookies and state tracking.

    2. Yes the version I released this morning completely fixes this.

    Although I allowed access to the file itself, which does create a small hole in the password protection of the admin dir, mod_security is still 100% doing its thing.
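
The two approaches discussed in this thread, side by side in Apache 2.2 syntax: exempting async-upload.php from HTTP Basic auth (because swfupload.swf cannot send an Authorization header) while leaving mod_security filtering on, instead of switching the filter off for that file. This is an added example, not the plugin's own rules and not part of the original posts; the wp-admin/.htaccess location, the AuthName text and the /fullpathto/.htpasswd path are assumed placeholders.

```apache
# wp-admin/.htaccess (assumed location; added example, not the plugin's output)

# Password-protect everything in this directory with HTTP Basic auth.
AuthType Basic
AuthName "Protected Admin Area"
# Placeholder path: keep the password file outside the web root.
AuthUserFile /fullpathto/.htpasswd
Require valid-user

# swfupload.swf POSTs the upload without an Authorization header, so the
# upload handler alone is exempted from the Basic auth requirement.
# Only the application's own checks apply to requests for this file.
<Files async-upload.php>
    Order allow,deny
    Allow from all
    Satisfy Any
</Files>

# mod_security is deliberately left untouched here. The workaround from the
# first post is shown commented out for comparison: it stops all request
# filtering for the one script that accepts file uploads.
#<IfModule mod_security.c>
#<Files async-upload.php>
#SecFilterEngine Off
#SecFilterScanPOST Off
#</Files>
#</IfModule>
```

On Apache 2.4 without mod_access_compat, the three lines inside the `<Files>` block are replaced by `Require all granted`.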
