FancyUpload Possible mod_security conflict with Plesk

orware
Forum User
Posts: 30
Joined: Sat Apr 05, 2008 5:59 am

FancyUpload Possible mod_security conflict with Plesk

Unread post by orware »

So I'm trying to use Joomla 1.5's new FancyUpload capability, which allows you to upload multiple files at once (like you see on a lot of the newer sites, especially the video sharing ones), but on my Plesk server it seems as if there is a possible conflict with mod_security that does not allow the files to be uploaded and gives me a 403 error when uploading.

The problem is mentioned on the FancyUpload site:
http://digitarald.de/project/fancyupload/

and in various Joomla Forum threads related to the topic:
http://forum.joomla.org/viewtopic.php?f ... 0#p1274856

The fix asks the user to add the following two directives to their .htaccess file:
SecFilterEngine Off
SecFilterScanPOST Off

But in my case when I add these to my .htaccess file I begin getting 500 errors when trying to access any part of my Joomla site.

I'd just like this feature to work, because it makes life so much easier for users, but when using Plesk I do not know why it does certain things, so I'd like to find a real resolution to this issue, because if it affects my Plesk server it is probably also affecting other Plesk servers as well, and any others using Joomla on a Plesk server would probably appreciate it if they could use the FancyUpload feature :-).
aus-city
Forum Regular
Posts: 685
Joined: Thu Oct 26, 2006 11:56 pm

Unread post by aus-city »

This disables mod-security; do you really want to turn mod-security off for the site?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

Did you send a false positive for this event from the ASL web interface? The ASL rule gurus are usually pretty fast at adjusting their rules when false positives occur.
Lemonbit Internet Dedicated Server Management
orware
Forum User
Posts: 30
Joined: Sat Apr 05, 2008 5:59 am

I'm not using ASL

Unread post by orware »

Actually I'm not using ASL, so I cannot use the web interface; this is just with a stock Plesk install. It just bothers me that it is something that does not work with Plesk when I know my other server running cPanel doesn't have any trouble.

I've contacted Parallels Support on the issue, but their support has been pretty slow/not useful recently, but I'll see how it goes with this problem.

Thanks for your replies,
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

If the solution is to disable mod_security then I guess the problem is not with Plesk (as that doesn't come with mod_security). Have you checked your logs for those 500 errors?
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

yeah 500's are internal server errors, not related to mod_security.
orware
Forum User
Posts: 30
Joined: Sat Apr 05, 2008 5:59 am

I'm checking the log

Unread post by orware »

My error log file is huge, it's about 1.29GB, so I've been having some trouble getting to the point where I can see the errors from yesterday. I'm currently splitting the file into smaller chunks so that I can read it more easily.

The 500 errors were due to me adding the two mod_security directives into my .htaccess, but if, as was mentioned, Plesk does not come with mod_security by default, then that is probably why I encountered those 500 errors.

The real errors that I'll need to look for are the 403 errors that were given when files were uploaded using the FancyUpload feature. I think it may be due to the fact that it is a .swf file that is doing the work here so perhaps the Adobe Flash Player useragent or something is being blocked, but I don't really know because nothing I read provided a conclusive fix besides adding those two directives (but it looks like that fix doesn't apply in my case).

I'll be back in a few minutes with more information from my error_log.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

An error_log of 1.29 GB sounds like you're either not rotating logs or you have a *lot* of errors on your site.

Yes, a plain Plesk install doesn't come with mod_security, and adding those mod_security directives when mod_security is not installed is probably causing those 500 errors.
Lemonbit Internet Dedicated Server Management
orware
Forum User
Posts: 30
Joined: Sat Apr 05, 2008 5:59 am

Error Log

Unread post by orware »

OK, I've looked through a few of the error_logs and I found the following in relation to one of the directives I added:

[Tue Aug 05 14:39:23 2008] [alert] [client X.XX.X.XX] /var/www/vhosts/imperial.edu/subdomains/labs/httpdocs/.htaccess: Invalid command 'SecFilterEngine', perhaps mis-spelled or defined by a module not included in the server configuration

So I'm pretty sure mod_security is not installed, but then this leaves me in a difficult position because all of the fixes related to the 403 error for the fancyupload stuff have the same conclusion: mod_security is causing the problem so you need to add those two directives to make it work. But, if I don't have mod_security then it must be something else that is causing the problem? Also, in my error_logs I couldn't find any references to the 403 errors that I was being given (it sort of seems like the error_log is not recording them).

As I was writing the above, I thought for a second that maybe the swf file needed additional permissions (maybe 666 or 777 rather than its current 644), so I went and I changed the permissions to 777 and the uploads worked. So then I went and changed them to 666 and they still worked, then back to 644 and it continued to work, which is pretty weird, because it was certainly not working yesterday and I have not done anything to any configuration anywhere.

I am glad that it works now, but I am also confused about why now and not yesterday because I wanted to have a repeatable solution that could be shared.
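
An added example (not part of the original posts): the "Invalid command" alert quoted above is how Apache reports an .htaccess directive that no loaded module defines, and it can be pulled out of a very large error_log by streaming the file instead of splitting it. The function name, the example.test path and the 192.0.2.x addresses are constructed for illustration.

```python
import re
import sys
from collections import Counter
from datetime import date, datetime

# Apache 2.2-style error_log entry: [timestamp] [level] [client addr] message
ENTRY = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (?:\[client [^\]]+\] )?(.*)$")
# Written when .htaccess uses a directive that no loaded module defines;
# Apache then answers every request under that directory with a 500.
INVALID = re.compile(r"^(.+?): Invalid command '([^']+)'")


def invalid_commands(lines, day):
    """Count (config file, directive) pairs logged on `day`, reading lazily."""
    hits = Counter()
    for line in lines:
        entry = ENTRY.match(line.rstrip("\n"))
        if not entry:
            continue  # continuation lines or output in another format
        stamp, _level, message = entry.groups()
        try:
            when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        bad = INVALID.match(message)
        if bad and when.date() == day:
            hits[bad.groups()] += 1
    return hits


# Constructed sample in the format of the line quoted in the post.
HT = "/var/www/vhosts/example.test/httpdocs/.htaccess"
SAMPLE = [
    "[Mon Aug 04 09:12:01 2008] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/example.test/httpdocs/favicon.ico",
    f"[Tue Aug 05 14:39:23 2008] [alert] [client 192.0.2.10] {HT}: Invalid command 'SecFilterEngine', perhaps mis-spelled or defined by a module not included in the server configuration",
    f"[Tue Aug 05 14:39:41 2008] [alert] [client 192.0.2.11] {HT}: Invalid command 'SecFilterEngine', perhaps mis-spelled or defined by a module not included in the server configuration",
    "[Tue Aug 05 14:40:02 2008] [error] [client 192.0.2.10] client denied by server configuration: /var/www/vhosts/example.test/httpdocs/tmp",
    "not an error_log entry",
]

if __name__ == "__main__":
    # Usage: script.py [error_log]. A file object is iterated line by line,
    # so a multi-gigabyte log is never loaded into memory or split by hand.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for (path, directive), n in invalid_commands(source, date(2008, 8, 5)).items():
        print(f"{n:6d}  {directive}  in  {path}")
```

Only the first undefined directive in a file is logged, because Apache stops processing the .htaccess at that point.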
orware
Forum User
Posts: 30
Joined: Sat Apr 05, 2008 5:59 am

BadBehaviour Anyone?

Unread post by orware »

So I continued looking into this and it looks like the problem was entirely due to the BadBehaviour plugin, which blocked the Shockwave Flash user agent because of its potential usage by spam harvesters. Opening up the blacklist file and commenting out that line fixed the problem on the other site. This also appears to be the same fix to apply to a Wordpress 2.5+ installation that is using the BadBehavior bot.

Well, I'm glad that problem's solved, but sorry for stirring things up by thinking it was mod_security.