• Resolved simon1970

    (@simon1970)


    Hi,

    I’m in the middle of trying to make my WordPress/BuddyPress site more secure. I have run Wordfence for a while with no problems, but today I noticed that non-admin users cannot upload images to the site anymore. An HTTP error occurs when a non-admin uploads a photo.

    I narrowed it down to the last entry in the firewall settings – the Malicious File Upload (PHP) entry. When I deselect this setting the problem is fixed, though this is making the site much more vulnerable to malicious files.

    Is there a way to fix this issue so that I can keep the last firewall entry selected?

    Thanks!

Viewing 14 replies - 1 through 14 (of 14 total)
  • Hi simon1970,
    We are aware of this issue and our team is working on it. If there is any update regarding this one, I will let you know.

    Thanks.

    Thread Starter simon1970

    (@simon1970)

    OK, thank you

    Hi, same here. My contributors have not been able to upload photos, site for online news.
    Please remove/fix it as soon as possible.

    Thanks, Miroslav

    We’re experiencing a similar issue.

    Admin level users are able to upload any files with no issues at all.
    Max upload size is set to 100M.

    Lower level users who have permission to upload in Media Library experience the following: They can upload any file except when they exceed 12M-ish. If greater, a ‘HTTP Error’ shows up.

    When deactivating Malicious File Upload, lower level users are able to upload large files again.

    Clement Gonnet

    (@renoovodesign)

    Update:

    If the user role is a WordPress Core role, everything works fine.

    However, if user is under a custom role – in our case created using AAM – then it breaks.
    Just to be sure, the upload_file capability is definitely granted to the custom role.

    Deactivating both these rules prevents the HTTP Error whilst putting the site at risk.
    Malicious File Upload (Patterns)
    Malicious File Upload (PHP)

    Authors, please can you investigate?

    Wordfence 6.2.5
    AAM 3.8.2

    wfalaa

    (@wfalaa)

    Hi Clement,
    I think in this case you will need to choose “Learning Mode” for “Firewall Status” under (Wordfence > Firewall), then try performing the same action you were doing while logged in with this custom user role. The Firewall will learn to whitelist this action in the future; you should be able to see that in the “Whitelisted URLs” section on the “Firewall” page. After that, you can revert the Firewall Status back to “Enabled and Protecting”.

    Thanks.

    I have changed status to Learning Mode, re-tested the upload but I still get the HTTP error.

    Also, no rules are being added in the Whitelisted URLs section.

    Is there something else I should be doing?

    Hi Clement,
    Please log in to your website with this “custom role” user and try to upload the image, then take a screenshot of the error you get and share it with me here in the forum or at “alaa [at] wordfence [dot] com”.

    P.S. Can you see this request blocked by the firewall in (Wordfence > Live Traffic)?
    Hint: you can set the “Firewall Traffic” to be filtered by “Blocked by Firewall”; you should also be able to whitelist this action directly from there.

    Thanks.

    WP Dashboard HTTP Error

    Nothing shows in the Live Traffic

    You can only see this error message on the “Live Traffic” page, nothing else?
    It could be another plugin conflicting with the “Live Traffic” page, so I suggest temporarily disabling all your other installed plugins and re-checking this issue.

    Keep me updated,
    Thanks.

    To clarify, this error appears when I upload a large mp3 file to the Media Library.

    I have deactivated all plugins but Wordfence.
    Firewall is in Learning Mode with Malicious File Upload (Patterns & PHP) rules enabled.

    But the following issue still remains:
    If user is under a custom role – in our case created using AAM – then HTTP error appears when trying to upload a large mp3 file via the upload page (/wp-admin/media-new.php).

    In the Chrome Console, this error is returned: /wp-admin/async-upload.php 500 (Internal Server Error)
    This seems to happen on mp3 files that are larger than 12MB. Smaller files are uploaded just fine.

    No option to whitelist is given to me. No record is shown in the Live Traffic either.

    If I deactivate Malicious File Upload (Patterns & PHP), then large mp3 files can be uploaded by the custom role user.

    As long as there is a “500 (Internal Server Error)”, you can check your server log files for more information about this error; this would definitely be helpful. I suggest checking (Wordfence > Diagnostics => Log Files) if you don’t know where the error log files are on your server.

    Then try uploading the same file again and watch for any related error message in the log file.

    Thanks.

    Thread Starter simon1970

    (@simon1970)

    Hello,

    I am the user who first posted this question. I just tested for the problem again and noticed that it has now been resolved; however, I have discovered a new problem. When a user edits the title or description of a photo, the new changes do not save when the Malicious File Upload is checked in the Wordfence Firewall. I unchecked the setting and the photo title and description changes would then save as normal.

    Any ideas why this is happening? I would like my users to be able to edit the titles of their photos.

    Thanks,

    Simon

    Thread Starter simon1970

    (@simon1970)

    My apologies, I think it might be something to do with a caching plugin…

  • The topic ‘Firewall – Malicious File Upload (PHP) blocking users from uploading images’ is closed to new replies.