Flash Uploader Error

I was using YUI Uploader for a personal project and it worked very well on my development notebook and server. However, when the code went live on the server, the Flash uploader failed with this error message:

[IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]

After a while I realized that it must be something server-side, because when I used Wireshark to see the traffic, the server returned Error 500. The traffic is not captured by Firebug because it is Flash traffic.

The culprit is ModSecurity, a third-party module used by most hosting companies. ModSecurity is a web application firewall that can work either embedded into Apache or as a reverse proxy.

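A quick fix to allow uploads is to add the following to the .htaccess file. The three blocks cover different Apache and ModSecurity versions, and because each one is wrapped in an IfModule directive, a block whose module is not loaded is skipped without an error. This removes the need to know which versions of Apache and ModSecurity the server runs. Inside the Files block the directives switch ModSecurity off for requests to the upload script only; the rest of the site stays filtered.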

For this example the script that handles the upload is named upload.php.

# Apache 1.x and ModSecurity 1.x
<IfModule mod_security.c>
   <Files upload.php>
      SecFilterEngine Off
      SecFilterScanPOST Off
   </Files>
</IfModule>

# Apache 2.x and ModSecurity 1.x
<IfModule security_module>
   <Files upload.php>
      SecFilterEngine Off
      SecFilterScanPOST Off
   </Files>
</IfModule>

# Apache 2.x and ModSecurity 2.x
<IfModule security2_module>
   <Files upload.php>
      SecRuleEngine Off
      SecRequestBodyAccess Off
   </Files>
</IfModule>

That’s it! This fixes the Flash uploader problem.

By the way it might be useful to let you know that this issue was encountered on a server hosted under the Ebiz Linux package by Exabytes.
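
Because the directives above leave upload.php with no ModSecurity filtering, the handler has to do its own checking. One way to write it follows as an added example, not the code from this post or from YUI; the storage path, size limit, allowed types and the Filedata field name are assumptions.

```php
<?php
// upload.php (added example, not the post's code). With ModSecurity off for
// this file, these checks are the only filtering an upload request receives.

const UPLOAD_DIR = '/var/www/private-uploads'; // assumed path outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;            // assumed size limit (5 MiB)
const ALLOWED    = [                           // assumed allow-list: MIME type => extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function reject(int $status, string $reason): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $reason;
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'POST only');
}

// 'Filedata' is an assumed field name; use the one your uploader sends.
$file = $_FILES['Filedata'] ?? null;
if (!is_array($file) || !is_int($file['error'] ?? null) || $file['error'] !== UPLOAD_ERR_OK) {
    reject(400, 'upload failed');
}
if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
    reject(400, 'file rejected');
}

// Take the type from the file content. The filename and Content-Type sent by
// the client are untrusted and are never used.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
    reject(415, 'type not allowed');
}

// Server-generated name with a fixed extension, so no request data reaches the path.
$target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
if (!move_uploaded_file($file['tmp_name'], $target)) {
    reject(500, 'could not store file');
}
chmod($target, 0640);
echo 'ok';
```

Storing the files outside the web root means an uploaded file can never be requested and executed as a script, whatever its content.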


5 thoughts on “Flash Uploader Error”

  1. Yes, it would definitely let malicious code slip in. So it would be very important for upload.php to have extra checks before letting it be exempted from ModSecurity filtering.

  2. All, this is not a generic fix and I was simply sharing my problem. This is specific based on the cause. If your error is caused by something other than ModSecurity, this will definitely not work.

    Identify your cause then focus on the fix.

    You need to understand how your hosting works; they might not allow settings to be overridden by .htaccess files.
