I was using YUI Uploader for a personal project and it worked very well on my development notebook and server. However, when the code was live on the server, the Flash uploader failed with this error message:
[IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]
After a while I realized that it must be something server-side, because when I used Wireshark to see the traffic the server returned Error 500. The traffic is not captured by Firebug because it is Flash traffic.
The culprit is ModSecurity, a third-party module used by most hosting companies. ModSecurity is a web application firewall that can work either embedded into Apache or as a reverse proxy.
A quick fix to allow uploads is to add the blocks below to the .htaccess file. Together they cover the different Apache and ModSecurity versions, and because each block is wrapped in an IfModule directive, a block whose module is unavailable is skipped and no error is thrown. This removes the need to know which version of Apache and ModSecurity is used on the server.
For this example the script that handles the upload is named upload.php.
# Apache 1.x and ModSecurity 1.x
<IfModule mod_security.c>
<Files upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</Files>
</IfModule>
# Apache 2.x and ModSecurity 1.x
<IfModule security_module>
<Files upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</Files>
</IfModule>
# Apache 2.x and ModSecurity 2.x
<IfModule security2_module>
<Files upload.php>
SecRuleEngine Off
SecRequestBodyAccess Off
</Files>
</IfModule>
That’s it! This fixes the Flash uploader problem.
By the way it might be useful to let you know that this issue was encountered on a server hosted under the Ebiz Linux package by Exabytes.
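Because the rules above switch ModSecurity off for upload.php, that script has to do its own input checks. The following is an added example, not the post author's code, of the minimum an exempted upload handler would verify; the field name `Filedata`, the 5 MB limit, the image-only allowlist and the storage path are assumptions chosen for illustration.

```php
<?php
// Added example: checks upload.php performs itself once ModSecurity
// no longer inspects requests to it. All constants below are assumptions.
declare(strict_types=1);

const FIELD     = 'Filedata';                      // assumed form field name used by the uploader
const MAX_BYTES = 5 * 1024 * 1024;                 // assumed size limit
const STORE_DIR = __DIR__ . '/../uploads-private'; // assumed directory outside the web root

// Allowlist keyed by detected content type; the value is the extension we assign.
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function reject(int $status, string $why): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($why);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'POST only');
}
$f = $_FILES[FIELD] ?? null;
// An array in 'error' means the field was sent as Filedata[]; accept one file only.
if (!is_array($f) || is_array($f['error'])) {
    reject(400, 'missing or malformed upload');
}
if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    reject(400, 'upload failed');
}
if ($f['size'] <= 0 || $f['size'] > MAX_BYTES) {
    reject(413, 'file size not allowed');
}
// Decide the type from the file content, not from the client-supplied
// name or Content-Type header.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if (!is_string($mime) || !isset($allowed[$mime])) {
    reject(415, 'file type not allowed');
}
// Never reuse the client's filename: generate one, with our own extension.
$name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
if (!move_uploaded_file($f['tmp_name'], STORE_DIR . '/' . $name)) {
    reject(500, 'could not store file');
}
echo $name;
```

Any other request parameters the script reads (for example values later used in SQL) need the same treatment, since the exemption removes filtering for the whole request, not only for the file part.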
If upload.php has poorly sanitized code, does it mean code or SQL injection could just slip in?
Yes, it would definitely let malicious code slip in. So it would be very important for upload.php to have extra checks before letting it be exempted from ModSecurity filtering.
Hi,
I have a problem with .htaccess.
SecFilterEngine Off
SecFilterScanPOST Off
It won't work for the Flash uploader. I am using a multi-file Flash uploader.
Thanks,
–Kapil
Hi. Yeah, this fix doesn’t work for me either.
But thanks for the time put into writing it… I gave it a shot.
All, this is not a generic fix and I was simply sharing my problem. This is specific based on the cause. If your error is caused by something else other than ModSecurity this will definitely not work.
Identify your cause then focus on the fix.
You need to understand how your hosting works; they might not allow settings to be overridden by .htaccess files.