Flash Uploader Error

Posted by on Sun, November 16, 2008

▼ A d v e r t i s e m e n t

I was using YUI Uploader for a personal project and it works very well on my development notebook and server. However when the code is live on the server the Flash uploader failed with this error message:

[IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]

After a while I realized that it must be something server-side because when I used WireShark to see the traffic the server returns Error 500. The traffic is not captured by Firebug because it is Flash traffic.

The culprit is ModSecurity, a third party module used by most hosting companies. ModSecurity is a web application firewall that can work either embedded into Apache or as a reverse proxy.

A quick fix to allow uploads is to include these in the .htaccess file. These handle different Apache and ModSecurity versions and since we include the IfModule directive if the module is unavailable no error will be thrown. This relieves the need to consider what version of Apache and ModSecurity is used on the server.

For this example the script that handles the upload is named upload.php.

# Apache 1.x and ModSecurity 1.x
<IfModule mod_security.c>
   <Files upload.php>
      SecFilterEngine Off
      SecFilterScanPOST Off
   </Files>
</IfModule>

# Apache 2.x and ModSecurity 1.x
<IfModule security_module>
   <Files upload.php>
      SecFilterEngine Off
      SecFilterScanPOST Off
   </Files>
</IfModule>

# Apache 2.x and ModSecurity 2.x
<IfModule security2_module>
   <Files upload.php>
      SecRuleEngine Off
      SecRequestBodyAccess Off
   </Files>
</IfModule>

That’s it! This fixes the Flash uploader problem.

By the way it might be useful to let you know that this issue was encountered on a server hosted under the Ebiz Linux package by Exabytes.

Related Posts with Thumbnails

Tags: ,

Facebook Comment

WARNING & REMINDER: Comments are moderated and there is no exception. Comments unrelated to the post, too short, using phoney emails or funny names, will be marked as spam. Foul languages are filtered as spam. Your email will never be displayed on this site. If you would like to receive replies, use a valid email address and check the subscription box below.
 
  • if upload.php has poorly sanitized code, does it mean code or SQL Injection could just slip in ?

  • ady

    Yes, it would definitely let malicious code could slip in. So it would be very important for upload.php to have extra checks before letting it be exempted from ModSecurity filtering.

  • Hi,

    I have problem with .htaccess.

    SecFilterEngine Off
    SecFilterScanPOST Off

    It wont work for flash uploader. I am using multi file flash uploader.

    Thanks,
    –Kapil

  • Hi. Yeah, this fix doesn’t work for me either.
    But thanks for the time put into writing it… i gave it a shot..

  • ady

    All, this is not a generic fix and I was simply sharing my problem. This is specific based on the cause. If your error is caused by something else other than ModSecurity this will definitely not work.

    Identify your cause then focus on the fix.

    You need to understand how your hosting work, they might not allow settings to be overridden by .htaccess files.