[Xerte-dev] Re: Problems uploading Media
Dave Burnett
d_b_burnett at hotmail.com
Wed Jul 17 12:14:05 BST 2013
So the "intermittent" report must have been a red herring?
> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Wed, 17 Jul 2013 11:51:25 +0100
> Subject: [Xerte-dev] Re: Problems uploading Media
>
> Yeah, I think mod_security is filtering the POST data and finding a missing boundary that is flagging it as potential security breach...
>
> A .htaccess rule or more likely something the sysadmin can configure should be able to fix it...
>
> Not hear back from the guy on the forum yet though...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
> Sent: Wednesday, July 17, 2013 9:37 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: Problems uploading Media
>
> Well the coming from flash would seem to be the big difference - user agents?
>
> I got back late so will look at mod sec later - assuming its an apache module you configure?
>
> On 17 Jul 2013, at 09:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
> > Wizard -> Upload.php uses files array too, multipart-formdata so think that bit is ok... Its only the cookie passing that is different? No?
> >
> > I was wondering though if its the fact that we pickup the session token and pass it back to upload in the querystring that is being flagged. But I've seen many a site doing that...
> >
> > Regards
> >
> > John Smith
> > Learning Technologist
> > School of Health and Life Sciences
> >
> > Sent from Samsung Galaxy SII
> >
> >
> >
> > "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
> >
> >
> > Sorry for not being more on this
> >
> > Media and quote uses the file array in php, which might explain this.
> >
> > XML is just a string
> >
> > I suspect different policies on both hence security firing off.
> >
> > If still an issue try print_r files,post,get and request
> >
> > See if they behave differently?
> >
> > On 16 Jul 2013, at 15:48, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote:
> >
> > I need more than a pint!!
> >
> > I’m glad we’ve proved though that it’s not Xerte. Why Media & Quota tab is able to do a post though is strange and XML to save.php
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: Tuesday, July 16, 2013 3:44 PM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: Problems uploading Media
> >
> > That’s great work there, thanks a lot. Hoist yourself a pint o’ heavy on me.
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> > Sent: 16 July 2013 14:55
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: Problems uploading Media
> >
> > And now I’ve run the bioset server through a request method scanner and it reports the same… POST methods are being filtered through /mod_sec.html
> >
> >
> > Filtered Request Methods (Not 200 OR 405)
> >
> > POST
> > POST / HTTP/1.0
> > Host: uol-bioset.com<http://uol-bioset.com>
> > Accept-Encoding: deflate, gzip
> > Accept: */*
> > Referer: http://www.askapache.com/online-tools/request-method-scanner/
> >
> > HTTP/1.1 302 Found
> > Date: Tue, 16 Jul 2013 13:50:07 GMT
> > Server: Apache
> > Location: /mod_sec.html
> > Content-Length: 197
> > Connection: close
> > Content-Type: text/html; charset=iso-8859-1
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> > Sent: Tuesday, July 16, 2013 2:47 PM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: Problems uploading Media
> >
> > Ah didn’t read as far as I should have… 302 also returns a redirection URL, which in this case is /mod_sec.html
> >
> > <image001.jpg>
> >
> > http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html
> >
> > 1. Request URL:
> > http://uol-bioset.com/xerte/modules/xerte/engine/upload.php?path=USER-FILES/15-jjs-Nottingham/media/&BROWSER=safari&AUTH=xerte&PHPSESSID=9c0a954bc3d99c4eabff83204628g53u
> > 2. Request Method:
> > POST
> > 3. Status Code:
> > 302 Found
> > 4. Request Headersview source
> > 1. Accept:
> > */*
> > 2. Accept-Encoding:
> > gzip,deflate,sdch
> > 3. Accept-Language:
> > en-US,en;q=0.8
> > 4. Connection:
> > keep-alive
> > 5. Content-Length:
> > 595710
> > 6. Content-Type:
> > multipart/form-data; boundary=----------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
> > 7. Cookie:
> > PHPSESSID=9c0a954bc3d99c4eabff83204628g53u
> > 8. Host:
> > uol-bioset.com<http://uol-bioset.com>
> > 9. Origin:
> > http://uol-bioset.com
> > 10. Referer:
> > http://uol-bioset.com/xerte/edit.php?template_id=15
> > 11. User-Agent:
> > Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
> > 5. Query String Parametersview sourceview URL encoded
> > 1. path:
> > USER-FILES/15-jjs-Nottingham/media/
> > 2. BROWSER:
> > safari
> > 3. AUTH:
> > xerte
> > 4. PHPSESSID:
> > 9c0a954bc3d99c4eabff8324ba411514
> > 6. Request Payload
> > 1. ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3 Content-Disposition: form-data; name="Filename" Hydrangeas.jpg ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3 Content-Disposition: form-data; name="Filedata"; filename="Hydrangeas.jpg" Content-Type: application/octet-stream ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3 Content-Disposition: form-data; name="Upload" Submit Query ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3--
> > 7. Response Headersview source
> > 1. Connection:
> > Keep-Alive
> > 2. Content-Length:
> > 197
> > 3. Content-Type:
> > text/html; charset=iso-8859-1
> > 4. Date:
> > Tue, 16 Jul 2013 13:14:18 GMT
> > 5. Keep-Alive:
> > timeout=5, max=100
> > 6. Location:
> > /mod_sec.html
> > 7. Server:
> > Apache
> >
> >
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> > Sent: Tuesday, July 16, 2013 2:39 PM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: Problems uploading Media
> >
> > And so the plot thickens…
> >
> > On uploading some media on the bioset server and monitoring the network traffic in Chrome Dev Tools, you get this:
> >
> > <image002.png>
> >
> > Notice the ‘302 – Found’ code. Now I wasn’t sure if that was right or not. 302-Found usually means “Yes the file is here so please submit again!!”. So I tried on my server and get this:
> >
> > <image003.png>
> >
> > So what I expected, a 200 OK code… The thing is, if I copy the bioset url that received the 302 code, …upload.php?path=USER-FILES/15-jjs-Nottingham/media/&BROWSER=safari&AUTH=xerte&PHPSESSID=sessid_removed
> >
> > Then YES, It does update the parameters.txt file so upload.php is being executed on the GET request but not on a POST request…
> >
> > Anyone know what could cause that on a Linux server?? I definitely think that this is a server issue and not the code but why??
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> > Sent: Tuesday, July 16, 2013 1:48 PM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: Problems uploading Media
> >
> > I have full access as user and admin…
> >
> > Not to the filesystem…
> >
> > But as far as I can ascertain, upload.php is never being called. The very first line is now:
> >
> > file_put_contents('parameters.txt', var_export($_GET, true), true);
> >
> > and when you try to upload the media it says successful but the parameters.txt file hasn’t changed… at first I thought we had changed /modules/xerte/engine/upload.php and the site one was being called but that doesn’t appear to be the case either…
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: Tuesday, July 16, 2013 1:39 PM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: Problems uploading Media
> >
> > The other weird thing was media and quota didn’t work, and then suddenly did. That made me think liveware was to blame, but I don’t think it is in this case, and if you have access and can replicate, then it’s not that. Do you have full access to the server to try stuff on? That would help a lot if we can avoid having to bounce everything through the forum.
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: 16 July 2013 13:36
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: Problems uploading Media
> >
> > No, I’m stumped. It’s not really my area - thanks for your persistence. Can you prove whether upload.php is being called or not?
> >
> >
> > -
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> > Sent: 16 July 2013 13:27
> > To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk>
> > Subject: [Xerte-dev] Problems uploading Media
> >
> > Hi,
> >
> > Decided to take this off the Forum… still not getting anywhere with it though…
> >
> > So, I’ve patched the upload.php file to write out the $_GET parameter to see what’s being passed from the editor… the thing is that NOTHING is being passed, in fact upload.php doesn’t even look as if it’s being called…
> >
> > If you go here http://uol-bioset.com/xerte/modules/xerte/engine/upload.php?name=John then it writes to parameters.txt at http://uol-bioset.com/xerte/modules/xerte/engine/parameters.txt
> >
> > Now with this on my server, after uploading, parameters.txt looks like this:
> >
> > array (
> > 'path' => 'USER-FILES/2-john-Nottingham/media/',
> > 'BROWSER' => 'safari',
> > 'AUTH' => 'xerte',
> > 'PHPSESSID' => 'odF2q4By53rgwvYyJwcgo0',
> > )
> >
> > However, even now that I have access to the server, and can login and upload stuff via the upload button, parameters.txt never changes… even calling http://uol-bioset.com/xerte/modules/xerte/engine/upload.php with no parameters set shout just write an empty array but nothing is written, the upload path looks right (same as mine anyway).
> >
> > upload.php?path=
> >
> > Anyone have any ideas?
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> >
> > Glasgow Caledonian University is a registered Scottish charity, number SC021474
> >
> > Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
> >
> > Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> >
> >
> > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
> >
> > This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system, you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
> >
> >
> > Glasgow Caledonian University is a registered Scottish charity, number SC021474
> >
> > Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
> >
> > Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> >
> > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it bac
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>
> Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130717/5379eef9/attachment-0001.html>
More information about the Xerte-dev
mailing list