Problems posting images on SMF 2.06

Started by pirc-bw, January 24, 2014, 06:16:32 PM

Previous topic - Next topic

pirc-bw

On my board at http://bw-forums.com  we have been having problems getting images to upload as attachments.

The first problem began yesterday.  Although the file type .png is allowed we would get an error message saying that the image couldn't be posted because it wasn't an allowed file type.

Now today we are getting this...
An Error Has Occurred!
Your attachment has failed security checks and cannot be uploaded. Please consult the forum administrator.

How do we fix this?
Merlene
Version Information:
Forum version: SMF 2.0.16
Current SMF version: SMF 2.0.16
www.bw-forums.com

kat

Try... er... disabling security checks, in your attachments settings. Read the note, there, before you do that, though.


pirc-bw

I just checked and I did that, yesterday I think.  I will now have to check that the file failed can now be uploaded.  Would that also prevent a file type?
Merlene
Version Information:
Forum version: SMF 2.0.16
Current SMF version: SMF 2.0.16
www.bw-forums.com

kat

I would imagine that some filetypes are more susceptible than others, yes.

pirc-bw

Our board is all about creating images and then attaching them.  At least half will be in that format.  Is there any way to solve this?

I have disabled security checks and now it seems like it's hit or miss.  Sometimes they upload just fine and not the next time.
Merlene
Version Information:
Forum version: SMF 2.0.16
Current SMF version: SMF 2.0.16
www.bw-forums.com

kat

Some things to consider...

PNG files take-up a lot of room, compared to JPG files. Could the upload be timing-out, if the files are too big, filesize-wise? I know JPG files are lossy, compared with PNG. But, do the benefits outweigh the disadvantages? Maybe it'd be better for them to use JPG files, ay?

Do you have enough space, on the server, for a lot of attachments?

Do your attachment settings allow for such big files?

Just some things to consider.

Illori

this might help if the images are made in photoshop

Quote from: Spuds on January 05, 2012, 06:26:43 PM
Yup ... seen this a couple of times now .... as a work around you can do the following:

in Subs-Graphics.php

Code (find) Select
// Check for potential infection
if (preg_match('~(iframe|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk, $matches) === 1)

Code (replace) Select
// Check for potential infection
if (preg_match('~(iframe|(?<!cellTextIs)html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk, $matches) === 1)


Will allow images with that particular html "tag" to pass but other html tags will still fail.

pirc-bw

I am not finding Subs-Graphics.php in any of my theme folders.
Merlene
Version Information:
Forum version: SMF 2.0.16
Current SMF version: SMF 2.0.16
www.bw-forums.com

Dav999


pirc-bw

Oh, right....Sources.  I always forget about them.  Thanks, I have changed the code.
Merlene
Version Information:
Forum version: SMF 2.0.16
Current SMF version: SMF 2.0.16
www.bw-forums.com

kat


pirc-bw

I have asked those who had a problem to repost the same image.  We are still getting errors.
An Error Has Occurred!
Your attachment has failed security checks and cannot be uploaded. Please consult the forum administrator.
Merlene
Version Information:
Forum version: SMF 2.0.16
Current SMF version: SMF 2.0.16
www.bw-forums.com

a10

^^^ Am starting to see some of these "failed security checks" (for attachments that do not have any security problems whatsoever) in the logs (2.0.7), extra work + it's upsetting members (apart from the irritation of not being able to post, some also believe they got malware on their pc\phone). Seems smf is reading legit exif as threats. Got "extensive security checks" off, and "Re-encode" on. Thanks.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

margarett

I seem to recall a discussion about this some time ago. There's something related to Photoshop images or whatever...

Can you point me to such an image? Maybe zip it?

If you want to bypass that completely, just edit Sources/Subs-Graphics.php and find
function checkImageContents($fileName, $extensiveCheck = false)
{

Add after:
return true;
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

a10

Hello, thanks for replying. Sorry, did not keep any of the images (got some failing images by email, removed exif, emailed them back to members and they uploaded fine). The last occurrence was a jpg from an iphone, had normal exif and in addition gps info.

Will try your fix. Good to include options for security check, but seems 'something somewhere' needs adjustments to avoid false positives, apart from completely removing security.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

margarett

Picture from iPhone? Well I might have some of those here :P

edit: just tried, I was able to upload the image without issues... Maybe different setups have different responses?
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

trlacey

It's failing on html and eval.  I fixed it by changing the code to this:

if (preg_match('~(iframe|<html|eval(|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk, $matches) === 1)

Arantor

Aside from the small details that you just negated the two most useful tests in the batch.

While, yes, there is an issue with html, this is remedied as described above by adding the negative assertion for cellTextIsHtml, a known piece of unnecessary metadata added by Photoshop.

As for eval, your test is trivial to bypass - a space is perfectly legal syntax in PHP; a call of function ($param) with that space is completely legal. Is in other languages, too, which is why it was put in as simply eval in the first place (as some of the malware samples provided to the team were using spaces to evade some of the simpler detections such as the one you suggested. Now, if you'd put in eval\s*(, I'd agree with you, but I can see from your previous posts that you don't tend to listen to others and would generally prefer to roll your own solutions to problems...

trlacey

I think you're stating the blatantly obvious regarding the checks.  I'm working on my own code for my web server, so I don't really have time to meticulously go through smf's code.  While I could implement far better checks, I'm not all that concerned about it.  I couldn't care less really. 

Arantor

I'm stating something so obvious you missed both the changes. And you could care enough to tell people.

By the way, you also might want to look up NIH and the consequences for things like testing.

Advertisement: