
Your attachment has failed security checks and cannot be uploaded failure

Started by tarantula901, August 26, 2019, 01:42:41 PM


Kindred

well, maybe it's not a problem.... maybe the attachment HAS valid security issues....

What is the attachment?
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

tarantula901

Quote from: Kindred on August 26, 2019, 02:57:27 PM
well, maybe it's not a problem.... maybe the attachment HAS valid security issues....

What is the attachment?

Actually, the problem is: images containing EXIF do not load. How do I overcome this problem?

Arantor


tarantula901

Quote from: Arantor on August 26, 2019, 03:59:52 PM
Turn off the security check, it has always been overzealous.


Where do we turn off the security check?

Kindred


tarantula901

Quote from: Kindred on August 26, 2019, 04:49:43 PM
https://wiki.simplemachines.org/smf/SMF2.0:Attachments_and_Avatars
Perform extensive security checks on uploaded image attachments

This link did not help me. There is nothing restricted by hosting exif image external pictures are being loaded easily. Collective exif images cannot be loaded. This error gives me what I need to do to upload exif images. I use the settings in the link you have already made there I need to make a different setting. what it sets

What settings do I have to do to upload exif images?

Illori

Quote from: Kindred on August 26, 2019, 04:49:43 PM
https://wiki.simplemachines.org/smf/SMF2.0:Attachments_and_Avatars
Perform extensive security checks on uploaded image attachments
Perform extensive security checks on uploaded image attachments - Check this box to enable this function. Selecting this option will enable very strict security checks on image attachments. Please be aware that these extensive checks can cause valid images to fail too. It is strongly recommended to only use this option together with image re-encoding, in order to have SMF try to resample the images which fail the security checks. If this is successful, they will be sanitized and uploaded. Otherwise, if image re-encoding is not enabled, all attachments failing checks will be rejected.

Disable that setting, which is from that wiki page.

Arantor

The EXIF data looks suspicious even though it isn't and just being there sets off the security warning. Turn the security test off and it will work.

Note that it's not a good security measure as it finds many wrong cases and hasn't yet as far as I know found a single legitimate issue that wouldn't have been stopped in other ways.
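Added example, not part of the thread and not SMF's code: a Python sketch of why a raw string search over image bytes flags a harmless JPEG that carries metadata, and how dropping the metadata segments (one effect of the re-encoding the wiki text recommends) lets the same file pass. The token pattern, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

# Assumed, illustrative token list for a raw string search; not SMF's actual pattern.
SUSPICIOUS = re.compile(rb"<\?|<script|<html|<iframe", re.I)

def naive_scan(data: bytes) -> bool:
    """Return True if the raw file bytes contain a markup-like token."""
    return SUSPICIOUS.search(data) is not None

def strip_metadata(jpeg: bytes) -> bytes:
    """Copy a JPEG, dropping APP1..APP15 and COM segments (EXIF, XMP, comments)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("malformed segment header")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: the rest is compressed pixel data
            out += jpeg[pos:]
            return bytes(out)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("segment length out of bounds")
        if not (0xE1 <= marker <= 0xEF or marker == 0xFE):
            out += jpeg[pos:pos + 2 + length]  # keep non-metadata segments
        pos += 2 + length
    raise ValueError("no start-of-scan marker found")

def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a JPEG segment skeleton only, not a decodable picture.
# The APP1 payload holds metadata text with an XML-style packet header.
METADATA = segment(0xE1, b"Exif\x00\x00constructed metadata <?xpacket begin=''?>")
SAMPLE = (b"\xff\xd8"
          + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + METADATA
          + segment(0xDA, b"\x00") + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    print("original flagged:", naive_scan(SAMPLE))
    print("stripped flagged:", naive_scan(strip_metadata(SAMPLE)))
```

The scan fires on the metadata text alone, which is the false-positive behaviour described in the posts above; the pixel data is untouched by `strip_metadata`, whereas real re-encoding also resamples it.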


shawnb61

You could try applying this 2.1 fix to 2.0:
https://github.com/SimpleMachines/SMF2.1/pull/3961/files

If I had a serious photography site, I'd drop the "else" entirely and perform no string searches at all when extensive checks are disabled.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

tarantula901

Quote from: shawnb61 on August 27, 2019, 09:27:04 AM
You could try applying this 2.1 fix to 2.0:
https://github.com/SimpleMachines/SMF2.1/pull/3961/files

If I had a serious photography site, I'd drop the "else" entirely and perform no string searches at all when extensive checks are disabled.

He makes pictures for use in another. Is there a security vulnerability for the site?

shawnb61

I am not aware of any current vulnerabilities.  Those checks were for very old vulnerabilities.  I would only enable them if you have *NO* faith in your host & are running very old versions/configs of apache.

Arantor

Since the serving is done via PHP, I wouldn't even enable them for that.

tarantula901

Quote from: shawnb61 on August 27, 2019, 03:06:26 PM
I am not aware of any current vulnerabilities.  Those checks were for very old vulnerabilities.  I would only enable them if you have *NO* faith in your host & are running very old versions/configs of apache.

I just wanted to know if there was a security vulnerability due to the changes I made.

Thanks for your help.

Arantor


