HTTP Error – WordPress Flash Uploader

Posted in WordPress on Sep 25, 2014

Recently a number of our customers moved their websites to a VPS (Virtual Private Server) running 64-bit CentOS, WHM, cPanel, Apache 2.2, PHP 5.3, and MySQL 5.x. This move was prompted by their need for better performance and greater control from running their own hosted web environment, and the VPS seemed like the best fit at the time. Overall their move went better than expected, with no major issues. However, one error that they noticed occurred frequently when they tried to use the Flash Uploader in WordPress: the dreaded HTTP Error.

Flash Uploader in WordPress HTTP Error

I call this HTTP Error the dreaded error because, after researching for hours, trying all the many suggested fixes, and finding nothing that worked consistently, our customers asked us for help with the error. We did some research for them and finally stumbled upon a web site that gave us enough information to correct the problem.

First of all, let me point out that this error IS RELATED to the MOD_Security module within Apache. In earlier versions of WordPress it was a bug, but it was fixed back in version 2.8. So if you are seeing this error in a later version of WordPress (we are running 3.2.1), it is most likely related to your Apache web server including the MOD_Security module. In order to fix the issue you will need to determine whether you have mod_security or mod_security2 installed, because the solution for each of these modules is quite different.

MOD_Security is an open source web application firewall that is installed as a module for Apache-based web servers. There are two widely used versions of the mod_security module: the first release was just plain mod_security, and the latest release is called mod_security2. At the time of this post the latest release of mod_security is ModSecurity 2.6.

What Causes the HTTP Error

As I mentioned, our customers are running CentOS 5.7 with WHM and cPanel, so the examples you see below are based on that configuration. However, you should be able to apply our tips to your own environment if you have an understanding of your server operating system and the location of the server files for Apache and Mod_Security.

The HTTP Error is caused by mod_security because there is a security rule in mod_security that is triggered by the WordPress Flash Uploader. This security rule is meant to stop known security flaws in Flash that have been exploited to inject code into your web site. You can see this security rule trigger a message in your mod_security logs in WHM when you try to upload a file using the Flash Uploader. The message we were receiving was the following:

Access denied with code 406 (phase 2). Pattern match "^Shockwave Flash" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "203"]

Your message may be different depending on the version of mod_security you have installed. As you can see from our message, it clearly states that the rule triggered by the pattern match was in the modsec2.user.conf file, which helped us to determine that we had mod_security2 installed.

You will need to determine which mod_security you have installed and then apply the fix described in the appropriate section below.


If you have the earlier version of mod_security installed, then it’s a little easier to fix the HTTP Error for the Flash Uploader because your changes can all be made in the .htaccess file in your root directory. This is one of the most confusing aspects of the fixes we found on the web, because not too many sites distinguished the fixes between mod_security and mod_security2.

For mod_security you just need to disable this rule for the async-upload.php file in your .htaccess file. You can do this by inserting the following directive into the .htaccess file in the root of your web site:

<Files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</Files>

Now when you use the WordPress Flash Uploader this mod_security rule will not be triggered. The Flash Uploader uses the page async-upload.php, and with the above directive the security filter and scanning have been turned off for that one page.

It’s important to point out that you do not want to disable mod_security for your entire site! We found several posts on the web that showed the above directive without the Files specification. DO NOT DO THIS! You will open your site up to all kinds of vulnerabilities because you will completely disable mod_security.

Once you have made these changes to your .htaccess file and saved them, your Flash Uploader should now work, as changes made to the .htaccess file take effect immediately.
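The warning about the missing Files specification can be checked mechanically. The following Python script is an added example, not part of the original post: it scans .htaccess text and reports every SecFilterEngine Off or SecFilterScanPOST Off that is not inside a Files block for async-upload.php. The function name and the sample inputs are constructed for illustration.

```python
import re

# ModSecurity 1.x directives from the article that switch filtering off.
DISABLE = re.compile(r"^\s*(SecFilterEngine|SecFilterScanPOST)\s+Off\b", re.I)
OPEN = re.compile(r'^\s*<(Files|FilesMatch)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r"^\s*</(Files|FilesMatch)\s*>", re.I)
EXEMPT = {"async-upload.php"}  # the only file the article exempts

def audit_htaccess(text):
    """Return (line_no, directive, scope) for every disable that is too broad."""
    findings, stack = [], []  # stack holds the open <Files>/<FilesMatch> blocks
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # Apache comment line
        opened = OPEN.match(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        else:
            hit = DISABLE.match(line)
            if hit and not stack:
                findings.append((no, hit.group(1), "site-wide"))
            elif hit and (stack[-1][0] != "files" or stack[-1][1] not in EXEMPT):
                findings.append((no, hit.group(1), stack[-1][1]))
    return findings

# Constructed samples: the bare directive, the scoped form, and a wildcard scope.
UNSCOPED = "SecFilterEngine Off\nSecFilterScanPOST Off\n"
SCOPED = """<IfModule mod_security.c>
<Files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</Files>
</IfModule>
"""
WILDCARD = "<Files *.php>\nSecFilterEngine Off\n</Files>\n"

if __name__ == "__main__":
    for name, sample in [("unscoped", UNSCOPED), ("scoped", SCOPED), ("wildcard", WILDCARD)]:
        print(name, audit_htaccess(sample))
```

An empty result means every disable is confined to async-upload.php; any FilesMatch block is reported because its regular expression is not evaluated here.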


If you are running mod_security2 then the .htaccess changes will not work!

Mod_security2 does not allow changes to its security rules through the .htaccess file. The only way you can make changes is through a file called /usr/local/apache/conf/modsec2/custom.conf. This is an important difference between mod_security and mod_security2, and one that I am sure has caused many web site owners a lot of anguish and grief.

Fixing this error, if you are running mod_security2, requires a two-step process:

Step 1 –

A) In WHM, open your MOD_Security log under Plugins/Mod Security.

B) At the top of the page you will see an “Edit Config” button. Click it and open the Mod Sec2 Rules.

C) Scroll down until you find the following entry under #Spam Bots –

SecRule HTTP_User-Agent "^Shockwave Flash"

D) We need to change this entry to add an ID so that we can reference it in our mod_security override later on. Copy this rule to a new line, comment out the old rule and add the following –

#SecRule HTTP_User-Agent "^Shockwave Flash"

SecRule HTTP_User-Agent "^Shockwave Flash" "id:xxxxxxxxxx"

Replace “xxxxxxxxxx” with an arbitrary number to be used as the ID for this rule. It doesn’t matter what the number is, but you will need to remember it for Step 2(C) in these instructions.

E) Scroll back to the top of the Modsec2 Rules and make sure that the 2 lines below are uncommented in your Modsec2 file. The lines should appear as below:

## whitelist ##

Include "/usr/local/apache/conf/modsec2/whitelist.conf"

Include "/usr/local/apache/conf/modsec2/custom.conf"

We will be making changes to the custom.conf file in Step 2 and we want to make sure that our changes are included in the ModSec2 Rules.

F) Save this file by clicking on the “Save Configuration” button at the bottom of the page.

Step 2 –

A) Now open an SSH connection to your server using your favorite SSH client. We used PuTTY for our purposes.

B) cd over to /usr/local/apache/conf/modsec2/

C) Using vi, modify the file custom.conf as follows:

SecRuleRemoveById xxxxxxxxxx

There may already be other entries in this file. If so, just add this entry to the bottom of the file and save it.

Again, it is important that you replace the “xxxxxxxxxx” with the arbitrary number that you chose in Step 1(D) above. This number is an arbitrary ID that we assigned and use to identify the Mod_sec2 security rule that we want to override.

D) Reboot your server for the changes that you made to take effect.

Once your server comes back online from your reboot, test your changes by uploading a file to your WordPress site through the Flash Uploader. If you followed all of the steps correctly, your file should now upload fine without the dreaded HTTP Error!
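A consistency check for the two-step procedure above, as an added Python example that is not part of the original post: it confirms that custom.conf is included, that the Shockwave Flash rule carries a numeric ID, and that custom.conf removes that same ID. The function names, the sample file contents and the ID 1234567890 are constructed for illustration.

```python
import re

RULE = re.compile(r'^\s*SecRule\s+\S+\s+"([^"]*)"(?:\s+"([^"]*)")?')
INCLUDE = re.compile(r'^\s*Include\s+"?\S*modsec2/custom\.conf"?\s*$')

def active(text):
    """Return the lines that are neither blank nor commented out."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def rule_id(rules_text, pattern="^Shockwave Flash"):
    """Numeric id of the active rule matching `pattern`, or None if absent."""
    for line in active(rules_text):
        m = RULE.match(line)
        if m and m.group(1) == pattern:
            found = re.search(r"\bid:'?(\d+)'?", m.group(2) or "")
            return found.group(1) if found else None
    return None

def is_removed(custom_text, ident):
    """True if a SecRuleRemoveById entry (single id or a-b range) covers ident."""
    for line in active(custom_text):
        m = re.match(r"^\s*SecRuleRemoveById\s+(.+)$", line)
        for tok in (m.group(1).replace('"', " ").split() if m else []):
            lo, _, hi = tok.partition("-")
            hi = hi or lo
            if lo.isdigit() and hi.isdigit() and int(lo) <= int(ident) <= int(hi):
                return True
    return False

def check_override(rules_text, custom_text):
    """List what is still wrong with the Step 1 / Step 2 edits (empty = consistent)."""
    problems = []
    if not any(INCLUDE.match(ln) for ln in active(rules_text)):
        problems.append("custom.conf Include is missing or commented out")
    ident = rule_id(rules_text)
    if ident is None:
        problems.append("no active Shockwave Flash rule with a numeric id")
    elif not is_removed(custom_text, ident):
        problems.append(f"custom.conf does not remove id {ident}")
    return problems

# Constructed sample files (the id is a made-up placeholder value).
RULES = '''## whitelist ##
Include "/usr/local/apache/conf/modsec2/whitelist.conf"
Include "/usr/local/apache/conf/modsec2/custom.conf"
#SecRule HTTP_User-Agent "^Shockwave Flash"
SecRule HTTP_User-Agent "^Shockwave Flash" "id:1234567890"
'''
CUSTOM = "SecRuleRemoveById 1234567890\n"

if __name__ == "__main__":
    print(check_override(RULES, CUSTOM) or "override is consistent")
```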

By Doug Flitton
