
Problem uploading media with PreventSQLi enabled

Liga
16 June 2016, 09:15
Hello,

We are using Hiawatha 10.3 with Wordpress 4.5.2.

We have problems uploading media files (seems to be issue with larger files, f.ex. around 1.5MB) when PreventSQLi is enabled.

The error message we get is: HTTP error

From exploits.log:
1.1.1.1|Thu 16 Jun 2016 09:02:35 +0200|wordpress.net|/wp-admin/async-upload.php|SQLi|------WebKitFormBoundary8Z8lQKKweNMuErNe
Content-Disposition: form-data; name="name"

IMG_0601.jpg
------WebKitFormBoundary8Z8lQKKweNMuErNe
Content-Disposition: form-data; name="action"

upload-attachment
------WebKitFormBoundary8Z8lQKKweNMuErNe
Content-Disposition: form-data; name="_wpnonce"

457b6d20d1
------WebKitFormBoundary8Z8lQKKweNMuErNe
Content-Disposition: form-data; name="async-upload"; filename="IMG_0601.jpg"
Content-Type: image/jpeg


We have tested that disabling PreventSQLi solves the problem but as it is a wordpress installation, we would like to keep using it for security reasons.
Other settings that might be of interest:
MaxUploadSize = 20
MaxRequestSize = 20480
TimeForRequest = 5,30


Thanks in advance for any help you can give on the matter!

Regards,
Liga
Hugo Leisink
16 June 2016, 12:49
Checking for SQL injection while uploading files is always tricky, as there is a high chance that binary files contain a pattern that matches with an actual SQL injection. There is no way to detect an SQL injection and at the same time allow the uploading of files, while not degrading the reliability of this security check.

The PreventSQLi option should not be seen or used as some magic trick to make insecure applications secure. It should only be used as a temporary measure to keep an application online, while you wait for a patch.

And if you don't trust Wordpress because of its bad security reputation, perhaps you should stop using it...
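As an added illustration of the false-positive mechanism described in the reply above (example code written for this page, not Hiawatha's implementation or its rule set), the script below builds a multipart body modelled on the logged request, runs a toy SQLi signature over the whole body, and then over the parsed text fields only. The signature pattern, the fake JPEG bytes and all helper names are constructed for this example.

```python
import re

# Constructed sample modelled on the exploits.log excerpt above (not a real capture)
BOUNDARY = b"----WebKitFormBoundary8Z8lQKKweNMuErNe"
# Fake "JPEG" whose bytes happen to contain an SQL-looking sequence
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"' OR 1=1 " + b"\x00" * 8

def build_body(boundary, fields, file_field, filename, file_bytes, ctype=b"image/jpeg"):
    """Assemble a multipart/form-data body like the one WordPress' async-upload.php sends."""
    lines = []
    for name, value in fields:
        lines += [b"--" + boundary, b'Content-Disposition: form-data; name="' + name + b'"', b"", value]
    lines += [b"--" + boundary,
              b'Content-Disposition: form-data; name="' + file_field + b'"; filename="' + filename + b'"',
              b"Content-Type: " + ctype, b"", file_bytes, b"--" + boundary + b"--", b""]
    return b"\r\n".join(lines)

BODY = build_body(BOUNDARY, [(b"name", b"IMG_0601.jpg"), (b"action", b"upload-attachment"),
                             (b"_wpnonce", b"457b6d20d1")], b"async-upload", b"IMG_0601.jpg", FAKE_JPEG)

# Illustrative SQLi signature only; Hiawatha's real rule set is not reproduced here
SQLI = re.compile(rb"(?i)\bor\b\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\b")

def naive_scan(body):
    """Body-wide check: any match anywhere (file bytes included) trips the filter."""
    return SQLI.search(body) is not None

def parse_multipart(body, boundary):
    """Return (field name, is_file, data) for each part, using the CRLF framing of RFC 7578."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")   # drop CRLF after the delimiter
        headers = {}
        for line in head.split(b"\r\n"):
            k, _, v = line.partition(b":")
            headers[k.strip().lower()] = v.strip()
        disp = headers.get(b"content-disposition", b"")
        m = re.search(rb'name="([^"]*)"', disp)
        is_file = b'filename="' in disp or b"content-type" in headers
        parts.append((m.group(1) if m else b"", is_file, data[:-2] if data.endswith(b"\r\n") else data))
    return parts

def field_aware_scan(body, boundary):
    """Check only text fields; returns the names of fields that matched."""
    return [name for name, is_file, data in parse_multipart(body, boundary)
            if not is_file and SQLI.search(data)]
```

Skipping file parts is exactly the trade-off the reply describes: whatever is carried inside a file field is then no longer inspected, so this narrows the check rather than removing the tension between detection and reliable uploads.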