Solving PHP File Uploading Errors Caused By Mod Security

Most of the errors that are received from the new flash / javascript based mass uploaders are actually caused by the server. That isn’t to say there are other causes, but in my experience this is the most common cause of the problem. What about the server is causing the problems? Well let’s have a look.

Mod Security

Yes, believe it or not Mod Security is, 9 times out of 10 in my experience, the cause of all the uploading problems. Take for example my WordPress install. For quite a while I’ve been having problems where I would receive an ‘I/O Error’ or ‘HTTP Error’ for no apparent reason when uploading quite a few images. Turns out it was Mod Security mistaking the upload for a breach of security. Here is what you can do to fix it.

This will tell Mod Security to pass all requests from the specified script, but still provides certain security checks that don’t interfere with the scripts file uploading operations. For example if you are working with WordPress and having image upload problems you would need to pass async-upload.php like this:

Other applications such as Vbulletin 4’s new attachment manager can have the same problem. The script to allow in Mod Security with Vbulletin is newattachment.php:

Hopefully that makes sense & you’ll be able to figure out any others.

Basically you just need to allow the script that handles the file uploads. This also works well if you are working with a custom application using SWFUpload & in my experience gets rid of some of those pesky #20** flash errors you can get.

As always if you have any questions, or any thing to add let me know in the comments, or you can follow me on twitter by clicking the big blue birds in the sidebar.

written by

WordPress wizard, coding ninja and all round cool guy. Loves Sci-Fi, geeky stuff, and of course Firefly. Currently a self confessed addict of Korean & Japanese Pop.



Author’s gravatar

I have a problem with upgrading WordPress and plugins with the built in automatic upgrade process. It hangs completely. I think it has something to do with “ownership” but do you think this mod security thing might have something to do with it?

Author’s gravatar

I haven’t had a lot of experience with ownership on Unix systems, but I’d probably say Mod Sec isn’t the cause. It normally sends back a 403/503 error if it gets caught as a security problem.

I don’t think it would hurt to try though if you want to make sure. ;)

If that doesn’t work and you can tell me what environment your server is running on I might be able to tell you if there are any known problems with WordPress’ upgrade system & your current server setup.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">