WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#6473 closed defect (bug) (wontfix)

Wordpress 2.5 fails to allow file uploads if you use .htaccess to secure wp-admin

Reported by: hexley Owned by:
Milestone: Priority: low
Severity: normal Version: 2.5
Component: Upload Keywords: needs-patch
Focuses: Cc:

Description

See this post for confirmation of others with trouble:
http://wordpress.org/support/topic/162198/page/2?replies=41#post-717406

Here is my .htaccess in wp-admin
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /somewhere/over./the/rainbow/.htpasswd
AuthGroupFile /dev/null
require valid-user

If I rename .htaccess to a.htaccess, in order to disable it, works just fine all over again.

My server logs show an http 401 error on:
/wp-admin/page-new.php Safari
/wp-admin/async-upload.php Flash

So, seems to me, user/pass credentials are not getting past Flash, and it is breaking.

Change History (16)

comment:1 follow-up: markjaquith6 years ago

  • Component changed from General to Administration
  • Milestone changed from 2.5.1 to 2.6
  • Priority changed from normal to low
  • Version set to 2.5

Can you exempt async-upload.php from HTTP auth ?

comment:2 follow-up: hexley6 years ago

I am confused about setting this to 2.6, seems a long way out. Look at the thread linked ab uploader ove, most are resorting to disabling mod sec, and I have a feeling they have no idea what they are disabling.

This is saying we should all no longer follow the numerous posts out there to secure your ap-admin area, and rely on the built in security of a wp login and pass form.

Is this a confirmation that my analysis of the bug is correct in that the auth'd credentials are not getting passed to the flash?

comment:3 in reply to: ↑ 1 hexley6 years ago

Replying to markjaquith:

Can you exempt async-upload.php from HTTP auth ?

I wish I knew how, in all my tests. No. Some can, you can setenvifnocase and some other things with <files> but even then, I would not want to. This being the only known way to fix this, leaves two files open to anyone stabbing at them as they please.

For now, the best I can say, is hope your IP is semi-static, and limit via IP, and dump password realm based auth protection.

comment:4 in reply to: ↑ 2 markjaquith6 years ago

Replying to hexley:

I am confused about setting this to 2.6, seems a long way out. Look at the thread linked ab uploader ove, most are resorting to disabling mod sec, and I have a feeling they have no idea what they are disabling.

This is saying we should all no longer follow the numerous posts out there to secure your ap-admin area, and rely on the built in security of a wp login and pass form.

Is this a confirmation that my analysis of the bug is correct in that the auth'd credentials are not getting passed to the flash?

2.5.1 is for major bugs. While I appreciate that it is very inconvenient for you that the flash uploader doesn't work, securing the wp-admin with HTTP authentication is utilized by a very small number of people, and the bug only affects a small portion of the wp-admin, so it's not going to be a huge priority for 2.5.1 If you find a WordPress-based solution, please share it. And if you find a .htaccess workaround, please share that as well. If a WP solution is found and it is both simple and unlikely to affect others, it might be considered for 2.5.1

If you can't find a workaround, IP-based auth might be a reasonable facsimile. Another way you could go is requiring a special secret cookie (that isn't set by wp-admin).

comment:5 hexley6 years ago

@markjaquith, thanks for the reply. I think it securing wp-admin is used by more than one may think. At any rate, it just all seems related, there is now a sticky in the forums about uploading, I would say a lot of people are not getting it to work.

The solution, to disable mod-sec. Interesting, I have not seen a singe post telling people what disabling that mod does. People are blindly turning something off that has the word security in it. At the very least, explain to users what this disable is going to do to them.

My gut tells me 99% of the image upload problems are that there is some security in place, people are not aware, and they are getting 401 errors.

I will do some poking at it, I do not know the flash lib thing you guys are using.

I will be honest, I will not explore a <files...> style workaround, or a mod-sec disable. It already is well known people are doing this, so it is also known which one, or in my case, two files are not secured outside of wp-admin built in auth. I would be just as well served trusting that wp-admin is secure with no .htaccess.

I am yet to find any of the people in the forums that will allow me access to their blog and files to test, so I am limited to my personal environment. I will see what I can do to help out, thanks again.

comment:6 follow-up: hexley6 years ago

Does Trac send emails out when this page is updated? I am not getting them, and do not see a preference for it.

comment:7 in reply to: ↑ 6 DD326 years ago

Replying to hexley:

Does Trac send emails out when this page is updated? I am not getting them, and do not see a preference for it.

If you add an email to your settings page: http://trac.wordpress.org/settings then it'll email you when a comment is added to a ticket which you've replied to.

comment:8 thee175 years ago

  • Component changed from Administration to Upload
  • Owner anonymous deleted

comment:9 Denis-de-Bernardy5 years ago

  • Keywords needs-patch added

some kind of filter, or a slight change, in media_upload_form() may do the trick. as in, if we pass the user/pass into the url.

comment:10 DD325 years ago

some kind of filter, or a slight change, in media_upload_form() may do the trick. as in, if we pass the user/pass into the url.

How?

passing http://username:password@.. in a document isn't exactly the most secure method..

comment:11 Denis-de-Bernardy5 years ago

correct, but I would hope that whoever protects his folder with htpasswd is also using SSL. :-D

comment:12 hexley5 years ago

I am not even sure this is an issue anymore. I would need to test. If you are going to pass user:pass@ and rely on SSL, I would just forget it, and leave it as is. The point of .htaccess to secure wp-admin is to add another layer of security. If you pass the user and pass along like that, I believe you make it worse.

It has been 13 months and I have not heard a lot of noise on this, I guess a lot of people do not care. Strange thing is, most "hardening" wordpress articles, say to use .htaccess to secure things.

It may be possible to just rename wp-admin, if not, it should be, as I would rather have security by obscurity in this case.

comment:13 Denis-de-Bernardy5 years ago

  • Milestone 2.9 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

let's close as wontfix then.

comment:14 hexley5 years ago

Agreed, I will test it again when I get around to updating again, and see what the current status is. For notes: I think this has to do with the flash upload part, and it was having issues passing auth around, it has been some time, it very well could be solved.

I will ref this ticket if it pops up again.

comment:15 DD325 years ago

This does have to do with the flash uploader.

I dont think the flash uploader even works with SSL.. even without the username.. Due to Flash constraints or something..

comment:16 Denis-de-Bernardy5 years ago

On a separate note (I noticed this when working on the $_REQUEST-related security ticket), there seems to be a means to be authenticated using $_ENV variables. In which case, you might want to check that out too. Search the WP code base for $_REQUEST[ and it'll lead you straight to it.

Note: See TracTickets for help on using tickets.