Modsecurity server was blocking javascript from uploads folder
This topic contains 3 replies, has 2 voices, and was last updated by Ernest Marcinko 2 months, 2 weeks ago.
November 25, 2022 at 11:54 am #40146
Hi, my server was blocking execution of the JavaScript of the Ajax plugin; in fact ModSecurity (cPanel) was blocking the operation, as JavaScript is being executed from the uploads folder. For security reasons this type of activity is prevented; in fact the uploading of files to this folder is possible for all users of the site, not only the administrators, and sometimes, through some plugins, even for visitors without access data. For this reason, uploading code to the uploads folder is one of the most frequent attack vectors on WordPress sites. The files in this folder should consist only of images, attachments, documents or anything you want to make available for download from your site, but not PHP or JavaScript code.
Allowing such files to be run/uploaded in WordPress puts the site’s integrity at risk and exposes it to DOS attacks, data theft, phishing, spam, and more. Is there a way to not load this kind of file from that folder?
Thank you very much
November 25, 2022 at 2:44 pm #40148
Hi,
I think you actually have a case here. Generally a JavaScript file should not be an issue, being a client-side feature – however I didn’t think of node.js or other server-side JavaScript engines. In this case this is luckily not a risk of any kind; the files are only static JavaScript, an aggregation of the actual plugin script files.
I am pushing for a bugfix release later today, I am testing a possible fix to this to move everything to the wp-content/cache/ folder, which could be the best place for the generated and aggregated assets.
I am attaching a beta test release of 4.21.1 to this post. Can you please install and check if it works for you?
Best,
Ernest Marcinko
If you like my products, don't forget to rate them on codecanyon :)
November 25, 2022 at 4:28 pm #40157
Hi dear, the beta seems to work properly. I reinstalled modsecurity and you can check it at this link https://www.rossorubino.tv/guida-vini/
Let me know of updates.
November 25, 2022 at 4:35 pm #40158
Perfect! Thank you very much for the feedback, the official update will be ready soon.
Best,
Ernest Marcinko
If you like my products, don't forget to rate them on codecanyon :)
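The policy discussed in this thread (only media and documents under the uploads folder, generated scripts kept elsewhere) can be checked with a small audit. The following is an added example, not part of the thread and not code from the plugin or from ModSecurity; the extension list, the content markers and the sample file names are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions treated as script content; adjust to your own policy.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".js", ".mjs"}
# Assumption: markers that should not appear inside media files or documents.
CODE_MARKERS = (b"<?php", b"<script")

def audit_uploads(root, sniff_bytes=4096):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Check every dotted part so double extensions are caught too.
            exts = {"." + part.lower() for part in name.split(".")[1:]}
            hit = exts & SCRIPT_EXTS
            if hit:
                findings.append((rel, "script extension " + sorted(hit)[0]))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes).lower()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            for marker in CODE_MARKERS:
                if marker in head:
                    findings.append((rel, "contains " + marker.decode()))
                    break
    return sorted(findings)

def demo():
    """Build a constructed uploads tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not taken from any real site
            "2022/11/photo.jpg": b"\xff\xd8\xff\xe0JFIF constructed image bytes",
            "plugin-assets/aggregated.js": b"console.log('aggregated');",
            "2022/11/avatar.png": b"\x89PNG\r\n<?php /* constructed */ ?>",
        }
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit_uploads(root)
```

Calling `audit_uploads("/path/to/wp-content/uploads")` on a real site lists the files to review; a static aggregated `.js` file is reported by extension only, which is the kind of hit the thread resolves by moving generated assets to `wp-content/cache/`.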