Attachment rejected due to "possible attack vector"

ZeroKnight · Post by **ZeroKnight** » Mon Nov 01, 2010 10:56 pm

Hello. On my board, I have allowed the uploading of .txt files.

However, when attempting to upload one, I am presented with this error:

"The upload was rejected because the uploaded file was identified as a possible attack vector."

I'm not entirely sure why it's giving me this error, but it wont let me upload the attachment. I have all the necessary options configured to allow .txt files to be uploaded.

Is there a way I can force the upload? I'm both an Admin and a Founder. Help is greatly appreciated.

Thank you for your time.

AdamR · Post by **AdamR** » Mon Nov 01, 2010 11:03 pm

Let's try to eliminate the basic causes first. Could you please fill out the Support Request Template so we can get a better idea of the issue?

- Adam

ZeroKnight · Post by **ZeroKnight** » Tue Nov 02, 2010 1:55 am

Support Request Template
What version of phpBB are you using? phpBB 3.0.7-PL1
What is your board's URL? http://www.animetempest.com/forum
Who do you host your board with? http://www.whiteknighthosting.com/
How did you install your board? Someone else installed my board for me
Is your board a fresh install or a conversion? Fresh Install
Do you have any MODs installed? No
Is registration required to reproduce this issue? Yes
What styles do you currently have installed? DirtyBoard 2.0, 1Blackout, prosilver, subsilver2
What language(s) is your board currently using? British-English
Which database type/version are you using? MySQL 5
What is your level of experience? Comfortable with PHP and phpBB
What username can be used to view this issue? test
What password can be used to view this issue? testaccount
When did your problem begin? No answer given
Please describe your problem. When trying to attach a .txt file, I receive the error "The upload was rejected because the uploaded file was identified as a possible attack vector."

All necessary options to allow users to attach .txt files are set in the ACP, yet I receive this error, and I cannot attach the .txt file.
Generated by SRT Generator ($Rev: 4502 $)

AdamR · Post by **AdamR** » Tue Nov 02, 2010 3:04 am

Can you try uploading that same file here?

- Adam

ZeroKnight · Post by **ZeroKnight** » Tue Nov 02, 2010 4:27 am

I can't even upload it here. I get the same error.

I read elsewhere that having HTML in the file is what's throwing the error.
The contents are a template for uploaders to follow, and in variable fields, I notated what should belong with angle brackets. <>

So if I had to guess, it's seeing the angle brackets and thinking it's HTML.
Is there a way I can disable this check for .txt files? It seems rather silly that it even checks .txt files at all, considering that .txt files can't execute anything themselves, they can't really be malicious.

AdamR · Post by **AdamR** » Tue Nov 02, 2010 4:42 am

If you have access to phpMyAdmin, run the following query on the database:

Code: Select all

SELECT config_value FROM phpbb_config WHERE config_name= 'mime_triggers';

Post the result back here.

- Adam

narqelion · Post by **narqelion** » Tue Nov 02, 2010 5:32 am

ZeroKnight wrote:I can't even upload it here. I get the same error.

Have you tried other .txt files to see if the problem is specific to the one file or all files? I ask because using your test account I was able to upload various .txt files to your board all created with different editors and different content without any error. Can you zip the file in question and attach it here, I'd like to look at it.

ZeroKnight · Post by **ZeroKnight** » Tue Nov 02, 2010 6:27 am

AdamR wrote:If you have access to phpMyAdmin, run the following query on the database:
Code: Select all
SELECT config_value FROM phpbb_config WHERE config_name= 'mime_triggers';
Post the result back here.

- Adam

I don't know how to show you it exactly, but it returned a config_value

Code: Select all

body|head|html|img|plaintext|a href|pre|script|table|title

narqelion wrote:
ZeroKnight wrote:I can't even upload it here. I get the same error.
Have you tried other .txt files to see if the problem is specific to the one file or all files? I ask because using your test account I was able to upload various .txt files to your board all created with different editors and different content without any error. Can you zip the file in question and attach it here, I'd like to look at it.

Haven't tried others, but if you got yours to work then I'll take your word for it.
Here it is:

annoyingtxt.zip: (611 Bytes) Downloaded 22 times

AmigoJack · Post by **AmigoJack** » Tue Nov 02, 2010 6:43 am

ZeroKnight wrote:Haven't tried others, but if you got yours to work then I'll take your word for it.
Here it is:
annoyingtxt.zip

It's <title as the one and only reason why your file is rejected. Either modify your mime_triggers dataset in the database table, or make sure HTML(like) tags are not within the first 256 bytes of a file.

ZeroKnight · Post by **ZeroKnight** » Tue Nov 02, 2010 8:06 am

I removed all of what was in "config_value" and tried uploading the .txt file again, but I still got slapped with the error.

Sure is persistent :/

AmigoJack · Post by **AmigoJack** » Tue Nov 02, 2010 8:24 am

ZeroKnight wrote:I removed all of what was in "config_value"

ZeroKnight · Post by **ZeroKnight** » Tue Nov 02, 2010 9:19 am

I understand what you said. I didn't want ANY HTML(like) tags setting off that alert. Which is why I removed them all. It's pretty pointless to reject a .txt file for having HTML(like) tags if it can't do anything anyway.
It's a bit of an overprotective measure. Plus, if removing all of them didn't solve the problem, why would removing one help?

AmigoJack · Post by **AmigoJack** » Tue Nov 02, 2010 9:36 am

ZeroKnight wrote:It's pretty pointless to reject a .txt file for having HTML(like) tags if it can't do anything anyway.

...as long as you think it will always be interpreted as a text. Just think of it like "what if I upload filename.txt which really contains executable code - when does it get interpreted by the server?" Setting the configuration text to empty triggers a bug, that's all.

Also: did you forgot the first 256 bytes I mentioned? So either add enough text to the top or (if you really want to never check for HTML-like text) modify the configuration to something like nowthistextwouldneverbefound i hope.

Erik Frèrejean · Post by **Erik Frèrejean** » Tue Nov 02, 2010 11:25 am

ZeroKnight wrote:I understand what you said. I didn't want ANY HTML(like) tags setting off that alert.

Yes you want that to happen if the HTML is in the first 256 bytes of the attachment. Have a look at this blog post if you are convinced that you don't need that.

ZeroKnight · Post by **ZeroKnight** » Wed Nov 03, 2010 7:43 pm

Okay, so the only reason this mime-sniffing "feature" is here, is because the [sarcasm]completely-security-hole-free IE[/sarcasm] can't tell the difference between .html and any other file extensions? When every other browser can?

If people coming to my board are stupid enough to be using that hellish browser, and just so happen to download/view a "malicious" attachment, it's not my fault.
Assuming they can even make their way to my board without being affected by some other security hole.

And BTW, 256 bytes in a .txt document are 256 characters. So I'd have to have 256 useless characters. Which wont work, considering it's a template, used to speed up the uploading post process. Having 256 crap characters kinda kills a quick Copypasta, don't you think?

So. In regards to my choices, may I please have an answer on how to disable mime-sniffing?
I don't think that's such an unreasonable request.