uploaded images zero bytes/forged requests

[Jennifer S]

I am stuck. Seven days ago, something changed such that when users try to upload images to my PW site, the images are posted to the page, but they show up as zero bytes. The folder is created in the files folder, the image name is recorded, the type of file is recorded, but the byte size is zero. 

When I looked into the problem this morning, I received the "This request was aborted because it appears to be forged." message whenever I tried to upload images. Turning off protectCSRF in the config file suppresses the aborted image message and now I just get the zero-byte image bug, but I don't know why.

I've checked permissions on the files directory, changed it recursively to 777 and then back to 755 with no change. I checked that I have active sessions, logs, and cache folders. I checked on the permissions of the config.php file. I changed the sessionName, and turned off the challenge and fingerprint functions but nothing is budging. 

I installed a new PW site yesterday and so I keep thinking something is colliding but it looks like the images have been failing to write to the files directory for the last week.

I'm getting the same results in multiple browsers after any number of cache-clears so I don't think it is client-side. 

This is a look at the PHPinfo for the site.

Best wishes,

J

[kongondo]

Hi J,

Maybe not a great idea to share your PHPInfo publicly? In itself, it may not be an issue, but if there was another vulnerability in your system (am not saying PW has a vulnerability; but other systems in your setup might) .....the less info u offer for free the better

Edited July 9, 2013 by kongondo

[horst]

 I am stuck. Seven days ago, something changed such that when users try to upload images to my PW site, the images are posted to the page, but they show up as zero bytes. The folder is created in the files folder, the image name is recorded, the type of file is recorded, but the byte size is zero. 

This definetly sounds to some sort of filesystem permission.

Have you turned debug on and there are error-logs? Do you have a look into Browser-Console (JS, Network), because upload is ajax-based.

When I looked into the problem this morning, I received the "This request was aborted because it appears to be forged." message whenever I tried to upload images.

sounds like filesystem permission too! (Session-files)

You also need to check Apache logs. Has the server software changed 7 days ago? Or if it is a hosted account, was the account moved?

----

Also, don't know if it is relevant here, you have in PHP-settings upload_max_filesize 2M and post_max_size 8M, - not that much.

[Jennifer S]

That's a good idea to check the JS console when trying to upload images. It shows the right file size briefly after I drag it in the box but when the sub-box is finished being animated and displayed, the file size shows as zero. I'm not seeing anything show up in the console, though.

I've emailed my server admins and asked if anything has changed in the last 7 to 10 days. PHP was updated about two weeks ago, apparently. I described the problem as the system throwing error messages relating to cross-site request forgery protection -- it seems to be having trouble getting HTTP_SERVER tokens to match across the system -- but I really don't know if that's what the real problem is.

Whatever happens, I am sure to learn something! Thanks for the comments.

J

p.s. Line 92 of ImageSizer.php has a typo: "recogized" instead of "recognized"

[Jennifer S]

Hi. Looks like the problem was with my account being over quota. Sorry for the spam.

Message to others: file writes failing? Check your disk space!