
I'm using TinyMCE with the file manager Responsive File Manager, which includes DropZone.js. All attempts to upload files through it fail and a 403 Forbidden error message is returned.

I've tried to change the url parameter to, for example, "index.php" and "/ui/scripts/libs/filemanager/upload_notexists.php". "index.php" and the original url value are reachable without error messages if I type them in the address bar. The "notexists" url returns a 404 error, as it should, since it doesn't exist. Uploading always returns 403 Forbidden regardless of url.

I've tried to set forceFallback: true and method: "post"/method: "put". It still returns 403 Forbidden.

This is the code initializing DropZone.js:

// Client-side allow-list of file extensions (the server still has to validate uploads itself)
var allowed_ext = ['jpg','jpeg','png','gif','bmp','tiff','svg','doc','docx','rtf','pdf','xls','xlsx','txt','csv','html','xhtml','psd','sql','log','fla','xml','ade','adp','mdb','accdb','ppt','pptx','odt','ots','ott','odb','odg','otp','otg','odf','ods','odp','css','ai','zip','rar','gz','tar','iso','dmg','mov','mpeg','mp4','avi','mpg','wma','flv','webm','mp3','m4a','ac3','aiff','mid','ogg','wav'];

// dropzone config (requires jQuery to be loaded before this script, for $.inArray)
Dropzone.options.myAwesomeDropzone = {
    dictInvalidFileType: "Filtypen är ej tillåten.",
    dictFileTooBig: "Den uppladdade filen överskrider max storleken.",
    dictResponseError: "SERVER ERROR",
    paramName: "file", // The name that will be used to transfer the file
    maxFilesize: 100, // MB
    url: "http://subdomain.example.com/ui/scripts/libs/filemanager/upload.php",
    //url: "http://subdomain.example.com/index.php",
    // Reject files whose extension is not in allowed_ext before they are queued
    accept: function(file, done) {
        var extension = file.name.split('.').pop().toLowerCase();
        if ($.inArray(extension, allowed_ext) > -1) {
            done(); // no argument means "accepted"
        }
        else {
            done("Filtypen är ej tillåten."); // an error message marks the file as rejected
        }
    },
    //forceFallback: true,
    //method: "post"
};

I've tried with small (< 1 kB) images as well as multiple bigger ones.

I've also tested uploading with this basic code, which works:

<form method="post" enctype="multipart/form-data">
    Fil: <input type="file" name="filer[]" multiple>
    <br>
    <input type="submit">
</form>

Here is the Core section of phpinfo():

Core
PHP Version     5.3.28

Directive   Local Value Master Value
allow_call_time_pass_reference  On  On
allow_url_fopen On  On
allow_url_include   Off Off
always_populate_raw_post_data   Off Off
arg_separator.input &   &
arg_separator.output    &   &
asp_tags    Off Off
auto_append_file    no value    no value
auto_globals_jit    On  On
auto_prepend_file   no value    no value
browscap    no value    no value
default_charset no value    no value
default_mimetype    text/html   text/html
define_syslog_variables Off Off
disable_classes no value    no value
disable_functions   link,symlink,exec,shell_exec,system,passthru    link,symlink,exec,shell_exec,system,passthru
display_errors  Off Off
display_startup_errors  Off Off
doc_root    no value    no value
docref_ext  no value    no value
docref_root no value    no value
enable_dl   Off Off
error_append_string no value    no value
error_log   /dev/null   /dev/null
error_prepend_string    no value    no value
error_reporting 30711   30711
exit_on_timeout Off Off
expose_php  Off Off
extension_dir   /usr/local/php53/lib/php/extensions/no-debug-non-zts-20090626   /usr/local/php53/lib/php/extensions/no-debug-non-zts-20090626
file_uploads    On  On
highlight.bg    #FFFFFF #FFFFFF
highlight.comment   #FF8000 #FF8000
highlight.default   #0000BB #0000BB
highlight.html  #000000 #000000
highlight.keyword   #007700 #007700
highlight.string    #DD0000 #DD0000
html_errors On  On
ignore_repeated_errors  Off Off
ignore_repeated_source  Off Off
ignore_user_abort   Off Off
implicit_flush  Off Off
include_path    .:/usr/local/lib/php    .:/usr/local/lib/php
log_errors  Off Off
log_errors_max_len  1024    1024
magic_quotes_gpc    Off Off
magic_quotes_runtime    Off Off
magic_quotes_sybase Off Off
mail.add_x_header   Off Off
mail.force_extra_parameters no value    no value
mail.log    no value    no value
max_execution_time  500 500
max_file_uploads    2000    2000
max_input_nesting_level 64  64
max_input_time  -1  -1
max_input_vars  8000    8000
memory_limit    512M    512M
open_basedir    no value    no value
output_buffering    1   1
output_handler  no value    no value
post_max_size   1600M   1600M
precision   12  12
realpath_cache_size 16K 16K
realpath_cache_ttl  120 120
register_argc_argv  On  On
register_globals    Off Off
register_long_arrays    On  On
report_memleaks On  On
report_zend_debug   On  On
request_order   no value    no value
safe_mode   Off Off
safe_mode_exec_dir  no value    no value
safe_mode_gid   Off Off
safe_mode_include_dir   no value    no value
sendmail_from   no value    no value
sendmail_path   /usr/sbin/sendmail -t -i    /usr/sbin/sendmail -t -i
serialize_precision 100 100
short_open_tag  On  On
SMTP    localhost   localhost
smtp_port   25  25
sql.safe_mode   Off Off
track_errors    Off Off
unserialize_callback_func   no value    no value
upload_max_filesize 800M    800M
upload_tmp_dir  no value    no value
user_dir    no value    no value
user_ini.cache_ttl  300 300
user_ini.filename   .user.ini   .user.ini
variables_order EGPCS   EGPCS
xmlrpc_error_number 0   0
xmlrpc_errors   Off Off
y2k_compliance  On  On
zend.enable_gc  On  On

Edit: I've managed to turn on error logging on my shared hosting. It shows nothing. :c (2014-07-15 18:48)

Jonas Äppelgran
  • Can you mention your PHP file uploading code? – Man Programmer Jul 21 '14 at 09:00
  • Try adding file encoding in your code, for example `image/jpeg` for jpg or jpeg. Logically, the encoding of data sent to/received from the server is always specified. – MarmiK Jul 22 '14 at 12:41
  • Are you trying to upload from example.com to subdomain.example.com? A cross domain request won't work. – Khan Jul 23 '14 at 22:45
  • You should really have a look at the requests using the tools available for your browser - Web Console in Firefox (click Net dropdown and make sure Log is checked) or Developer Tools in Chrome (Network tab). They allow you to inspect the request along with all request headers, and you can compare to the basic form upload to see what the important difference is. – Wladimir Palant Jul 24 '14 at 07:48

2 Answers


Assuming your file is not uploaded and your URL is correct, it seems like the issue is linked to the Responsive File Manager file permissions (403: Forbidden).

Check the owner of these files and the .htaccess in parent directories.


It seems that my shared hosting throws a 403 Forbidden for every POST data string which includes "/../". As a security feature...

When Responsive File Manager sends the upload data to upload.php it also sends a config var, which in my case was "../../files", and because of that the server threw the 403 at me.

This SO answer got me believing this could be caused by mod_security, a firewall for Apache/hosting environments. I've contacted my shared hosting and will update the answer when they respond.

Jonas Äppelgran
  • Could it be that `/../` means go to the root dir and then try and go one directory further back? Which is not possible – RiggsFolly Jan 02 '20 at 21:46
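The difference between the two uploads in the question (the plain form that works and the Dropzone request that gets a 403) and the explanation in the accepted-by-the-asker answer (a "../../files" value in the POST body tripping a mod_security-style rule) can be reproduced offline. The following is an added example, not code from the question, the answers, Dropzone or Responsive File Manager: it builds both multipart bodies, runs the kind of parent-directory check a WAF applies to POST fields over them, and shows the server-side alternative of resolving an upload directory from an allow-list key instead of a client-supplied relative path. The field name "config", the boundary string, the file bytes and the `UPLOAD_DIRS` map are all constructed assumptions; the page only says that a config var containing "../../files" was sent.

```javascript
// Added example (not part of the original question or answers). Models, from
// the defender's side, why a POST body carrying "../../files" is rejected by
// a "/../" filter while the plain form upload passes, and what the server
// should do instead of trusting a client-sent relative path.

const BOUNDARY = "----constructedBoundary7MA4YWxk"; // constructed, any unique token works

// Build a multipart/form-data body from parts of the form
// { name, content } (text field) or { name, filename, content } (file field).
function buildMultipart(parts) {
  const lines = [];
  for (const p of parts) {
    lines.push(`--${BOUNDARY}`);
    if (p.filename !== undefined) {
      lines.push(`Content-Disposition: form-data; name="${p.name}"; filename="${p.filename}"`);
      lines.push("Content-Type: application/octet-stream");
    } else {
      lines.push(`Content-Disposition: form-data; name="${p.name}"`);
    }
    lines.push("", p.content);
  }
  lines.push(`--${BOUNDARY}--`, "");
  return lines.join("\r\n");
}

// Parse a body produced above back into { name, filename, content } parts.
function parseMultipart(body) {
  const parts = [];
  for (const seg of body.split(`--${BOUNDARY}`)) {
    if (seg === "" || seg.startsWith("--")) continue; // preamble / closing marker
    const headerEnd = seg.indexOf("\r\n\r\n");
    const headerBlock = seg.slice(2, headerEnd);       // skip the CRLF after the boundary
    const content = seg.slice(headerEnd + 4, -2);      // drop the CRLF before the next boundary
    const disp = headerBlock.split("\r\n").find(h => /^content-disposition:/i.test(h)) || "";
    const name = (disp.match(/ name="([^"]*)"/) || [])[1];
    const filename = (disp.match(/ filename="([^"]*)"/) || [])[1];
    parts.push({ name, filename, content });
  }
  return parts;
}

// A parent-directory segment: "..", bounded by a slash/backslash or string edge.
const TRAVERSAL = /(^|[\\/])\.\.([\\/]|$)/;

// WAF-style check over text fields and filenames. Percent-decoding happens
// first because a filter that only matches the literal "/../" would miss
// "..%2F..%2F". File contents are deliberately not scanned here; a real rule
// set may also inspect them.
function flagTraversal(body) {
  const findings = [];
  for (const part of parseMultipart(body)) {
    const candidates = part.filename !== undefined
      ? [["filename", part.filename]]
      : [[part.name, part.content]];
    for (const [field, raw] of candidates) {
      let value = raw;
      try { value = decodeURIComponent(raw); } catch (e) { /* keep raw on bad encoding */ }
      if (TRAVERSAL.test(value)) findings.push({ field, value: raw });
    }
  }
  return findings;
}

// The status such a filter would return for the request body.
function decide(body) {
  return flagTraversal(body).length === 0 ? 200 : 403;
}

// Constructed sample: what the plain <form> in the question sends.
const PLAIN_FORM_BODY = buildMultipart([
  { name: "filer[]", filename: "photo.jpg", content: "\xFF\xD8\xFF(constructed bytes)" },
]);

// Constructed sample: the Dropzone upload to upload.php with the relative
// "config" value reported in the self-answer. "config" as the field name
// is an assumption.
const DROPZONE_BODY = buildMultipart([
  { name: "config", content: "../../files" },
  { name: "file", filename: "photo.jpg", content: "\xFF\xD8\xFF(constructed bytes)" },
]);

// Server-side alternative: the client sends an allow-listed key, never a
// path, and the server maps it to a directory it chose. Paths are assumptions.
const UPLOAD_DIRS = {
  images: "/var/www/uploads/images",
  documents: "/var/www/uploads/documents",
};

function resolveTargetDir(key) {
  return Object.prototype.hasOwnProperty.call(UPLOAD_DIRS, key) ? UPLOAD_DIRS[key] : null;
}
```

Running `decide(PLAIN_FORM_BODY)` gives 200 and `decide(DROPZONE_BODY)` gives 403, with `flagTraversal` naming the `config` field, which is the asymmetry the question describes. Relaxing the hosting filter would make the upload work but keeps the underlying weakness: a client-controlled relative path in the request. Mapping a key through `resolveTargetDir` removes the need to ever send "../" across the wire, so the same request passes the filter unchanged.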