4 posts Page 1 of 1
Hi Team,

I have a strange one. I have been getting a couple of customers trying to upload PDF files to a website via the KCFinder module, and when they do they get a 403 error. I have asked them to send me the file, and I get the same error when I try to upload.

If I resave the file in Adobe Acrobat and upload again it uploads fine. Any ideas on why this would happen?

I have included a download link below to test on another installation. (Can't upload to forum as PDF)
https://we.tl/t-YpjPamk6Fw

Menu.pdf (Adobe Acrobat Saved Version)
Menu2.pdf (Client's Version, will not upload)
Hi,

I tried uploading both the attached PDFs, to two different servers, and encountered no trouble at all in the process.

I suspect there is some security mod active on your particular server (e.g. suhosin etc.) that is freaking out on certain contents of the PDFs. Please try approaching your hosting provider and see if they'd be willing to tweak some security rules for you.
Hi KK,

Thanks for the reply. My host was able to help, but for reference this is the error getting thrown up by modsecurity. A little weird.

Sep 27 09:22:42 httpd [modsecurity] [Wed Sep 27 09:22:35.801716 2023] [error] [client XX.XX.XX.XX] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_BODY|REQUEST_URI|XML:/*' '(?:define|fgets|strrev|move_uploaded_file|readfile|ftp_put|ftp_fget|gzencode|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|create_function|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|require|require_once|parse_ini_file|set|shell_exec|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|serialize|include|php_uname|preg_\w+|execute|gz(?:inflate|decode|uncompress)|zlib_\w+) ?[\"\(@]'] [id "383023"] [rev "6"] [msg "Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt - base64 encoded"] [logdata ""] [severity "CRITICAL"] 

Mod sec rule ID triggered from your IP address - [id "383023"]


And this is the information about the rule below:
https://docs.atomicorp.com/rules/waf/11_asl_adv_rules.conf.html#waf-rule-id-383023
Thanks for keeping us posted.
False positives are common with all security mods, unfortunately.
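
To see which bytes of a rejected upload match the pattern quoted in the ModSecurity log line above, the following added example (not part of the original posts or of the Atomicorp rule set) runs that pattern over a file and reports each hit. It assumes the pattern is applied case-sensitively to the raw request bytes; any transformations the real rule applies are not visible in the log, and the two sample byte strings are constructed.

```python
import re
import sys

# Pattern copied from the log line in the thread; the log's escaped quote (\")
# is restored to a plain quote. Applied to raw bytes (assumption, see lead-in).
RULE_RE = re.compile(
    rb'(?:define|fgets|strrev|move_uploaded_file|readfile|ftp_put|ftp_fget|'
    rb'gzencode|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|'
    rb'ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|'
    rb'ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|'
    rb'curl_multi_exec|curl_exec|eval|create_function|base64_decode|'
    rb'base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|'
    rb'include|require|require_once|parse_ini_file|set|shell_exec|popen|'
    rb'ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|serialize|'
    rb'include|php_uname|preg_\w+|execute|gz(?:inflate|decode|uncompress)|'
    rb'zlib_\w+) ?["\(@]'
)

# Constructed samples: a PDF-like body whose title text happens to contain
# "set (", and the same body with a title that does not.
SAMPLE_BLOCKED = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Constructed sample) "
                  b"/Title (Menu set (lunch)) >>\nendobj\n%%EOF\n")
SAMPLE_RESAVED = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Constructed sample) "
                  b"/Title (Menu) >>\nendobj\n%%EOF\n")


def find_triggers(data, context=12):
    """Return (offset, keyword, surrounding bytes) for every pattern match."""
    hits = []
    for m in RULE_RE.finditer(data):
        # The match ends with an optional space and one of " ( @; drop them.
        keyword = m.group(0)[:-1].rstrip(b" ").decode("ascii")
        lo = max(0, m.start() - context)
        hi = min(len(data), m.end() + context)
        hits.append((m.start(), keyword, data[lo:hi]))
    return hits


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the blocked sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            body = fh.read()
    else:
        body = SAMPLE_BLOCKED
    for offset, keyword, around in find_triggers(body):
        print(f"offset {offset}: keyword {keyword!r} in {around!r}")
```

Comparing the hit list for the rejected file with the resaved copy shows whether the rewrite removed the matching bytes, which is useful detail to pass to the host when asking for a rule exception.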