Unable to post a comment with attachment

@frank5, @julien3, @stefan.rohlfing, @pieterjan.


Support have responded to this, specifically in agreement with @floripare,


This is not a paste of their reply…

  • The vulnerability that this rule is mitigating is:
    Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.

  • Free plan users can’t disable this rule without upgrading and given that it is not an issue with WordPress’ core function, it is unlikely that this rule will be modified.

  • The rules active on the free plan are to protect against specific vulnerabilities, as explained in this blog post; this rule is not mentioned there, but the principle is similar.

  • It is not recommended to disable this rule even on a higher plan due to the vulnerability that it is protecting from.

4 Likes
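The vulnerability quoted above is about a comment that is longer than its database column: MySQL silently cuts the text off at the column limit, so what ends up stored is not the text that was validated. As an added example (not from this thread, not WordPress code, and not a description of how the WAF rule itself works), the check below refuses a comment that would be truncated instead of letting the database do it. The column size, charset, `sanitize_comment` stand-in and the sample comments are all assumptions/constructed values.

```python
import html

# Assumption: MySQL TEXT column capacity in bytes (a documented MySQL limit)
TEXT_MAX_BYTES = 65535
# Assumption: the column charset; the byte count depends on it
COLUMN_CHARSET = "utf-8"


def byte_length(text: str, charset: str = COLUMN_CHARSET) -> int:
    """Length of the text as the database column would store it (bytes, not characters)."""
    return len(text.encode(charset))


def sanitize_comment(text: str) -> str:
    """Stand-in for the real comment filter: escape all HTML. Note that escaping
    makes the text longer ('<' becomes '&lt;'), so length must be measured after it."""
    return html.escape(text, quote=True)


def check_column_length(value: str, max_bytes: int = TEXT_MAX_BYTES,
                        charset: str = COLUMN_CHARSET) -> bool:
    """True when the value fits the column without truncation."""
    return byte_length(value, charset) <= max_bytes


def prepare_comment(text: str):
    """Sanitize first, then measure exactly what will be written.
    Returns the value to store, or None when storing it would truncate it."""
    stored = sanitize_comment(text)
    if not check_column_length(stored):
        return None
    return stored


def naive_truncate(value: str, max_bytes: int = TEXT_MAX_BYTES,
                   charset: str = COLUMN_CHARSET) -> str:
    """What silent storage truncation does: cut at a byte offset with no regard
    for character, entity or tag boundaries. Demonstration only; the check above
    exists so this never happens to real data."""
    return value.encode(charset)[:max_bytes].decode(charset, errors="replace")


if __name__ == "__main__":
    # Constructed sample comments
    samples = {
        "ascii at limit": "a" * 65535,            # exactly fits
        "ascii over limit": "a" * 65536,          # one byte too many
        "emoji, 16384 chars": "\U0001F600" * 16384,  # 4 bytes each = 65536 bytes
        "20000 '<' chars": "<" * 20000,           # escapes to 80000 bytes
    }
    for name, text in samples.items():
        result = prepare_comment(text)
        print(f"{name:22s} chars={len(text):6d} "
              f"stored={'rejected' if result is None else str(byte_length(result)) + ' bytes'}")
    # Cutting an escaped string at an arbitrary byte leaves a broken entity behind
    print("naive truncation of '&lt;&lt;' at 6 bytes ->", repr(naive_truncate("&lt;&lt;", 6)))
```

Two points the demo makes: the limit must be applied in bytes of the column charset (a 16384-character emoji comment is already over a 65535-byte column), and it must be applied after sanitization, because escaping expands the text.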

@domjh,

But I want to shoot myself in the foot, why won’t Cloudflare let me shoot myself in the foot? Just because CV in the rule description means Critical Vulnerability.

I’d recommend uninstalling plugins until you get to a point where this WAF rule isn’t triggered. Barring that, there are probably a ton of other CDNs who will let you shoot yourself in the foot for free (or next to it) if that’s what you are into.

-OG

1 Like

Hi @OliverGrant,

Yes, yes and yes!

I think it is specifically the plugin to allow for images uploaded to comments, in this case, that causes this, but in general, yes!

1 Like

@domjh Thanks for your thorough follow-up.
I am also using the Comment Attachment plugin, didn’t know it was closed by wordpress.org. But if this vulnerability only applies to WordPress before 4.2.1, why do we still need this WAF rule?
The fact that another plugin (DCO Comment Attachment) has the same issue makes me wonder: is there something intrinsically dangerous in letting users upload images? Or would it be possible to write an image upload plugin that avoids the vulnerability, as @floripare suggests?

On reading through this thread I had the same question. What are the steps plugin developers must take to allow the upload of images in a way that doesn’t trigger this WAF rule?

This is the plugin I have installed: https://codecanyon.net/item/woocommerce-photo-reviews/21245349 It collects photo reviews from customers, but without the ability to upload images it’s pretty worthless.

I’m on the free plan and therefore cannot manage any firewall rules. But I really hope there’s a solution to this problem even for those currently on the free plan.

Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 […]

Does the rule check the WordPress version installed to make sure it only runs on sites up to version 4.2.1?

I have a WordPress installation with version 5.2.2 and the rule is still firing. I don’t use the plugin but made a function for this without the vulnerability.

It seems that this rule is always firing and not checking the WordPress version number, which is what causes issues here.
There is now no possibility to upload images to wp-comments-post.php.

The response marked as the solution is as far as we can help you in this thread. Though I’m curious as to how it used to work for @frank5 before.

It’s deliberately set by Cloudflare, so you would have to contact them for more detailed assistance:
Login to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.

1 Like

I created Request #1741534 three days ago, but I haven’t heard back from them yet.

@sdayman, I am also curious why this was working before. But it was, I am sure of that. I suppose Cloudflare recently activated or changed this rule on Free accounts.

2 Likes

@frank5 Yes me too, can you send an update when you hear anything from the support request?

I wouldn’t be surprised. As they monitor web traffic for millions of web properties, I’d expect them to apply certain rules more widely as whatever these rules protect become the object of widespread attack attempts.

I doubt Cloudflare will provide much information on that front, as of course one of the tenets of web security (and security in general) is that you don’t completely reveal your protections, otherwise you’d be making the life of criminals a lot easier.

I’d like to follow the request you posted. Could you paste the link here? I did a Google search but couldn’t find it.

You can try this link, but I think requests are private to each account.
https://support.cloudflare.com/hc/en-us/requests/1741534

I have the same problem allowing users to upload pictures, so did you guys find a solution now?

I am working with Cloudflare support. They’re asking me to do something to isolate the problem. That will take me a few days. When I have a definite answer, I will post it here.

1 Like

I have the same problem here. Still don’t know how to fix it.

If you pause Cloudflare, are you still seeing the issue? How do I temporarily deactivate Cloudflare?

If the issue persists after Cloudflare has been paused, it means that there is an issue with your origin, since Cloudflare is only operating as your DNS provider while it is paused.

You can set a Page Rule to exclude the admin section of your CMS from Cloudflare. Guide here for wordpress, https://support.cloudflare.com/hc/en-us/articles/200169526-I-get-a-site-offline-error-message-when-updating-or-accessing-the-admin-section-of-my-content-management-system

That’s exactly what Cloudflare support suggested. But if I simply pause Cloudflare my site stops working because I rely on Cloudflare for SSL. So I need to change my test site to not require SSL, and I haven’t had time to do that yet.

1 Like

How long do I have to wait after temporarily disabling Cloudflare?

I waited for 10 minutes but then got the same error on form submission.

What I don’t understand is that this error message still came from Cloudflare (see bottom right corner):

If the issue persists after Cloudflare has been paused, it means that there is an issue with your origin, since Cloudflare is only operating as your DNS provider while paused.