
pictures rejected because of possible "evil payload"


I just got 2 pictures rejected that I tried to upload to my site.
Both pictures are portraits, and a part of a larger set.
Where can I manage the settings to avoid this in the future?

4 replies

There is no setting to toggle this. Images that are uploaded need to be unprocessed by 3rd-party programs that may add header tags in the image code. There are many topics about this throughout our forums here.
It is standard .jpg pictures converted from raw in Adobe Lightroom.
This is the first time I have experienced this in PHP Fusion, and I am starting to consider whether PHP Fusion is the right CMS for me.
I have used PHP-Fusion since version 6 and love the concept.
Safe image handling toggle off can be added in the next version. But this feature is a necessary one because of inline codes in images. To remove the embedded code in the image, you can use image processor software like Adobe Photoshop and save as .jpg again.
The problem with your image is that it does not pass the safety check due to a possible embedded payload (a Trojan, if you will), as mentioned.
When you open images that fail the check, you will find lines similar to the following:
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>



PHP-Fusion does not allow any payloads of any kind to be embedded in image uploads. There is really no way around this one since anyone can attach any script in an Avatar or forum attachment etc.

If our MIME check fails for some reason it can be disabled via the 9 Settings. But this image verify safety check is standard; payloads have nothing to do in images.
You need to make sure that images are clean.
Many sites have been hacked using this method, that is why it is required and it has been so since at least late PHP-Fusion 6.
A reason that some images start to fail for you now might be that you use new or upgraded programs that add codes to your images that you are not yet aware of.

To be extra specific: in order for our safety checks to be efficient against a wide range of possible attacks, we need to search for and reject all types of <? and eval(). Since your image contains PHP code, it is rejected by Core, default.

See if you can turn off any ID or xml identification injections to images you post process before uploading to your system.
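
The check described in the replies above (reject any upload whose bytes contain <? or eval() and the way an XMP packet written by an editor such as Lightroom trips it, as an added Python example that is not part of the thread and is not PHP-Fusion's own code. The function names and the sample JPEG bytes are constructed for illustration; only the <?xpacket line is taken from the thread.

```python
import struct

XMP_NS = b"http://ns.adobe.com/xap/1.0/\x00"  # identifier that opens an XMP APP1 segment
MARKERS = (b"<?", b"eval(")                    # patterns the thread says are rejected

def scan_payload(data: bytes) -> list[str]:
    """Return the rejected markers found anywhere in the file bytes."""
    lowered = data.lower()
    return [m.decode() for m in MARKERS if m in lowered]

def strip_xmp(jpeg: bytes) -> bytes:
    """Copy a JPEG, dropping only APP1 segments that carry an XMP packet."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, copy it untouched
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        body = jpeg[pos + 4:pos + 2 + length]
        if not (marker == 0xE1 and body.startswith(XMP_NS)):
            out += jpeg[pos:pos + 2 + length]  # keep JFIF, Exif, tables, etc.
        pos += 2 + length
    return bytes(out + jpeg[pos:])

def segment(marker: int, body: bytes) -> bytes:
    """Build one JPEG segment: FF, marker, big-endian length, body."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed sample: structurally valid segments, not a decodable photo.
XMP = XMP_NS + (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
                b'<x:xmpmeta/><?xpacket end="w"?>')
SAMPLE = (b"\xff\xd8"
          + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(0xE1, XMP)
          + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    print("as exported:", scan_payload(SAMPLE))            # XMP packet matches "<?"
    print("XMP removed:", scan_payload(strip_xmp(SAMPLE)))
```

The pixel data is never re-encoded, so image quality is unchanged. Compressed image data can still contain the same two bytes by chance, so rescan the stripped file rather than assuming it is clean.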
Author: iceman50
Forum: Content Administration - 9
Replies: 5 posts
Viewed: 351 times
Active: Last updated on 5 months ago
Users who participated in discussion: Falk, Chan, iceman50