• Resolved gstark

    (@gstark)


    I have a multi site setup with Ninja Firewall, and it’s mostly working very well.

    My understanding is that, as the admin user (I am the only user on these sites) I should be able to upload files to my sites, regardless of the policy settings for the firewall.

    However, I find that my uploads are being blocked, with an entry on the firewall logs to that effect. If I enable uploads in the policy settings, all is good, but I’m wondering as to what is going on here.

    Thanks in advance for your help.

    https://www.ads-software.com/plugins/ninjafirewall/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Did you check if there was any warning or error message displayed in NinjaFirewall “Overview” page?

    Thread Starter gstark

    (@gstark)

    Thank you.

    Nothing in the Ninja Overview page, which also shows that I am whitelisted.

    On the upload page, I am shown that there’s an HTTP error, which is consistent with Ninja rejecting the file.

    When I change the policies setting to allow uploads, it all works, but my understanding is that it should work for me, as the admin, regardless.

    Here are the relevant log entries from a further test I just performed, using a different IP address than yesterday.

    01/Dec/15 06:46:37 #4282411 critical - x.x.x.x POST /wp-admin/async-upload.php - Blocked file upload attempt - [DSC_1029_test.jpg, 81,446 bytes] - jazznblues.com.au

    After changing the policies uploads setting …

    01/Dec/15 06:51:52 #3279543 upload - x.x.x.x POST /wp-admin/async-upload.php - Allowing file upload - [DSC_1029_test.jpg, 81,446 bytes] - jazznblues.com.au

    I have screen shots of the relevant screens if you need to see them.

    Plugin Author nintechnet

    (@nintechnet)

    When you uploaded those files, were you the superadmin or the admin?

    Thread Starter gstark

    (@gstark)

    As noted above, I am the only user, so I am both the superadmin and the admin

    Plugin Author nintechnet

    (@nintechnet)

    You can’t be both the superadmin and admin at the same time.

    Create a PHP file with the following code, upload it to your WP main folder. Then log in to the WP dashboard where you tried to upload a file and, from the same browser, go to http://yoursite/thisscript.php and paste here the script output:

    <?php
    if (! session_id() ) {
       session_start();
       echo 'Starting session.<br />';
    } else {
       echo 'Session was already started.<br />';
    }
    echo 'Checking "nfw_goodguy" session flag: ';
    if ( empty($_SESSION['nfw_goodguy'])) {
       echo ' ERROR: not found.';
    } else {
       echo ' OK, found it.';
    }
    ?>

    Thread Starter gstark

    (@gstark)

    Script output is

    Session was already started.
    Checking "nfw_goodguy" session flag: ERROR: not found.

    Thread Starter gstark

    (@gstark)

    For my main site, it shows me as superadmin, for the site in question – a sub-site – it says admin.

    But there is just the one user only – me – with just the one login id and password

    Plugin Author nintechnet

    (@nintechnet)

    There is a PHP session issue.
    I assume the problem may come from the fact that you only have that superadmin user, and not a superadmin for the main site + an admin user for each site in your network.
    I will make a test later today and will try to reproduce the issue.

    Thread Starter gstark

    (@gstark)

    Thank you. I look forward to your further results.

    Plugin Author nintechnet

    (@nintechnet)

    The problem is that your user name probably does not appear in the WordPress “Users” page of the site where you are logged in. When you log in to that site, you should receive a similar alert from NinjaFirewall:

    Someone just logged in to your WordPress admin console:

    -User : YOUR_USER_NAME (not in users list)

    The “not in users list” message indicates you aren’t in the users list of that site. Therefore, you aren’t whitelisted.

    You would need to go to the “Users” page and add yourself to that list, or to create a different admin account for that site.
    Otherwise, you will need to allow uploads. And also if you edit a post or need to do some admin tasks, you could be blocked by the firewall.
    This, of course, does not apply when you are logged in to the main site where you are correctly detected as the superadmin.

    Thread Starter gstark

    (@gstark)

    That doesn’t seem to be the case. When I look at the users page for the primary site, I see my name as a user, listed as superadmin.

    When I switch to the secondary site, I see my name on the users’ page, listed as a site admin.

    I receive no such warning about a user “not in users list”. I presume that such an event would be in the logs, but there’s no such entry either.

    Plugin Author nintechnet

    (@nintechnet)

    There is something wrong with your multisite setup but it will be hard to guess where the problem comes from.
    Can you try the following tests:
    Test #1:
    1. Log in to the main site, go to the firewall “Event Notifications” page and enable “Send me an alert whenever > Someone – user, admin, editor, etc – logs in”.
    2. Log out.
    3. Log in to the child site and check your mailbox. Did you receive the firewall login alert? If you did, is it written you are an admin or a user?

    Test #2:
    1. Log in to the child site.
    2. Create another admin user.
    3. Log out and then log in using that new admin name.
    4. Check if you are whitelisted, either by uploading a file or using the PHP test script mentioned in that discussion, and also check whether you received the email alert.

    Thread Starter gstark

    (@gstark)

    Test #1.
    Notifications were already set as described. Logged out. Logged in. No email received.

    Test #2
    Logged in to child site, created a new user as admin.
    Logged out.
    Logged in as new user; no email received.
    Unable to upload file; script response below.

    Session was already started.
    Checking "nfw_goodguy" session flag: ERROR: not found.

    Just logged back in to main site. Email received …

    Someone just logged in to your WordPress admin console:
    
    -User : gstark (administrator)
    -IP   : x.x.x.x
    -Date : December 1, 2015 @ 12:34:57 (UTC +1100)
    -Blog : https://multi.redbacksweb.com/
    
    NinjaFirewall (WP Edition) - https://ninjafirewall.com/
    Support forum: https://www.ads-software.com/support/plugin/ninjafirewall

    Both users now shown in users list.

    These are the two relevant lines from the log …

    01/Dec/15 23:29:26  #5624199  critical     -  x.x.x.x    POST /wp-admin/async-upload.php - Blocked file upload attempt - [DSC_0013_small.jpg, 98,762 bytes] - jazznblues.com.au
    01/Dec/15 23:34:57  #6234808  info         -  x.x.x.x    POST /wp-login.php - Logged in user - [gstark (administrator)] - multi.redbacksweb.com

    Thread Starter gstark

    (@gstark)

    Oh, if I allow uploads, what are the downsides of that setting?

    Am I still protected from other upload attempts from non-logged-in users?

    Plugin Author nintechnet

    (@nintechnet)

    If you allow uploads, it will apply to anyone. But as long as you don’t have a script allowing anyone to upload files, you will be fine.

  • The topic ‘Ninja Firewall blocking Admin user uploads’ is closed to new replies.
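
The firewall log entries quoted in this thread can be lined up mechanically. The following is an added example, not part of the thread and not NinjaFirewall code: it parses lines in the format shown above and lists blocked uploads on a site for which the log holds no login event from the same IP. The regular expression is inferred from the quoted lines, the function names are hypothetical, and the last sample line is constructed.

```python
import re
from datetime import datetime

# Field layout inferred from the log lines quoted in the thread (an assumption,
# not a documented NinjaFirewall format). \s+ tolerates the column padding.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2})\s+#(?P<id>\d+)\s+"
    r"(?P<level>\w+)\s+-\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)"
    r"\s+-\s+(?P<event>.+?)\s+-\s+\[(?P<detail>.*)\]\s+-\s+(?P<host>\S+)\s*$"
)

# First four lines are the entries quoted in the thread; the fifth is constructed.
SAMPLE_LOG = """\
01/Dec/15 06:46:37 #4282411 critical - x.x.x.x POST /wp-admin/async-upload.php - Blocked file upload attempt - [DSC_1029_test.jpg, 81,446 bytes] - jazznblues.com.au
01/Dec/15 06:51:52 #3279543 upload - x.x.x.x POST /wp-admin/async-upload.php - Allowing file upload - [DSC_1029_test.jpg, 81,446 bytes] - jazznblues.com.au
01/Dec/15 23:29:26  #5624199  critical     -  x.x.x.x    POST /wp-admin/async-upload.php - Blocked file upload attempt - [DSC_0013_small.jpg, 98,762 bytes] - jazznblues.com.au
01/Dec/15 23:34:57  #6234808  info         -  x.x.x.x    POST /wp-login.php - Logged in user - [gstark (administrator)] - multi.redbacksweb.com
02/Dec/15 01:10:00  #9000001  critical     -  203.0.113.9    POST /wp-admin/async-upload.php - Blocked file upload attempt - [constructed_example.zip, 1,024 bytes] - jazznblues.com.au
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%y %H:%M:%S")
    return rec

def blocked_uploads_without_login(log_text):
    """List blocked uploads whose site has no login event from the same IP."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    login_hosts = {}  # ip -> set of blog hosts where a login was logged
    for e in events:
        if e["event"] == "Logged in user":
            login_hosts.setdefault(e["ip"], set()).add(e["host"])
    findings = []
    for e in events:
        if e["event"] != "Blocked file upload attempt":
            continue
        seen = login_hosts.get(e["ip"], set())
        if e["host"] not in seen:
            findings.append({"id": e["id"], "when": e["ts"].isoformat(),
                             "host": e["host"], "file": e["detail"].split(",")[0],
                             "logins_from_ip_on": sorted(seen)})
    return findings

if __name__ == "__main__":
    for finding in blocked_uploads_without_login(SAMPLE_LOG):
        print(finding)
```

A finding whose `logins_from_ip_on` names a different blog, as with the two entries from the thread, is a prompt to check where the session was established; an empty list means the log shows no login from that address at all.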