Since version 6.x-1.10 of Lightbox2, I get this impact 14 warning for every page request on Drupal 6 sites with Lightbox2 installed:
Location http://www.example.com/system/lightbox2/filter-xss
Referrer http://www.example.com/any_node

Message Total impact: 14
All tags: xss, csrf, id, rfe, lfi
Variable: q | Value: system/lightbox2/filter-xss
Impact: 7 | Tags: xss, csrf, id, rfe, lfi

* Rule: (?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection
Tags: xss, csrf, id, rfe, lfi

Variable: string | Value: 2004 Donderdag
Impact: 7 | Tags: xss, csrf, id, rfe, lfi

* Rule: (?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection
Tags: xss, csrf, id, rfe, lfi

From issue http://drupal.org/node/921684 I understand that "system/lightbox2/filter-xss" is not a regular address but an internal one ("url: Drupal.settings.basePath + 'system/lightbox2/filter-xss',").

How can I get rid of these warnings?

Thanks for your help.

Comments

promes:

Status: Active » Closed (cannot reproduce)

I think it is a problem in Lightbox2. I just installed the latest version of Lightbox2 of today and the problem seems to have disappeared.
Sorry to bother you.

promes:

Status: Closed (cannot reproduce) » Active

I hoped the problem was solved by the new Lightbox2 version. I also have it with PHPIDS 5.x-3.x-dev with the same PHPIDS library.

Can you give me a hint how to get rid of this message?

narongwit12:

I experience the same problem here even with 6.x-1.11.
Could anyone kindly provide a solution?

Best regards

R2-D8:

Same problem here.
My temporary solution:

I disabled the image page link:

  1. Go to /admin/settings/lightbox2
  2. Remove any content from the "Text for image page link:" input
  3. Save

Works for me; but a real solution is still needed!

morenstrat:

Seems like Lightbox2 sends a POST request in order to pass the image caption to the images. The caption is passed in a variable named 'string' and might contain HTML code. So, by adding 'string' (without the quotation marks) to the HTML fields in the PHPIDS settings, you should get rid of these warnings.

promes:

Thanks dunix@gmx.de.
I put "string" in the HTML fields and the impact still is 14.
When I put "string" both in the HTML fields and excluded fields it reduces the impact from 14 to 7. But still there is a warning on variable q.
When I put q also in the HTML fields I get a PHP error:
preg_replace() [function.preg-replace]: Compilation failed: support for \P, \p, and \X has not been compiled at offset 1 in /...../sites/all/libraries/phpids-0.6.5/lib/IDS/Monitor.php on line 460.

When I put both "string" and "q" in both fields I still have an impact 7 and the PHP error.
When I put both "string" in the HTML and the excluded fields and "q" only in excluded fields, I don't get an error anymore.

But I hesitate to put "q" in excluded fields. I think it will stop PHPIDS altogether. Is this correct, Gos77?
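As an added illustration (not code from this thread, from Lightbox2 or from the Drupal PHPIDS module), the same two settings expressed directly against the PHPIDS 0.6 library, which the module wraps: the request is a constructed one shaped like the Lightbox2 caption POST described above (q = the Drupal path, string = the caption), and the example assumes that the module's "HTML fields" list maps to the General/html config list (values cleaned with HTMLPurifier before the rules run) and its "excluded fields" list to General/exceptions (variables skipped entirely). The library path and the run_ids helper are assumptions made for the example.

```php
<?php
// Added example, not part of the thread. Runs PHPIDS 0.6.x directly on a
// request shaped like the Lightbox2 caption POST, to show what the two module
// settings do at the library level.
// Assumptions: the library lives in sites/all/libraries/phpids-0.6.5 (the path
// in the PHP error above), and the module's "HTML fields" / "excluded fields"
// correspond to the General/html and General/exceptions lists in Config.ini.
set_include_path(get_include_path() . PATH_SEPARATOR
    . 'sites/all/libraries/phpids-0.6.5/lib');
require_once 'IDS/Init.php';

// Constructed request: q carries the Drupal path, string carries the caption.
$request = array(
    'REQUEST' => array('q' => 'system/lightbox2/filter-xss',
                       'string' => '2004 Donderdag'),
    'GET'     => array('q' => 'system/lightbox2/filter-xss'),
    'POST'    => array('string' => '2004 Donderdag'),
    'COOKIE'  => array(),
);

// Hypothetical helper: run the monitor with the given html/exception lists.
function run_ids(array $request, array $html, array $exceptions)
{
    $base = 'sites/all/libraries/phpids-0.6.5/lib/IDS/';
    $init = IDS_Init::init($base . 'Config/Config.ini');
    $init->config['General']['base_path']     = $base;
    $init->config['General']['use_base_path'] = true;
    $init->config['Caching']['caching']       = 'none';
    // "HTML fields": these variables are purified as HTML before matching.
    $init->config['General']['html'] = $html;
    // "excluded fields": these variables are not inspected at all.
    $init->config['General']['exceptions'] = $exceptions;
    $ids = new IDS_Monitor($request, $init);
    return $ids->run();
}

// 1. Module defaults: both q and string are inspected.
$result = run_ids($request, array(), array());
printf("defaults: impact %d\n", $result->getImpact());

// 2. string as an HTML field: the caption is purified, q is still inspected.
$result = run_ids($request, array('string'), array());
printf("html=string: impact %d\n", $result->getImpact());

// 3. q excluded as well: no events on q at all, including for a hostile path.
$hostile = $request;
$hostile['REQUEST']['q'] = $hostile['GET']['q'] = '<script>alert(1)</script>';
$result = run_ids($hostile, array('string'), array('q'));
printf("html=string, exceptions=q, hostile q: impact %d\n",
    $result->getImpact());
```

On the reporter's setup the first run is what the report at the top of the thread shows (impact 7 on q plus impact 7 on string). The exceptions list only skips the named keys, so excluding q does not switch PHPIDS off; other GET, POST and COOKIE variables are still scanned. It does mean that anything smuggled into the Drupal path itself (the third run) is never seen, which is the trade-off to weigh before taking that route rather than fixing the false positive on Lightbox2's side.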

patrickd:

Version: 6.x-1.11 » 7.x-2.x-dev
Status: Active » Postponed

Thanks, we'll have a look at this issue when 7.x-2.x is ready.