Troubleshooting - Possible Security Attacks!
Mar 11, 2010 15:12 (9 likes)

In Dolphin 7, a new security feature was added called PHPIDS. This feature assists in blocking common attacks against your Dolphin website. Some of the attacks it blocks include (but are not limited to):

- finds html breaking injections including whitespace attacks
- finds attribute breaking injections including whitespace attacks
- finds malicious attribute injection attempts
- Detects obfuscated script tags and XML wrapped HTML
- Detects common comment types
- Detects comments to exploit firefox' faulty rendering and proprietary opera attacks
- Detects possibly malicious html elements including some attributes
- Detects classic SQL injection probings 2/2
- Detects basic XSS DoS attempts
- finds attribute breaking injections including obfuscated attributes

Unity members here started discovering that simple things we were doing as site admins, such as adding HTML code to an HTML block, were causing these emails to be sent and possibly blocking our access to the site. Given the many reports of this issue on the forums, below are the known ways to stop getting these Possible Security Attack! messages.

First Option:

Navigate to your Admin Panel > Settings > Advanced Settings > Other

There you will notice two available entries to edit:

1) Total security impact threshold to send report: (This is the impact level defined to trigger an email sent to you)

2) Total security impact threshold to send report and block aggressor: (This is the impact level defined to trigger an email AND block access to your website)

You can adjust these levels to ANY HIGHER value based upon the Total Impact: number you received in the email alert.

Example: If you receive a Possible Security Attack email with a Total Impact level of 25, you can RAISE the current level in "Total security impact threshold to send report:" to 26 in order to stop receiving emails for attacks with impact levels of 25 or below. The same rule applies to the 2nd impact level setting.

Second Option:

Navigate to your Admin Panel > Settings > Advanced Settings > Other

Replace the current impact level values with -1 (negative 1) for both of the following:

1) Total security impact threshold to send report: (This is the impact level defined to trigger an email sent to you)

2) Total security impact threshold to send report and block aggressor: (This is the impact level defined to trigger an email AND block access to your website)

Doing the Second Option will completely disable PHPIDS and you will no longer receive Possible Security Attack messages OR risk being blocked from your site. *** By disabling PHPIDS, you understand that your site could be at risk of an actual attack.

Hope this helps everyone understand better.

Chris

Zarcon - Unity Sherriff ---------- Breaking Unity Rules = Free Vacation
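A worked version of the threshold logic described in the post above, added here as an example; this is not Dolphin's or PHPIDS's own code. It parses alert e-mails laid out like the ones quoted later in this thread, applies the two thresholds, and counts which filter IDs and variable names keep recurring, which is where the false positives hide. Assumptions not stated on the page: a threshold fires when the total impact is greater than or equal to it, -1 switches that threshold off, and the two sample alerts are constructed (modelled on the thread's reports, not copied from them).

```python
import re
from collections import Counter

# Two constructed alert bodies (not real captures), modelled on the
# reports quoted in this thread: an HTML smiley in a profile field and
# an opaque session cookie.
SAMPLE_ALERTS = [
    """Total impact: 13
Affected tags: xss, csrf

Variable: REQUEST.DescriptionMe.0 | Value: <p>Hello <img title="Laughing" src="/img/smiley-laughing.gif" border="0" alt="Laughing" /></p>
Impact: 13 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: finds attribute breaking injections including obfuscated attributes | Tags: xss, csrf | ID: 68

REMOTE_ADDR: 192.0.2.10
SCRIPT_NAME: /modules/index.php
""",
    """Total impact: 5
Affected tags: xss, csrf

Variable: COOKIE.memberSession | Value: whnrb&Hqp3YzE=7=DeMCa23NtPX5ch3b
Impact: 5 | Tags: xss, csrf
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23

REMOTE_ADDR: 192.0.2.11
SCRIPT_NAME: /modules/index.php
""",
]

VAR_RE = re.compile(r"^Variable: (?P<name>\S+) \| Value: (?P<value>.*)$")
IMPACT_RE = re.compile(r"^Impact: (?P<impact>\d+) \| Tags: (?P<tags>.*)$")
DESC_RE = re.compile(r"^Description: (?P<desc>.*?) \| Tags: (?P<tags>.*?) \| ID: (?P<id>\d+)$")


def parse_alert(text):
    """Turn one alert body into {'total': int, 'variables': [...]}, where each
    variable carries its name, value, impact and the list of filter IDs it hit."""
    report = {"total": None, "variables": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Total impact:"):
            report["total"] = int(line.split(":", 1)[1])
        elif (m := VAR_RE.match(line)):
            current = {"name": m["name"], "value": m["value"], "impact": 0, "filters": []}
            report["variables"].append(current)
        elif current and (m := IMPACT_RE.match(line)):
            current["impact"] = int(m["impact"])
        elif current and (m := DESC_RE.match(line)):
            current["filters"].append(int(m["id"]))
    return report


def decide(total, report_threshold, block_threshold):
    """Dolphin's two settings, as described in the post above.
    Assumed semantics: a threshold fires when total >= threshold; -1 disables it."""
    if block_threshold != -1 and total >= block_threshold:
        return "report+block"
    if report_threshold != -1 and total >= report_threshold:
        return "report"
    return "ignore"


def triage(alerts, report_threshold, block_threshold):
    """Decide each alert and tally which filter IDs and variable names recur.
    A filter that hits the same harmless field in every alert is a tuning
    candidate; raising the threshold only hides it."""
    decisions, filter_hits, var_hits = [], Counter(), Counter()
    for text in alerts:
        rep = parse_alert(text)
        decisions.append(decide(rep["total"], report_threshold, block_threshold))
        for var in rep["variables"]:
            var_hits[var["name"]] += 1
            filter_hits.update(var["filters"])
    return decisions, filter_hits, var_hits


if __name__ == "__main__":
    decisions, filters, variables = triage(SAMPLE_ALERTS, report_threshold=5, block_threshold=25)
    print(decisions)               # ['report', 'report']
    print(filters.most_common())   # filter 23 hit both alerts
    print(variables.most_common())
```

Feed it the bodies of a day's worth of alerts and the two counters tell you whether you are looking at one noisy filter on one cookie (tune that) or at genuinely varied probes (keep the threshold).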
Mar 12, 2010 07:05 (0 likes)

That actually explained a lot more than I thought; we always look for the simplest solution without even understanding the results.

I had, like a lot of others, just set my settings at -1, but it seems that I should have set my settings a little higher maybe instead.

I'll play around with it. Thanks Zarcon for clearing that up a little! :)

Derrick

Back to pulling my hair out! (ouch, ouch,ouch)
Mar 26, 2010 04:51 (0 likes)

Could you tell me what the desired level is to allow posting YouTube videos in the Articles module? Intending it to be for administrators' use only.

Mar 31, 2010 06:23 (0 likes)

Thanks Zarcon... I was stuck and didn't know what to do... your advice helped.

Apr 08, 2010 01:25 (0 likes)

It sent me almost 2000 emails today, after I added the correct bug report address. hehe.

This page is where just about all of them happened:
SCRIPT_FILENAME: /var/www/sexdate.no/htdocs/flash/XML.php

And here is some example info:

Total impact: 18
Affected tags: xss, csrf, id, rfe

Variable: REQUEST.pA_c.p | Value: S7QysqoutjI0s1IqyChwTCmOT04EUtGGprFK1olQSSulMiXrTCszazA7FcQ2NDIzMTe3NDExtq7Fpt0EU7shinZTA2MzAxNDC+vaWgA=
Impact: 9 | Tags: xss, csrf, id, rfe
Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31

Had to increase the numbers earlier today, glad to find a post with more info.

Seems it did not like this user's info. Is it not just an encrypted user pass, or is there an actual script tag in there or something?

(perhaps randomly generated script tags :)

Moderators here get the security warning message often when saving profile text. (does it not like smileys or what :))

Maybe needs some exceptions and not just higher threshold.
mod_security solves this nicely also, so I might try to disable this built-in IDS if the emails continue.
(no problems in D7 so far, but lots of attempts on older bugs in D6. Searching the access logs for: txt? shows most of the RFI attempts)

Edit: Got a more precise one from when support approved profiles..

Variable: REQUEST.DescriptionMe.0 | Value: <p>Maybe there is a miss or a missus who would like to help me with my sinful dreams. <img title=\"Laughing\" src=\"http://sexdate.no/plugins/tiny_mce/plugins/emotions/img/smiley-laughing.gif\" border=\"0\" alt=\"Laughing\" /></p>
Impact: 13 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: finds attribute breaking injections including obfuscated attributes | Tags: xss, csrf | ID: 68


Seems to not like that Smiley-Laughing tag :)   (it also tripped on the encrypted password in the cookie, so this scored 44, just over my increased threshold; combining many trivial scores is not so good here, it seems)

--

Alright, thanks for pointing out this is called PHPIDS (php-ids.org).

The default config file is said to be config.ini.
Here is the path on dolphin7:
plugins/phpids/IDS/Config/Config.ini

and then regex filters,
plugins/phpids/IDS/default_filter.xml


Think I'll just decrease the impact of some of the regexes for now, like the one that caught smileys :)
It seems like a nice IDS script though :)
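As an added example (not PHPIDS or Dolphin code) of the tuning alternative just mentioned, lowering a filter's impact or excepting a field instead of raising the threshold: this scores a constructed request against a small filter file with the same element layout as default_filter.xml, then shows what an exception for COOKIE.memberSession and a lower impact for filter 23 do to the total. The two rules are constructed stand-ins, not the real PHPIDS regexes; the XML layout and the form of exception entries (matched here against the fully qualified variable name, so check the comments in your own Config.ini) are assumptions; the request values are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed filter file (not the real default_filter.xml): same element
# layout, two stand-in rules chosen to reproduce the thread's two false
# positives, an HTML smiley tag and an opaque cookie value.
FILTER_XML = r"""<filters>
  <filter>
    <id>1</id>
    <rule><![CDATA[<\w+[^>]*/?>]]></rule>
    <description>stand-in for filter 1: any HTML tag</description>
    <tags><tag>xss</tag><tag>csrf</tag></tags>
    <impact>4</impact>
  </filter>
  <filter>
    <id>23</id>
    <rule><![CDATA[[A-Za-z0-9+/=]{20,}]]></rule>
    <description>stand-in for filter 23: long opaque token</description>
    <tags><tag>xss</tag><tag>csrf</tag></tags>
    <impact>5</impact>
  </filter>
</filters>"""

# Constructed request, keyed the way PHPIDS names variables in its alerts.
SAMPLE_REQUEST = {
    "REQUEST.DescriptionMe.0": '<p>Hi <img src="smiley-laughing.gif" alt="Laughing" /></p>',
    "COOKIE.memberSession": "whnrb&Hqp3YzE=7=DeMCa23NtPX5ch3b",
}


def load_filters(xml_text):
    """Read each <filter> entry: id, compiled rule, description, impact."""
    root = ET.fromstring(xml_text)
    return [
        {
            "id": int(f.findtext("id")),
            "rule": re.compile(f.findtext("rule"), re.IGNORECASE),
            "description": f.findtext("description"),
            "impact": int(f.findtext("impact")),
        }
        for f in root.findall("filter")
    ]


def score(name, value, filters, exceptions=()):
    """Impact of one variable: the sum of every matching filter's impact.
    Excepted variables are skipped entirely (assumption: Config.ini's
    exceptions[] entries match the fully qualified variable name)."""
    if name in exceptions:
        return 0, []
    hits = [f for f in filters if f["rule"].search(value)]
    return sum(f["impact"] for f in hits), [f["id"] for f in hits]


def total_impact(request, filters, exceptions=()):
    """Request total as shown in 'Total impact:', plus the per-variable breakdown.
    Several harmless fields each scoring a little add up to one block."""
    total, detail = 0, {}
    for name, value in request.items():
        impact, ids = score(name, value, filters, exceptions)
        if impact:
            total += impact
            detail[name] = (impact, ids)
    return total, detail


def set_impact(xml_text, filter_id, new_impact):
    """Return a copy of the filter file with one filter's <impact> rewritten,
    i.e. the 'decrease the impact of some of the regexes' approach."""
    root = ET.fromstring(xml_text)
    for f in root.findall("filter"):
        if int(f.findtext("id")) == filter_id:
            f.find("impact").text = str(new_impact)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    filters = load_filters(FILTER_XML)
    print(total_impact(SAMPLE_REQUEST, filters))                                        # total 9 (4 + 5)
    print(total_impact(SAMPLE_REQUEST, filters, exceptions=("COOKIE.memberSession",)))  # total 4
    print(total_impact(SAMPLE_REQUEST, load_filters(set_impact(FILTER_XML, 23, 1))))     # total 5
```

The point of the three runs: the same request scores 9, 4 or 5 depending on whether you except the cookie, lower one filter, or do nothing, and none of those changes touches the threshold, so real probes that score high on other filters are still caught.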

Jun 07, 2010 00:21 (0 likes)

Thanks Zarcon

Post Reply - if you're going to help - No for - bla bla bla bla
Jun 27, 2010 12:40 (0 likes)

Perfect solution. Thanks so much :)

Jun 30, 2010 15:58 (0 likes)

Zarcon, how does this apply for 7.0.2?

Darkestar Holdings www.darkestar.com
Jun 30, 2010 16:04 (0 likes)

Zarcon, how does this apply for 7.0.2?

7.0.2 comes with PHPIDS disabled by default. The values are already set to -1, so it does not apply at all. You can see this in the Admin Panel > Settings > Advanced Settings > Security

Zarcon - Unity Sherriff ---------- Breaking Unity Rules = Free Vacation
Jun 30, 2010 16:05 (0 likes)

The same. But they should have been automatically disabled (set to -1) during the install of 7.0.2, where disabled is now the default.


Dolphin Mods - http://www.boonex.com/market/posts/deano92964
Jun 30, 2010 16:06 (0 likes)

Arg. Did not type fast enough. LOL.

Dolphin Mods - http://www.boonex.com/market/posts/deano92964
Jun 30, 2010 16:08 (0 likes)

Arg. Did not type fast enough. LOL.

Nah Nah Nah boo boo stick your face in doo doo.. lol

Zarcon - Unity Sherriff ---------- Breaking Unity Rules = Free Vacation
Aug 13, 2010 10:14 (0 likes)

Is that the same thing that cuts your code apart? Is it not possible to do what the admin wants at -1 -1 and then choose to return to the security settings later if you want?

Christopher Sampson http://www.getglobalexposure.com
Aug 13, 2010 10:31 (0 likes)

Is that the same thing that cuts your code apart? Is it not possible to do what the admin wants at -1 -1 and then choose to return to the security settings later if you want?

The code-cutting is done by HTMLPurifier, not PHPIDS.

Would you like to install the Be boot manager? Volunteer SuperModerator. I'm not tech support.
Apr 30, 2011 08:48 (0 likes)

And what is a good setting? I started at 5, increased to 25 for sending reports, and still get this with level 32 around every second:

Total impact: 32
Affected tags: xss, csrf, id, rfe, sqli, lfi

Variable: COOKIE._pk_ref_8_a443 | Value: [\"\",\"\",1304170626,\"http://www.gmxattachments.net/de/cgi/g.fcgi/mail/print/fullhtml?mid=babgebhh.1304102306.641.b500ahqysy.73&type=full\"]
Impact: 32 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects basic obfuscated JavaScript script injections | Tags: xss, csrf | ID: 24
Description: Detects common XSS concatenation patterns 1/2 | Tags: xss, csrf, id, rfe | ID: 30
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67
Centrifuge detection data  Threshold: ---  Ratio: ---  Converted: ((++::

REMOTE_ADDR: 77.190.77.72
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /var/www/vhosts/XXXX.com/httpdocs/modules/index.php
QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156&registered_chat_boxes=
REQUEST_URI: /modules/?r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156&registered_chat_boxes=
QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156&registered_chat_boxes=
SCRIPT_NAME: /modules/index.php
PHP_SELF: /modules/index.php


It looks like the Simple Messenger pulls some data, but I honestly can't decide what to set the level to :(

Apr 30, 2011 09:07 (0 likes)

A good setting is -1. That's negative 1 for both, which disables it.

Dolphin ships with it off now for the last couple of versions. It is broken. You should not have it enabled.

Dolphin Mods - http://www.boonex.com/market/posts/deano92964
Apr 30, 2011 10:27 (0 likes)

Now you have me confused: Zarcon recommends it, if I understand it correctly, and you say it doesn't work at all... so what???

Apr 30, 2011 10:52 (0 likes)

I did not say it does not work at all. I said it's broken. In this case I mean it's not accurate. Way too many false positives to make it useful.

That post is also a year old. Made before dolphin disabled it by default. Disabling it is now what most of us recommend.

Dolphin Mods - http://www.boonex.com/market/posts/deano92964
May 01, 2011 09:39 (0 likes)

Ok, now you got me again; indeed it's 2010 :D I just saw it on top of the forum and read March 11th... so it's old :)

I have it enabled now with a rating of 40 and it seems to work pretty well now; 37 was the last wrong negative impact, and I still get (blocked) attacks from several sites with 100% spam.

and it stopped my spam attacks, I have not one spam profile for two days now...

Jun 15, 2011 14:03 (0 likes)

I changed it once and turned it back to -1, but now it recognizes 0 or something like this; thus, the site isn't anything other than an anti-attack mechanism. I can't reach the admin panel. Where do I find the option in the database?

Oct 23, 2011 00:28 (0 likes)

So does that all mean it's nothing serious when getting notified like:

Total impact: 5
Affected tags: xss, csrf

Variable: COOKIE.memberSession | Value: whnrb&Hqp3YzE=7=DeMCa23NtPX5ch3b
Impact: 5 | Tags: xss, csrf
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23

REMOTE_ADDR: 71.228.251.50
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /xxxxx/xxxxxxx/public_html/modules/index.php
QUERY_STRING: r=photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
REQUEST_URI: /m/photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
QUERY_STRING: r=photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
SCRIPT_NAME: /modules/index.php
PHP_SELF: /modules/index.php

My settings in admin are -1.

Diddy is not greedy and has time. Dolphin is cool and its not just mine :-)