P.A must be solved!

This possible attack is preventing me from adding a Facebook widget to my site. It also locks me out of my site, and it affects the username and password, as I can't log in. The only way I can access my site is by replacing BXDOLEMAILTEMPLATES.php in INI----> Classes with a new one. This possible attack has nothing to do with Firefox or Internet Explorer, as it shows up in both of them:


Step by step:

1- Went to Language, created _Facebook Fan, and put the language string for it as Facebook Fan.

2- Back in Page Builder, chose HOMEPAGE ----> Html Block -----> changed it to _Facebook Fan, and I had Facebook Fan.

3- I put this script (Facebook Fan widget script) in the blank area of the html block:

<script type="text/javascript" src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_GB"></script><script type="text/javascript">FB.init("a707eb03c91f5dcaf6771d351177b05a");</script><fb:fan profile_id="191603651353" stream="" connections="10" width="300"></fb:fan><div style="font-size:8px; padding-left:10px"><a href="http://www.facebook.com/apps/application.php?id=191603651353">The Moroccan Community Project on Facebook</a> </div>

When I went back to the main home page to check it:

I found a huge ----> Possible attack!!! All data has been collected and sent to the site owner for analysis.

Please, I don't need any more help about this possible attack; what I need is just a clear statement from a Boonex developer to clarify why they didn't take my forum post about this subject seriously...

You guys try it!

Eli

This is the result:

Total impact: 12
Affected tags: sqli, id, lfi

Variable: REQUEST.fbsetting_a707eb03c91f5dcaf6771d351177b05a | Value: {\&quot;connectState\&quot;:1,\&quot;oneLineStorySetting\&quot;:1,\&quot;shortStorySetting\&quot;:1,\&quot;inFacebook\&quot;:false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: COOKIE.fbsetting_a707eb03c91f5dcaf6771d351177b05a | Value: {\&quot;connectState\&quot;:1,\&quot;oneLineStorySetting\&quot;:1,\&quot;shortStorySetting\&quot;:1,\&quot;inFacebook\&quot;:false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Centrifuge detection data  Threshold: 3.49  Ratio: 2.5

REMOTE_ADDR: xxxxxxxxxxx
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

Proud Hosted by Zarconia.net
Quote · 14 Nov 2009
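As an added example (not code from this thread, from Boonex, or from PHPIDS), the Python script below parses the PHPIDS report format quoted in the post above and marks a finding as an exception candidate only when the flagged value decodes to a plain JSON object of numbers, booleans or null, which is exactly the shape of the fbsetting cookie the Facebook widget sets; anything with free text stays "review". The sample report is constructed from the post, and all function and field names are my own.

```python
import html
import json
import re

# Constructed sample input: the PHPIDS report quoted in the post above (REMOTE_ADDR lines omitted).
SAMPLE_REPORT = r"""Total impact: 12
Affected tags: sqli, id, lfi
Variable: REQUEST.fbsetting_a707eb03c91f5dcaf6771d351177b05a | Value: {\&quot;connectState\&quot;:1,\&quot;oneLineStorySetting\&quot;:1,\&quot;shortStorySetting\&quot;:1,\&quot;inFacebook\&quot;:false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Variable: COOKIE.fbsetting_a707eb03c91f5dcaf6771d351177b05a | Value: {\&quot;connectState\&quot;:1,\&quot;oneLineStorySetting\&quot;:1,\&quot;shortStorySetting\&quot;:1,\&quot;inFacebook\&quot;:false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Centrifuge detection data  Threshold: 3.49  Ratio: 2.5
"""

VAR_RE = re.compile(r"^Variable: (\S+) \| Value: (.*)$")
IMPACT_RE = re.compile(r"^Impact: (\d+) \| Tags: (.*)$")
DESC_RE = re.compile(r"^Description: (.*?) \| Tags: .* \| ID: (\d+)$")


def parse_phpids_report(text):
    """Parse the PHPIDS report format into {'total_impact': int, 'findings': [dict, ...]}."""
    report, cur = {"total_impact": 0, "findings": []}, None
    for line in text.splitlines():
        if line.startswith("Total impact:"):
            report["total_impact"] = int(line.split(":", 1)[1])
        elif m := VAR_RE.match(line):           # a new finding starts with its Variable line
            cur = {"variable": m.group(1), "value": m.group(2)}
            report["findings"].append(cur)
        elif cur and (m := IMPACT_RE.match(line)):
            cur["impact"], cur["tags"] = int(m.group(1)), [t.strip() for t in m.group(2).split(",")]
        elif cur and (m := DESC_RE.match(line)):
            cur["rule"], cur["rule_id"] = m.group(1), int(m.group(2))
    return report


def is_scalar_json_object(raw):
    """True if the reported value is a JSON object holding only numbers, booleans or null."""
    # PHPIDS reports values HTML-escaped with quotes backslashed; undo both before parsing.
    try:
        data = json.loads(html.unescape(raw).replace('\\"', '"'))
    except ValueError:
        return False
    return isinstance(data, dict) and all(
        v is None or isinstance(v, (bool, int, float)) for v in data.values())


def triage(text):
    """Return (variable, rule_id, verdict) per finding; 'exception-candidate' = likely false positive."""
    return [(f["variable"], f["rule_id"],
             "exception-candidate" if is_scalar_json_object(f["value"]) else "review")
            for f in parse_phpids_report(text)["findings"]]
```

A variable marked exception-candidate is one to consider excluding from PHPIDS scanning for that field only; values containing strings still need a human look.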

I have just tried and it works fine.

Rules → http://www.boonex.com/terms
Quote · 17 Nov 2009

I have also just tried this, step-by-step.

I can confirm that it works just fine.  This is with RC1 and NO change sets applied.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 17 Nov 2009

I have also just tried this, step-by-step.

I can confirm that it works just fine.  This is with RC1 and NO change sets applied.

If it does work fine for you guys, then it doesn't for me, and the same for Chris, so we are 2=2 lol.

You see, it does work fine on the front page, right! But if you want to move to the forum or any section, say Video for example, that's where the possible attack shows up!

Eli

Proud Hosted by Zarconia.net
Quote · 17 Nov 2009

I don't see why admin pages are even subjected to the scrutiny of PHPIDS.  What's the point?  Admins should be able to post whatever they please.  If someone gains access to your admin pages, there are bigger problems to worry about than the posting of malicious code.

Can you guys at Boonex turn off PHPIDS for all admin pages?

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 17 Nov 2009

Because of the fixes, now my Google map doesn't show properly, honestly! The RSS is loading and loading and no Google map showing! Got to sort it out! lol

Proud Hosted by Zarconia.net
Quote · 17 Nov 2009