CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: Activity processor fails on Registration Confirmation emails (potential attack)  (Read 4018 times)

lsmithgo

  • I post occasionally
  • **
  • Posts: 82
  • Karma: 2
    • Soirees at Breinton
  • CiviCRM version: 4.5 beta 7
  • CMS version: Joomla 3.3.3
  • MySQL version: MySQLi 5.5.37-percona-sure1-log
  • PHP version: PHP 5.3.28
Activity processor fails on Registration Confirmation emails (potential attack)
August 05, 2013, 08:45:09 am
I have slightly modified the Registration Confirmation (online) mail template to include a small HTML <table> and a <img> tag pointing at a graphic on my webserver.

The Registration Confirmation emails are also configured to bcc to an email address which is then picked for inbound email processing and loaded into CiviCRM as Activities by the Activity Processor scheduled job.

All been fine for a few years until I upgraded from 4.1 to 4.3.5 this weekend...

Now the Registration Confirmation emails do not get imported when the cron job runs with this message:

Failed Processing: Registration Confirmation - <Event name snipped>
Reason: Illegal characters in input (potential scripting attack)


Any advice on how to avoid this?

Dave Greenberg

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 5760
  • Karma: 226
    • My CiviCRM Blog
Re: Activity processor fails on Registration Confirmation emails (potential attack)
August 05, 2013, 11:26:32 am
This message comes from the IDS library (Intrusion Detection). If you haven't already done this, the first thing I'd try is to delete the cached version of the settings file for IDS: <drupal-root>/sites/default/files/civicrm/ConfigAndLog/Config.IDS.ini (it will get rebuilt). If that's not working then you can either:

*  disable IDS by uncommenting or adding this line to your civicrm.settings.php file: define( 'CIVICRM_IDS_ENABLE', 1);
(NOTE that this may open your site to scripting attacks)

* add the field that's kicking the warning to the exceptions array in CRM/Core/IDS.php createConfigFile()
Protect your investment in CiviCRM by  becoming a Member!

lsmithgo

Re: Activity processor fails on Registration Confirmation emails (potential attack)
August 06, 2013, 02:33:52 pm
Thanks. I'm using Joomla so the .ini file was here:
<root>/media/civicrm/ConfigAndLog

Deleting that didn't cure the problem.

What can be added as a "field" in the exceptions array?  How can I find out what is causing the exception?

Dave Greenberg

Re: Activity processor fails on Registration Confirmation emails (potential attack)
August 06, 2013, 05:57:23 pm
Try doing a view source on 'edit message template', and check the name / id of the form field that you've put the table in.

lsmithgo

Re: Activity processor fails on Registration Confirmation emails (potential attack)
August 08, 2013, 01:22:25 am
Thanks. I'm struggling with what you mean by "name / id of the form field".

I put an additional <TABLE> with style and an <img> reference after this:

<!-- BEGIN HEADER -->
  <!-- You can add table row(s) here with logo or other header elements -->
 <table width="500" border="0" cellpadding="0" cellspacing="0" id="crm-event_receipt" style="font-family: Arial, Verdana, sans-serif; text-align: left;">

Dave Greenberg

Re: Activity processor fails on Registration Confirmation emails (potential attack)
August 08, 2013, 02:15:26 pm
Ditch that, the field which contains the HTML for a message template is 'msg_html' and it's already in the exceptions list. Maybe back up a bit and explain the process that's generating the error. Registration confirmations are generally sent when a user registers or is registered. But you referenced a cron job. What cron job are you running?

Beyond that I would confirm that things run ok w/o the added HTML snippet and then start adding stuff back in, and check that the HTML is properly formed (i.e. no extra quotes, end tags where they should be etc.).


Also try disabling IDS checking temporarily to confirm that as a workaround and confirm what's happening. AND you can try increasing the warn and kick levels (near top of IDS.php file). This isn't a great permanent solution because I'm not sure you can have a custom copy of this php file - and if not you'd have to change it again for each upgrade.

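As an added illustration (not CiviCRM's CRM/Core/IDS.php or the PHPIDS library itself), a small Python model of the mechanism described in the reply above: each field's value is scored against a rule set, a field named in the exceptions list is never scanned, and the total impact is compared against warn and kick thresholds. The rules, scores, field names and sample HTML are constructed, and the run shows why a benign receipt table with a style attribute and an img tag can cross the warn level while a raised warn level still leaves an inline-script sample at kick.

```python
"""Model of an IDS-style field check with an exceptions list and warn/kick
thresholds. Added illustration only; rules and scores are constructed and
far simpler than PHPIDS's real filter set."""
import re

# Constructed rules: (pattern, impact added when the pattern matches).
RULES = [
    (re.compile(r"<\s*script", re.I), 5),
    (re.compile(r"javascript\s*:", re.I), 4),
    (re.compile(r"\bon\w+\s*=", re.I), 4),   # inline event handler attribute
    (re.compile(r"<\s*img\b", re.I), 2),     # img tags are scored, even benign ones
    (re.compile(r"\bstyle\s*=", re.I), 2),   # style attributes likewise
    (re.compile(r"<\s*table\b", re.I), 1),
]

def impact(value: str) -> int:
    """Sum the impact of every rule that matches the value."""
    return sum(score for pattern, score in RULES if pattern.search(value))

def check_fields(fields: dict, exceptions: set, warn: int = 5, kick: int = 10) -> dict:
    """Return {field: verdict}; verdict is 'skipped', 'ok', 'warn' or 'kick'."""
    verdicts = {}
    for name, value in fields.items():
        if name in exceptions:
            verdicts[name] = "skipped"   # exempt fields bypass the rules entirely
            continue
        score = impact(value)
        verdicts[name] = "kick" if score >= kick else "warn" if score >= warn else "ok"
    return verdicts

# Constructed inbound-email body resembling the receipt snippet in the thread.
RECEIPT_HTML = (
    '<table width="500" border="0" id="crm-event_receipt" '
    'style="font-family: Arial, Verdana, sans-serif;"><tr><td>'
    '<img src="https://example.invalid/logo.png"></td></tr></table>'
)
# Constructed sample of what the check is meant to stop.
SCRIPT_HTML = '<img src="x" onerror="alert(1)"><script>alert(1)</script>'

if __name__ == "__main__":
    fields = {"body_html": RECEIPT_HTML, "subject": "Registration Confirmation"}
    print(check_fields(fields, exceptions=set()))            # body_html: warn
    print(check_fields(fields, exceptions={"body_html"}))    # body_html: skipped
    print(check_fields(fields, exceptions=set(), warn=6))    # body_html: ok
    print(check_fields({"body_html": SCRIPT_HTML}, set(), warn=6))  # still kick
```

Raising only the warn level lets the benign receipt through while the script sample is still kicked; exempting the whole field skips scanning of everything it carries, which is the trade-off behind the "may open your site" note above.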

lsmithgo

Re: Activity processor fails on Registration Confirmation emails (potential attack)
August 09, 2013, 04:11:57 am
Yes, the registration confirmations are generated when a user registers. They are also bcc'd to an email address which is picked up by the Activity Processor (running as a scheduled job by cron) which loads the emails back into CiviCRM.

Now you could argue that this is unnecessary... but there's something in the HTML I've added which is causing IDS to barf.

I will try the steps below and revert.

This forum was archived on 2017-11-26.