Yesterday and today I had a couple of messages looking like this:

There was an attempt to upload a PHP malware script.
Debug information:
20080621202531.jpg

When I click on the blue info button it doesn't take me to a page with additional information as described on this page.

Before I am going to disable the users account and block his IP I want to make sure that the user knows that he is trying on purpose to upload malware script through uploading images. Maybe he doesn't know that his images contain a malware script?

I'm getting the same warnings quite often when a user (or even myself) uploads an image. With my own images I know for certain that they don't contain php-code. So it seems RSFirwall seems to detect more than just php in an image, and incorrectly marks it as malware. (Possibly exif data?) This is quite frustrating for the user of my site, since they get just an error they don't understand.

I've turned off the detection of php (bad idea, I know) and excluded JCE editor and EventList for scanning (bad idea too). Still I get incorrect allerts. Is there a flaw in RS Firewall?

I have just had to clean a site that was sending tens of thousands of spam messages per day from one account. I found a similar message in the RSFirewall log that there was an attempt to upload PHP malware using JCE. There are no users on the site other than myself & I hadn't logged on for weeks so I know that it wasn't me using JCE. I am assuming that this is a known vulnerability with older versions of JCE because once I upgraded to the latest 2.3.1 version the spam stopped.