PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 10, 2007 01:25PM

Hi!

After months of stuffing our leisure with coding, discussing, testing, some imagery crafting and coordinating we are proud to announce the first official release of the PHPIDS - a project born in the holy halls of sla.ckers.org.

You might know what it's all about when you followed this thread:

http://sla.ckers.org/forum/read.php?12,8085

If not - here's the short version: The PHPIDS is an additional webapp security layer for any PHP application. Easy to install, maintain and based on a heavily tested filter set. Its purpose is the recognition of XSS, SQLI, RFE, LFI and directory traversal attacks.

We built up a website including forum, TRAC, demo, docs etc. - maybe you'd like to make a visit ;)

http://php-ids.org
http://demo.php-ids.org (ye olde smoketest)
http://forum.php-ids.org
https://trac.php-ids.org (some warnings will pop up...)

Also I'd like to announce the .NETIDS - a subproject created by Martin which uses the same filter rules.

http://code.google.com/p/dotnetids/

Special thanks for helping go to those guys:

http://php-ids.org/contact#credits (hope I didn't forget anyone)

Feedback is appreciated as always!

Greetings,
.mario & christ1an



Edited 1 time(s). Last edit at 06/10/2007 01:33PM by .mario.

Re: PHPIDS 0.2 released!
Posted by: christ1an
Date: June 10, 2007 01:40PM

(Perhaps this should be moved to the News forum)

Regards,
- http://christ1an.blogspot.com

_______________________
[http://php-ids.org] Web Application Security 2.0

Re: PHPIDS 0.2 released!
Date: June 10, 2007 02:46PM

Were false positives worked out after doing a live test? I read something about testing it on a site which gets 30,000 views (correct me if I recall wrong), wondering what issues arose and if they were serious enough to fix and if not what were they.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 10, 2007 03:18PM

Jep - most of them are worked out and the ones that still occur can be handled via a sensitive raise of the impact threshold. But if you find some don't hesitate to post them ;)

Re: PHPIDS 0.2 released!
Posted by: id
Date: June 10, 2007 09:24PM

Great to see, Col John "Hannibal" Smith would be proud.

-id

Re: PHPIDS 0.2 released!
Posted by: thrill
Date: June 11, 2007 01:51PM

did someone kill the site?

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: PHPIDS 0.2 released!
Posted by: Henaro
Date: June 11, 2007 01:52PM

I'm interested in this. But it seems your WordPress is screwy. :-(

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 11, 2007 04:01PM

Yes - and I hate it.

We're probably facing total db data loss - 24 hrs after the release. Great.

But shit happens and we're tearing this thing up again. I'll drop a note when we're back on!

Sorry and thx for the patience,
.mario

Re: PHPIDS 0.2 released!
Date: June 11, 2007 04:24PM

Are the regexes ready to be optimized so the package works faster? Or will you guys be waiting on doing that for the time being until the project becomes more mature? Just wondering since I checked the regexes out and saw many can be heavily optimized to match faster.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 11, 2007 04:52PM

Hi CrYpTiC_MauleR,

Yep - meanwhile we'd really wish to have someone on board who has more experience in regex than us. The regexes work fine but they really aren't the fastest. So - any input is welcome!

Greetings,
.mario

Re: PHPIDS 0.2 released!
Date: June 11, 2007 05:21PM

http://phpids.heideri.ch/?test=;http://www.example.com/example.php
Says it's a comment attack. Should be RFI or a redirection attempt. Pretty tricky to allow it since URLs are what make up a lot of content =o|

http://phpids.heideri.ch/?test=;phpinfo();
Should it not detect that?

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 12, 2007 01:39AM

Hi!

Thx - but this test is using pretty old rules. I will let you guys know when everything is back online again...

Greetings,
.mario

Re: PHPIDS 0.2 released!
Date: June 13, 2007 06:31AM

//aaa
detected as common comment type

//.aaa //=aaa
not detected

/home/users/joe not detected

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 13, 2007 07:47AM

http://demo.php-ids.org/?test=//.aaa%20//+aaa
http://demo.php-ids.org/?test=/home/joe

Thanks! Fixed in the smoketest and SVN - will find its way into the 0.3 release

Re: PHPIDS 0.2 released!
Date: June 13, 2007 12:42PM

// <--spaces
gets through.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 13, 2007 12:51PM

Ehh what do you mean CrYpTiC_MauleR ?

Re: PHPIDS 0.2 released!
Date: June 13, 2007 12:53PM

Well if you put a comment
// but with 1 or more spaces after it, IDS will not detect it.

"// " is still a valid comment.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 13, 2007 12:57PM

Yeah but really... this could be in postdata as normal behaviour. Isn't this a little overdue? Maybe in combination with quotes it could be a threat, but I cannot see its danger so far.

Re: PHPIDS 0.2 released!
Date: June 13, 2007 01:00PM

I suppose it can be detected when impact threshold is set to maximum but yeah many false positives otherwise.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 13, 2007 01:03PM

I understand that there are plenty of vectors around, and it also raises my faith in whitelisting some more. Like catching anything that isn't [a-z]|[0-9]. I worked a couple of times with it and it works pretty well. It also meant that every special char is detected. It is a tough thing.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 13, 2007 01:55PM

I agree with Ronald - it's not really possible to inject something destructive with that vector. But I think I will expand the rule or create a new rule. It's a nice impact-raiser. I guess it will be included in 0.3

Thx!
.mario
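
The impact-threshold idea discussed in the posts above, as an added example that is not PHPIDS code: every matching rule adds its impact, and a request is flagged only when the sum reaches the threshold, so a lone `// ` raises the score without triggering by itself. The rule patterns, impact values, threshold and sample requests are constructed for illustration.

```php
<?php
// Added example, not PHPIDS code: rules, impact values and threshold are constructed.
const RULES = [
    // "//" at the start or after whitespace; the "//" inside "http://" is not matched
    ['id' => 'comment',  'impact' => 2, 're' => '~(?:^|\s)//~'],
    // a quote directly followed by a statement terminator, ")" or "--"
    ['id' => 'quote',    'impact' => 3, 're' => '~["\']\s*(?:;|\)|--)~'],
    // phpinfo() call after the PHP open tag or after ";"
    ['id' => 'php_call', 'impact' => 5, 're' => '~(?:<\?php\s+|;\s*)phpinfo\s*\(~i'],
];

// Sum the impact of every rule that matches one parameter value.
function score(string $value): array {
    $impact = 0;
    $hits = [];
    foreach (RULES as $rule) {
        if (preg_match($rule['re'], $value) === 1) {
            $impact += $rule['impact'];
            $hits[] = $rule['id'];
        }
    }
    return [$impact, $hits];
}

// Flag the request only when the summed impact reaches the threshold.
function inspect(array $params, int $threshold): array {
    $total = 0;
    $matched = [];
    foreach ($params as $value) {
        [$impact, $hits] = score((string) $value);
        $total += $impact;
        $matched = array_merge($matched, $hits);
    }
    return ['impact' => $total, 'flagged' => $total >= $threshold, 'rules' => $matched];
}

// Constructed sample requests, inspected with a threshold of 5
$samples = [
    ['test' => ';http://www.example.com/example.php'],
    ['test' => 'see // spaces after the slashes'],
    ['test' => '"; // comment after a closed quote'],
    ['test' => ';phpinfo();'],
];
foreach ($samples as $params) {
    $r = inspect($params, 5);
    printf("%-38s impact=%d flagged=%s [%s]\n", $params['test'], $r['impact'],
        $r['flagged'] ? 'yes' : 'no', implode(',', $r['rules']));
}
```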

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 13, 2007 02:27PM

btw - I modified the filter rule to detect not only <?php phpinfo() but also ;phpinfo()

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: June 24, 2007 09:45AM

Hi!

Release 0.2.3 is close - guess we'll upload the files around Wednesday...

http://php-ids.org/2007/06/24/phpids-023-is-close/

Greetings,
.mario

Re: PHPIDS 0.2 released!
Posted by: krazl
Date: August 21, 2007 09:13PM

buffer overflow?

asdfasdf million times show nothing..

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: August 22, 2007 08:34AM

The discussed that issue some time ago and concluded that other layers have to deal with BO, DOS and other issues which may compromise the application's availability.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: August 22, 2007 08:51AM

Yes indeed, it's the programmer's responsibility to check the data size a PHP structure is getting. It's one of the most forgotten issues, almost no one truncates data before sending it through htmlspecialchars() while we know it is prone to buffer overflows.

I think we could size down the full query string, alerting only on insanely long data sets. But this is tricky because it also enables an attacker to spam one with false positives and bury a real attack.

Food for thought.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: August 22, 2007 09:09AM

Quote

we could size down the full query string

As you mention later - extremely dangerous. Imagine truncations after 5000 chars and with character 5001 an attack begins.

But - this kind of security magic has to be chanted by the server admins via apache conf or php.ini (max_post_length etc.) and not by the developers.

Re: PHPIDS 0.2 released!
Posted by: Anonymous User
Date: August 22, 2007 12:10PM

Well, it depends

It's not passing a function unsanitized, so it doesn't matter. In SQL server this is a different thing since the server itself is the culprit. It's okay to truncate but before you sanitize/escape it.
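
The truncation pitfall from the last posts, as an added example that is not PHPIDS code: a check that inspects only the first 5000 characters accepts a value whose flagged content starts at character 5001 while the application still receives the whole value. The two alternatives shown either refuse oversize input or truncate first and hand the same truncated string to both the check and the application. `MAX_LEN`, `looksSuspicious()`, the three check functions and the sample input are constructed for illustration.

```php
<?php
// Added example, not PHPIDS code. MAX_LEN, the pattern and the input are constructed.
const MAX_LEN = 5000;

// Stand-in for a real filter set: flags the opening of a script tag.
function looksSuspicious(string $s): bool {
    return preg_match('~<\s*script\b~i', $s) === 1;
}

// Flawed: inspects a truncated copy, but the caller keeps using the full value.
function checkTruncatedCopy(string $value): array {
    $ok = !looksSuspicious(substr($value, 0, MAX_LEN));
    return ['accepted' => $ok, 'value' => $value];
}

// Option A: refuse oversize input instead of inspecting only part of it.
function checkRejectOversize(string $value): array {
    if (strlen($value) > MAX_LEN) {
        return ['accepted' => false, 'value' => null];
    }
    return ['accepted' => !looksSuspicious($value), 'value' => $value];
}

// Option B: truncate first, then inspect and pass on the same truncated string.
function checkTruncateFirst(string $value): array {
    $value = substr($value, 0, MAX_LEN);
    return ['accepted' => !looksSuspicious($value), 'value' => $value];
}

// Constructed input: 5000 filler characters, flagged content from character 5001 on.
$input = str_repeat('a', MAX_LEN) . '<script>alert(1)</script>';
foreach (['checkTruncatedCopy', 'checkRejectOversize', 'checkTruncateFirst'] as $fn) {
    $r = $fn($input);
    printf("%-20s accepted=%s suspicious_value_passed_on=%s\n", $fn,
        $r['accepted'] ? 'yes' : 'no',
        ($r['accepted'] && looksSuspicious((string) $r['value'])) ? 'yes' : 'no');
}
```

Only `checkTruncatedCopy` both accepts the input and passes the flagged content on to the application.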


