    • CommentAuthorayok
    • CommentTimeJun 27th 2010
     
    Hi,
    I used PHPIDS for my form with textarea where people can send messages. However, I can't post some characters like comma (,) or colon (:). How can I escape this? This is the error report:

    affected parameters: REQUEST.letter=etatec%2C%0D%0A%0D%0Atets%0D%0A%0D%0Atest, POST.letter=etatec%2C%0D%0A%0D%0Atets%0D%0A%0D%0Atest,
    request URI: %2F8_2_vacatures_.htm
    origin: 83.96.154.21

    Please help. Thank you.
    •  
      CommentAuthor.mario
    • CommentTimeJun 28th 2010
     
    Hi Ayok,

    hm - it doesn't report anything for me:
    http://demo.php-ids.org/?test=etatec%2C%0D%0A%0D%0Atets%0D%0A%0D%0Atest

    What's the impact - which rule is causing the problem?

    .mario
    • CommentAuthorayok
    • CommentTimeJun 28th 2010
     
    Hi Mario,

    Yes, I've also tested there. I have no idea what's wrong.

    effect: 14
    Affected tags: xss csrf id rfe lfi

    Thanks,
    ayok
    •  
      CommentAuthor.mario
    • CommentTimeJun 29th 2010
     
    What does the string look like exactly before it hits the converter/rules?
    • CommentAuthorayok
    • CommentTimeJun 29th 2010 edited
     
    This is another example:
    Affected parameters: REQUEST.subject=No diploma, but looking for a university job? Traineeship Jr Payroll Consultant: Work and learn!, POST.subject=No diploma, but looking for a university job? Traineeship Jr Payroll Consultant: Work and learn!,

    It doesn't escape comma and colon. :(
    • CommentAuthorayok
    • CommentTimeJun 30th 2010 edited
     
    In the config.ini I have changed these settings.

    html[] = POST.theBody
    html[] = REQUEST.theBody

    theBody is not the text field that gives the error.

    And then I create a phpids.php like this:

    // Excerpt: $init and $result are used here but set up earlier in phpids.php,
    // inside the try { block that the catch at the bottom closes.
        if (!$result->isEmpty()) {
            /*
             * The following steps are optional to log the results
             */
            require_once 'IDS/Log/File.php';
            require_once 'IDS/Log/Composite.php';
            require_once 'IDS/Log/Email.php';

            // Send every detection to both the e-mail and the file logger
            $compositeLog = new IDS_Log_Composite();
            $compositeLog->addLogger(
                IDS_Log_Email::getInstance($init),
                IDS_Log_File::getInstance($init)
            );

            /*
             * Note that you might also use different logging facilities
             * such as IDS_Log_Email or IDS_Log_Database
             *
             * Just uncomment the following lines to test the wrappers
             */
            /*
             *
            require_once 'IDS/Log/Database.php';

            $compositeLog->addLogger(
                IDS_Log_Database::getInstance($init)
            );
            */
            //echo $result;
            // Any non-empty result, whatever its impact, blocks the request here
            echo "<p>Hacked attempt</p>";
            $compositeLog->execute($result);
            exit;
        }
    } catch (Exception $e) {
        /*
         * sth went terribly wrong - maybe the
         * filter rules weren't found?
         */
        printf(
            'An error occurred: %s',
            $e->getMessage()
        );
    }


    Is there something wrong in the code?
    • CommentAuthorayok
    • CommentTimeJul 1st 2010 edited
     
    This is the complete result:

    Total impact: 24
    Affected tags: xss, csrf, id, rfe, lfi

    Variable: REQUEST.subject | Value: No diploma, but looking for a university job? Traineeship Jr Payroll Consultant: Work and learn!
    Impact: 12 | Tags: xss, csrf, id, rfe, lfi
    Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
    Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

    Variable: POST.subject | Value: No diploma, but looking for a university job? Traineeship Jr Payroll Consultant: Work and learn!
    Impact: 12 | Tags: xss, csrf, id, rfe, lfi
    Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
    Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

    Centrifuge detection data
    Threshold: 3.49
    Ratio: 1.2777777777778
    • CommentAuthorayok
    • CommentTimeJul 1st 2010
     
    Does it mean these rules?
    <rule><![CDATA[(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))]]></rule>
    and
    <![CDATA[(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])]]>
    ?
    I don't understand what that means.
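
Added example, not part of the original thread and not PHPIDS code: rule ID 7 as quoted in the post above, split at its top-level alternations and run against the reported subject line to show which branch raises the alert. Python's `re` stands in for PCRE, the lowercasing and multiline/dotall flags are assumptions about how PHPIDS applies the rule, and the converter step is skipped.

```python
import re

# Rule ID 7 as quoted in the thread, split at its top-level "|" alternations.
RULE_7_PARTS = [
    ("digit then || or &&", r"(?:\d\s*[|&]{2}\s*\w)"),
    ("= or ( ... ? ... :", r"(?:[=(].+\?.+:)"),
    ("with(...))", r"(?:with\([^)]*\)\))"),
    (".source", r"(?:\.\s*source\W)"),
    ("ternary ? ... : ... then ; or end", r"(?:\?[^:=]+:[^;]+(;|$))"),
]

# Assumption: the rule is applied with PCRE /ms semantics to lowercased input.
FLAGS = re.MULTILINE | re.DOTALL


def explain(value):
    """Return [(label, matched_text)] for every alternative that fires."""
    hits = []
    for label, pattern in RULE_7_PARTS:
        m = re.search(pattern, value.lower(), FLAGS)
        if m:
            hits.append((label, m.group(0)))
    return hits


# The subject line from the report in the thread.
SUBJECT = ("No diploma, but looking for a university job? "
           "Traineeship Jr Payroll Consultant: Work and learn!")

# Constructed variants that isolate what the matching branch needs.
SAMPLES = [
    SUBJECT,
    "Traineeship Jr Payroll Consultant: Work and learn!",  # colon, no '?'
    "No diploma, but looking for a university job?",       # '?', no colon
    "x = a ? b : c;",                                      # a real ternary
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        for label, text in explain(sample) or [("no match", "")]:
            print(f"    {label}: {text!r}")
```

Only the last alternative fires on the subject line: a question mark followed later by a colon, with no semicolon before the end of the string, has the same shape as a JavaScript ternary expression.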
    •  
      CommentAuthor.mario
    • CommentTimeJul 2nd 2010
     
    The last one was a false alert - and is fixed. Thanks for reporting!
    • CommentAuthorayok
    • CommentTimeJul 3rd 2010
     
    That's good to hear. But how can I fix it?