More false-positives


lvwr

Jul 28, 2008, 4:39:19 PM
to php...@googlegroups.com
Hello guys,

got another false positive.

Data retrieved with firebug:

POST:
xjxfun submitForm
xjxr 1217277395531
xjxargs[] <xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>name</k><v>teste</v></e><e><k>nports</k><v>2222</v></e><e><k>mbox2</k><v>0-tcp</v></e><e><k>mbox11</k><v>5-udp</v></e><e><k>mbox84</k><v>55-udp</v></e><e><k>descr</k><v>aaa</v></e></xjxobj>

There are also a lot of them happening in different places of the
application. Could someone point something out to me?

Thank you a lot!

--

lvwr
blog.livewire.com.br

Mario Heiderich

Jul 30, 2008, 8:40:30 AM
to php...@googlegroups.com
Hi,

hard nut to crack but fixed in the trunk.

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

lvwr

Aug 2, 2008, 2:06:56 AM
to php...@googlegroups.com
Still getting the false-positives...

xjxfun submitForm
xjxr 1217656999378
xjxargs[] <xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>hostname</k><v>a</v></e><e><k>ip</k><v>10.12.12.12</v></e><e><k>asset</k><v>2</v></e><e><k>thresholdc</k><v>30</v></e><e><k>thresholda</k><v>30</v></e><e><k>rrd_profile</k><v></v></e><e><k>nat</k><v></v></e><e><k>nsens</k><v>1</v></e><e><k>mboxs1</k><v>ossim</v></e><e><k>os</k><v>Unknown</v></e><e><k>mac</k><v></v></e><e><k>macvendor</k><v></v></e><e><k>descr</k><v><![CDATA[&]]></v></e></xjxobj>

that is the data...

2008/7/30 Mario Heiderich <mario.h...@googlemail.com>:

--

lvwr
blog.livewire.com.br

lvwr

Aug 2, 2008, 2:07:46 AM
to php...@googlegroups.com
But it worked for:

xjxfun submitForm
xjxr 1217657223988
xjxargs[] <xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>hostname</k><v>a</v></e><e><k>ip</k><v>10.12.12.12</v></e><e><k>asset</k><v>2</v></e><e><k>thresholdc</k><v>30</v></e><e><k>thresholda</k><v>30</v></e><e><k>rrd_profile</k><v></v></e><e><k>nat</k><v></v></e><e><k>nsens</k><v>1</v></e><e><k>mboxs1</k><v>ossim</v></e><e><k>os</k><v>Unknown</v></e><e><k>mac</k><v></v></e><e><k>macvendor</k><v></v></e><e><k>descr</k><v>a</v></e></xjxobj>

Seems that the problem is still the CDATA!

2008/8/2 lvwr <3rd...@gmail.com>:

--

lvwr
blog.livewire.com.br

lvwr

Aug 8, 2008, 3:12:40 PM
to php...@googlegroups.com
To solve this problem, is updating only the Converter.php file enough?

Would it work on version 5.1 with the newest Converter?

2008/8/3 Mario Heiderich <mario.h...@googlemail.com>:

--

lvwr
blog.livewire.com.br

lvwr

Aug 8, 2008, 4:41:00 PM
to php...@googlegroups.com
Wow,

Seems that a lot of mischievous things worked together to daze me!
I've found out that the files were including an older version of
php-ids from an older folder inside my include folder (while I thought
it was pointing absolutely to some files).

The point is that I'm trying to integrate php-ids into ossim, and, for
this application, we would like to point absolutely to the files that are
outside the include folder. I've been thinking, and it
could be easily fixed if the includes in the php-ids files were using
a pointing variable, maybe something like: include_once $path .
'file', and this variable could be a parameter in the config file.

Did you guys ever think about doing it? If you think it could be
useful, I can give a hand. =]

Thank you!

2008/8/8 lvwr <3rd...@gmail.com>:

--

lvwr
blog.livewire.com.br

Mario Heiderich

Aug 9, 2008, 9:09:01 AM
to php...@googlegroups.com
Hi,

doesn't sound too bad in my opinion. You just need a prefix or the whole path to be configurable?

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

lvwr

Aug 9, 2008, 4:25:56 PM
to php...@googlegroups.com
Well, if we have the ability to set up the prefix, we can point to any
place, so we can create our own /usr/share/php-ids/IDS folder and
point to it easily...

So only the prefix would be very nice!

2008/8/9 Mario Heiderich <mario.h...@googlemail.com>:

--

lvwr
blog.livewire.com.br

Mario Heiderich

Aug 11, 2008, 4:55:29 AM
to php...@googlegroups.com
Will be done sometime this week - as mentioned in the forums.

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

lvwr

Aug 15, 2008, 2:19:28 AM
to php...@googlegroups.com
Hello guys,

I'm getting false-positives on a new form (again...)

The input is:

<xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>formid</k><v>formserver</v></e><e><k>name</k><v>a</v></e><e><k>ip</k><v>22.22.22.22</v></e><e><k>port</k><v>4001</v></e><e><k>correlate</k><v>1</v></e><e><k>cross_correlate</k><v>1</v></e><e><k>store</k><v>1</v></e><e><k>qualify</k><v>1</v></e><e><k>resend_alarms</k><v>1</v></e><e><k>resend_events</k><v>1</v></e><e><k>descr</k><v>a</v></e></xjxobj>

I've tried it within the php-ids demo, and it didn't return any
error... but when I checked the "valid HTML allowed" field, it
returned an error with impact 4.

rule-description: finds html breaking injections including whitespace attacks
impact: 4

In my host, I'm getting the following error on the logs:

"10.211.55.2",2008-08-14T20:14:55-07:00,12,"xss csrf id
rfe","xjxargs.0=%3Cxjxobj%3E%3Ce%3E%3Ck%3Einsert%3C%2Fk%3E%3Cv%3Einsert%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eerrorh%3C%2Fk%3E%3Cv%3Eerror%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eformid%3C%2Fk%3E%3Cv%3Eformserver%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Ename%3C%2Fk%3E%3Cv%3Eee%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eip%3C%2Fk%3E%3Cv%3E20.2.2.2%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eport%3C%2Fk%3E%3Cv%3E4001%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Ecorrelate%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Ecross_correlate%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Estore%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Equalify%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eresend_alarms%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eresend_events%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Edescr%3C%2Fk%3E%3Cv%3E%3C%21%5BCDATA%5Baa%20aa%5D%5D%3E%3C%2Fv%3E%3C%2Fe%3E%3C%2Fxjxobj%3E","%2Fgsoc%2Fserver%2Fnewserverform.php"

Are both errors related? Is the false positive related to html validation?

Thank you!


2008/8/11 Mario Heiderich <mario.h...@googlemail.com>:

--

lvwr
blog.livewire.com.br

Mario Heiderich

Aug 15, 2008, 7:11:50 AM
to php...@googlegroups.com
Hi,

yep - since the string doesn't contain valid HTML it doesn't make sense to use it in combination with the html-option. So - is it really a false alert?

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ
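The xajax container that keeps tripping the rule is XML, not HTML, which is why the html option misfires when it is pointed at the whole wrapper. As an added example (not PHPIDS or xajax code), the PHP below decodes an xjxobj string from this thread into a flat field => value array so each real form field such as descr can be inspected or whitelisted on its own; the helper names and the shortened log value are assumptions.

```php
<?php
// Added example, not code from PHPIDS or xajax. Decodes the xajax "xjxobj"
// container into a flat field => value array. The container is XML, not
// HTML, so pointing the html option at the whole wrapper alerts on every
// request; the decoded per-field values are what the rules should see.

// Returns field => value for a well-formed xjxobj document, else null.
function xjxobj_to_array($xml)
{
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NOCDATA merges <![CDATA[...]]> into plain text, so a value like
    // "&" (which xajax has to wrap in CDATA) comes back as a bare "&".
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($doc === false || $doc->getName() !== 'xjxobj') {
        return null;
    }
    $fields = array();
    foreach ($doc->e as $entry) {
        $fields[(string) $entry->k] = (string) $entry->v;
    }
    return $fields;
}

// Names of fields whose decoded value contains HTML-significant characters;
// only these are candidates for the html option, the rest get normal rules.
function fields_with_markup(array $fields)
{
    $hits = array();
    foreach ($fields as $name => $value) {
        if (preg_match('/[<>&"\']/', $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed, shortened form of the URL-encoded xjxargs.0 value from the
// log line in the thread, keeping the same CDATA-wrapped descr value.
$logged = 'xjxargs.0=%3Cxjxobj%3E%3Ce%3E%3Ck%3Edescr%3C%2Fk%3E%3Cv%3E'
        . '%3C%21%5BCDATA%5Baa%20aa%5D%5D%3E%3C%2Fv%3E%3C%2Fe%3E%3C%2Fxjxobj%3E';
$fields = xjxobj_to_array(urldecode(substr($logged, strlen('xjxargs.0='))));
var_dump($fields['descr']);             // the descr field as the form sent it
var_dump(fields_with_markup($fields));  // which fields would need the html option

// Constructed copy of the CDATA-wrapped "&" from the thread's second request.
$cdata = '<xjxobj><e><k>hostname</k><v>a</v></e>'
       . '<e><k>descr</k><v><![CDATA[&]]></v></e></xjxobj>';
var_dump(fields_with_markup(xjxobj_to_array($cdata)));
```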

lvwr

Aug 15, 2008, 1:42:30 PM
to php...@googlegroups.com
Yes, probably not a false alert...

but where could I disable the valid HTML checks on my php-ids?

2008/8/15 Mario Heiderich <mario.h...@googlemail.com>:

--

lvwr
blog.livewire.com.br

Mario Heiderich

Aug 16, 2008, 7:11:13 AM
to php...@googlegroups.com
It's disabled by default - but you can switch it on for certain fields. You can do this in the Config.ini by just assigning field names to the html directive.

https://trac.php-ids.org/index.fcgi/browser/trunk/lib/IDS/Config/Config.ini#L20

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ