Got another false positive.
Data retrieved with Firebug:
POST:
xjxfun submitForm
xjxr 1217277395531
xjxargs[] <xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>name</k><v>teste</v></e><e><k>nports</k><v>2222</v></e><e><k>mbox2</k><v>0-tcp</v></e><e><k>mbox11</k><v>5-udp</v></e><e><k>mbox84</k><v>55-udp</v></e><e><k>descr</k><v>aaa</v></e></xjxobj>
There are also a lot of them happening in different places of the
application. Could someone point something out to me?
Thank you a lot!
--
xjxfun submitForm
xjxr 1217656999378
xjxargs[] <xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>hostname</k><v>a</v></e><e><k>ip</k><v>10.12.12.12</v></e><e><k>asset</k><v>2</v></e><e><k>thresholdc</k><v>30</v></e><e><k>thresholda</k><v>30</v></e><e><k>rrd_profile</k><v></v></e><e><k>nat</k><v></v></e><e><k>nsens</k><v>1</v></e><e><k>mboxs1</k><v>ossim</v></e><e><k>os</k><v>Unknown</v></e><e><k>mac</k><v></v></e><e><k>macvendor</k><v></v></e><e><k>descr</k><v><![CDATA[&]]></v></e></xjxobj>
That is the data...
2008/7/30 Mario Heiderich <mario.h...@googlemail.com>:
--
xjxfun submitForm
xjxr 1217657223988
xjxargs[] <xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>hostname</k><v>a</v></e><e><k>ip</k><v>10.12.12.12</v></e><e><k>asset</k><v>2</v></e><e><k>thresholdc</k><v>30</v></e><e><k>thresholda</k><v>30</v></e><e><k>rrd_profile</k><v></v></e><e><k>nat</k><v></v></e><e><k>nsens</k><v>1</v></e><e><k>mboxs1</k><v>ossim</v></e><e><k>os</k><v>Unknown</v></e><e><k>mac</k><v></v></e><e><k>macvendor</k><v></v></e><e><k>descr</k><v>a</v></e></xjxobj>
Seems that the problem is still the CDATA!
2008/8/2 lvwr <3rd...@gmail.com>:
--
Would it work on version 5.1 with the newest Converter?
2008/8/3 Mario Heiderich <mario.h...@googlemail.com>:
--
Seems that a lot of mischievous things worked together to daze me!
I've found out that the files were including an older version of
php-ids in an older folder inside my include folder (while I thought
it was pointing absolutely to some files).
The point is that I'm trying to integrate php-ids into ossim, and, for
this application, we would like to point absolutely to the files that
are outside the include folder. I've been thinking, and it
could be easily fixed if the includes in the php-ids files were using
a pointing variable, maybe something like: include_once $path .
'file'. And this variable could be a parameter in the config file.
Did you guys ever think about doing it? If you think it could be
useful, I can give a hand. =]
Thank you!
2008/8/8 lvwr <3rd...@gmail.com>:
--
So only the prefix would be very nice!
2008/8/9 Mario Heiderich <mario.h...@googlemail.com>:
--
I'm getting false-positives on a new form (again...)
The input is:
<xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>formid</k><v>formserver</v></e><e><k>name</k><v>a</v></e><e><k>ip</k><v>22.22.22.22</v></e><e><k>port</k><v>4001</v></e><e><k>correlate</k><v>1</v></e><e><k>cross_correlate</k><v>1</v></e><e><k>store</k><v>1</v></e><e><k>qualify</k><v>1</v></e><e><k>resend_alarms</k><v>1</v></e><e><k>resend_events</k><v>1</v></e><e><k>descr</k><v>a</v></e></xjxobj>
I've tried it within the php-ids demo, and it didn't return any
error... but when I checked the field "valid HTML allowed", it
returned an error with impact 4.
rule-description: finds html breaking injections including whitespace attacks
impact: 4
On my host, I'm getting the following error in the logs:
"10.211.55.2",2008-08-14T20:14:55-07:00,12,"xss csrf id rfe","xjxargs.0=%3Cxjxobj%3E%3Ce%3E%3Ck%3Einsert%3C%2Fk%3E%3Cv%3Einsert%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eerrorh%3C%2Fk%3E%3Cv%3Eerror%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eformid%3C%2Fk%3E%3Cv%3Eformserver%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Ename%3C%2Fk%3E%3Cv%3Eee%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eip%3C%2Fk%3E%3Cv%3E20.2.2.2%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eport%3C%2Fk%3E%3Cv%3E4001%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Ecorrelate%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Ecross_correlate%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Estore%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Equalify%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eresend_alarms%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Eresend_events%3C%2Fk%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Edescr%3C%2Fk%3E%3Cv%3E%3C%21%5BCDATA%5Baa%20aa%5D%5D%3E%3C%2Fv%3E%3C%2Fe%3E%3C%2Fxjxobj%3E","%2Fgsoc%2Fserver%2Fnewserverform.php"
Are both errors related? Is the false positive related to HTML validation?
Thank you!
2008/8/11 Mario Heiderich <mario.h...@googlemail.com>:
--
But where could I disable the valid HTML checks in my php-ids?
2008/8/15 Mario Heiderich <mario.h...@googlemail.com>:
--
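Added example (not part of the original thread and not PHPIDS or ossim code): a small triage helper for log entries like the one quoted above, which URL-decodes the logged parameter and lists each xjxobj key/value pair with a flag showing whether the value arrived wrapped in CDATA. The CSV column layout is an assumption inferred from that single entry, the sample line is constructed, and the function names are hypothetical.

```python
import csv
from urllib.parse import unquote
from xml.dom import minidom

# Constructed sample in the layout of the log entry quoted in the thread
# (assumed CSV columns: ip, time, impact, tags, parameter, request path).
SAMPLE = ('"10.0.0.5",2008-08-14T20:14:55-07:00,12,"xss csrf id rfe",'
          '"xjxargs.0=%3Cxjxobj%3E%3Ce%3E%3Ck%3Ename%3C%2Fk%3E%3Cv%3Eee'
          '%3C%2Fv%3E%3C%2Fe%3E%3Ce%3E%3Ck%3Edescr%3C%2Fk%3E%3Cv%3E'
          '%3C%21%5BCDATA%5Baa%20aa%5D%5D%3E%3C%2Fv%3E%3C%2Fe%3E'
          '%3C%2Fxjxobj%3E","%2Fform.php"')


def parse_log_line(line):
    """Split one log entry and URL-decode the parameter and path columns."""
    ip, when, impact, tags, param, path = next(csv.reader([line]))
    name, _, value = param.partition("=")
    return {"ip": ip, "time": when, "impact": int(impact),
            "tags": tags.split(), "param": name,
            "value": unquote(value), "path": unquote(path)}


def xjx_fields(xml_text):
    """Return [(key, value, cdata_wrapped)] for a flat <xjxobj> payload."""
    # Logged payloads are untrusted: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing payload with DTD/entity declarations")
    doc = minidom.parseString(xml_text)

    def text_nodes(elem):
        # Only text and CDATA children; nested objects are not handled here.
        return [n for n in elem.childNodes
                if n.nodeType in (n.TEXT_NODE, n.CDATA_SECTION_NODE)]

    fields = []
    for e in doc.getElementsByTagName("e"):
        key = "".join(n.data for n in text_nodes(e.getElementsByTagName("k")[0]))
        nodes = text_nodes(e.getElementsByTagName("v")[0])
        cdata = any(n.nodeType == n.CDATA_SECTION_NODE for n in nodes)
        fields.append((key, "".join(n.data for n in nodes), cdata))
    return fields


if __name__ == "__main__":
    entry = parse_log_line(SAMPLE)
    print(entry["impact"], entry["tags"], entry["path"])
    for key, value, cdata in xjx_fields(entry["value"]):
        print(f"{key!r}: {value!r} cdata={cdata}")
```

Run over a batch of logged entries, the per-field CDATA flag makes it easy to compare which submissions were logged with CDATA-wrapped values and which were not.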