PHP IDS and Xajax


sascha...@googlemail.com

Jul 18, 2008, 4:40:41 AM7/18/08
to PHPIDS » Web Application Security 2.0
I have a problem with PHP IDS and Xajax.

First of all, the message which is generated by PHP IDS:
Total impact: 13
Affected tags: xss, csrf, id

Variable: POST.xjxargs.0 | Value: <xjxobj><e><k>topic</k><v>allgemein</v></e><e><k>questart</k><v>checkbox</v></e><e><k>anzantw</k><v>5</v></e><e><k>questtxt</k><v><![CDATA[Frage Test]]></v></e></xjxobj>
Impact: 13 | Tags: xss, csrf, id
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects base href injections and XML entity injections | Tags: xss, csrf, id | ID: 37

This problem occurs when I insert a text into an input field with
white spaces (without the white spaces everything works).

I've tried to set the xjxargs into the exceptions in the config (it is a
PHP array), but this doesn't work. I think this is the same problem
as this one http://forum.php-ids.org/comments.php?DiscussionID=133&page=1#Item_0
had.

Here is the config array:
$cfg['IDS_config'] = array(
    'General' => array(
        'filter_type'         => 'xml',
        'filter_path'         => 'IDS/default_filter.xml',
        'tmp_path'            => 'IDS/tmp',
        'scan_keys'           => false,
        'HTML_Purifier_Path'  => 'IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
        'HTML_Purifier_Cache' => 'IDS/vendors/htmlpurifier/HTMLPurifier/DefinitionCache/Serializer',
        'html' => array(
            0 => '__wysiwyg',
            1 => 'xjxargs'
        ),
        'exceptions' => array(
            0 => '__utmz',
            1 => '__utmc',
            2 => 'xjxargs'
        ),
        'min_php_version' => '5.1.6'
    ),
    'Logging' => array(
        'path'       => 'IDS/tmp/phpids_log.txt',
        'recipients' => array(
            0 => 'te...@test.com.invalid',
        ),
        'subject'      => 'PHPIDS detected an intrusion attempt!',
        'header'       => 'From: <PHPIDS> in...@php-ids.org',
        'safemode'     => true,
        'allowed_rate' => '15',
        'wrapper'      => 'mysql:host=' . $cfg['sqlhost'] . ';port=3306;dbname=' . $cfg['sqldb'],
        'user'         => $cfg['sqlusr'],
        'password'     => $cfg['sqlpasswd'],
        'table'        => 'intrusions',
    ),
    'Caching' => array(
        'caching'         => 'database',
        'expiration_time' => '600',
        'path'            => 'IDS/tmp/default_filter.cache',
        'wrapper'         => 'mysql:host=' . $cfg['sqlhost'] . ';port=3306;dbname=' . $cfg['sqldb'],
        'user'            => $cfg['sqlusr'],
        'password'        => $cfg['sqlpasswd'],
        'table'           => 'cache',
    )
);

And this is the data which is sent by xajax:
POST: xjxfun=add_quest
&xjxr=1216369769779
&xjxargs[]=
<xjxobj>
<e><k>topic</k><v>allgemein</v></e>
<e><k>questart</k><v>checkbox</v></e>
<e><k>anzantw</k><v>5</v></e>
<e><k>questtxt</k><v><![CDATA[Frage Test]]></v></e>
</xjxobj>

I hope you find the problem and sorry for my English.

Mario Heiderich

Jul 18, 2008, 12:09:56 PM7/18/08
to php...@googlegroups.com
Hi!

Please try to use the exceptions as such:

Config.ini:
POST.xjxargs.0

via PHP:
'exceptions' => array(
    'POST' => array(
        0 => 'xjxargs'
    )
);

Since you nested the parameters for the arrays to check, you need to give the PHPIDS the full 'path' to the array item to exclude from scanning.

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

sascha...@googlemail.com

Jul 21, 2008, 1:16:25 AM7/21/08
to PHPIDS » Web Application Security 2.0
Hello,

I have changed the config array in that way, but it doesn't work.

Greetings,
Sascha

On 18 Jul., 18:09, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Hi!
>
> Please try to use the exceptions as such:
>
> Config.ini:
> POST.xjxargs.0
>
> via PHP:
> 'exceptions'    => array(
>     'POST' =>
>         array (
>             0               => 'xjxargs'
>     )
> );
>
> Since you nested the parameters for the arrays to check, you need to give the
> PHPIDS the full 'path' to the array item to exclude from scanning.
>
> Greetings,
> .mario
>
> On Fri, Jul 18, 2008 at 10:40 AM, sascha.wa...@googlemail.com <
> > 't...@test.com.invalid',
> >                                ),
> >                                'subject'               => 'PHPIDS detected
> > an intrusion attempt!',
> >                                'header'                => 'From: <PHPIDS>
> > i...@php-ids.org',

Mario Heiderich

Jul 21, 2008, 3:54:54 AM7/21/08
to php...@googlegroups.com
Hmmm - I need some more information: How did you pass the arrays to check to the PHPIDS? How are they nested?
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ

sascha...@googlemail.com

Jul 21, 2008, 4:37:15 AM7/21/08
to PHPIDS » Web Application Security 2.0
The array which is sent by xajax looks like this:

Array
(
    [xjxfun] => add_quest
    [xjxr] => 1216628377620
    [xjxargs] => Array
        (
            [0] =>
<xjxobj>
<e><k>topic</k><v>allgemein</v></e>
</xjxobj>

        )

)

All data is sent as a POST request.

I have built my own class to react to specific impacts.

<?php
set_include_path(
    get_include_path()
    . PATH_SEPARATOR
    . 'IDS'
);

require_once 'IDS/Init.php';
require_once 'IDS/Log/Composite.php';
require_once 'IDS/Log/Database.php';
if (PHP_INC != 1) {
    require_once 'sys/config.inc.php';
}

class idps {
    // Public vars
    public $request = null;
    public $threshold = null;
    public $ids_config = null;
    public $msg = "";
    public $ids_mon = null;
    public $compositeLog = null;
    public $init = null;
    public $result = null;

    // Private vars
    private static $instances = array();

    private function __construct($config_path, $ids_config, $threshold, $request) {
        $this->init = IDS_Init::init($config_path);
        $this->set_request($request);
        $this->set_threshold($threshold);
        $this->set_ids_config($ids_config);
        // overwrite the values from Config.ini with the PHP config array
        $this->init->setConfig($this->ids_config, true);
        $this->ids_mon = new IDS_Monitor($this->request, $this->init);
        $this->compositeLog = new IDS_Log_Composite();
        $this->compositeLog->addLogger(
            IDS_Log_Database::getInstance($this->init)
        );
        // run the scan once; the report is kept in $this->result
        $this->result = $this->ids_mon->run();
    }

    private function react($impact, $threshold, $result, $compositeLog, $init) {
        // react to the following attacks and log everything
        if ($impact >= $threshold['kick']) {
            $this->msg = "<b>Meldung:</b> Achtung es wurde ein Hackingversuch festgestellt, die IP-Adresse wurde mit gelogt!<br>";
            $this->ids_log($result, $compositeLog);
            return true;
        } else if ($impact >= $threshold['warn']) {
            $this->msg = "<b>Meldung:</b> Achtung es wurde ein Hackingversuch festgestellt, die IP-Adresse wurde mit gelogt!<br>";
            $this->ids_log($result, $compositeLog);
            return true;
        } else if ($impact >= $threshold['mail']) {
            $this->msg = "<b>Meldung:</b> Achtung es wurde ein Hackingversuch festgestellt, die IP-Adresse wurde mit gelogt!<br>";
            $this->ids_log($result, $compositeLog);
            return true;
        } else if ($impact >= $threshold['log']) {
            $this->msg = "<b>Meldung:</b> Achtung es wurde ein Hackingversuch festgestellt, die IP-Adresse wurde mit gelogt!<br>";
            $this->ids_log($result, $compositeLog);
            return true;
        } else {
            return true;
        }
    }

    private function ids_log($result, $compositeLog) {
        // write the result to the database
        $compositeLog->execute($result);
    }

    private function set_request($request) {
        $this->request = $request;
    }

    private function set_threshold($threshold) {
        $this->threshold = $threshold;
    }

    private function set_ids_config($ids_config) {
        $this->ids_config = $ids_config;
    }

    // one instance per config path
    public static function init($configPath, $ids_config, $threshold, $request) {
        if (!isset(self::$instances[$configPath])) {
            self::$instances[$configPath] = new idps($configPath, $ids_config, $threshold, $request);
        }
        return self::$instances[$configPath];
    }

    public function start_ids() {
        if (!$this->result->isEmpty()) {
            $this->react($this->result->getImpact(), $this->threshold, $this->result, $this->compositeLog, $this->init);
        }
    }

    public function get_error_msg() {
        return $this->msg;
    }

    public function kill_app() {
        if (!$this->result->isEmpty()) {
            // die() terminates the script; the return below is never reached
            die();
            return true;
        } else {
            return false;
        }
    }

}

$request = array(
    'GET' => $_GET,
    'POST' => $_POST,
    'COOKIE' => $_COOKIE,
    'SESSION' => $_SESSION
);

$request['SCRIPT_URI'] = $_SERVER['SCRIPT_URI'];
$request['REDIRECT_QUERY_STRING'] = $_SERVER['REDIRECT_QUERY_STRING'];
$request['USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
$request['SERVER_ADDR'] = $_SERVER['SERVER_ADDR'];

$threshold = array(
    'log' => 3,
    'mail' => 9,
    'warn' => 27,
    'kick' => 81
);

$idps = idps::init("IDS/Config/Config.ini", $cfg['IDS_config'], $threshold, $request);

$idps->start_ids();

if (!$idps->result->isEmpty()) {
    print $idps->get_error_msg() . "<br>";
    print $idps->result;
}
$idps->kill_app();

This could be the problem.

On 21 Jul., 09:54, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Hmmm - I need some more information: How did you pass the arrays to check to
> the PHPIDS? How are they nested?
>
> On Mon, Jul 21, 2008 at 7:16 AM, sascha.wa...@googlemail.com <

Mario Heiderich

Jul 21, 2008, 4:51:53 AM7/21/08
to php...@googlegroups.com
Hi,

I just reconstructed your case and had no problems. Let me describe:

The array I used looks like this:
$request = array('POST' => array('xjxargs' => array('<xjxobj><e><k>topic</k><v>allgemein</v></e></xjxobj>')));

So - to exclude the mentioned value you need this code:
$init->config['General']['exceptions'][] = 'POST.xjxargs.0';

I tried it and it worked as expected. The value itself doesn't trigger an alert anyway - which is correct too. When I modify the value the malicious code gets detected:

$request = array('POST' => array('xjxargs' => array('<script>alert(1)</script><xjxobj><e><k>topic</k><v>allgemein</v></e></xjxobj>')));

Did that help?

Greetings,
.mario
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ
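Added illustration for the point of this thread (written here, not PHPIDS's own code): a nested request array is walked into dotted field names, so the bare 'xjxargs' entry from the first config never equals the field name 'POST.xjxargs.0' and the exception is silently ignored, while the full path matches. The request array is the one quoted above; the flattening and exact-match check mirror the behaviour described in the thread, not the PHPIDS implementation itself.

```php
<?php
// Illustration only (not PHPIDS code): how nested request arrays become
// dotted field names and how an exceptions list is matched against them.

/**
 * Recursively flatten a request array into "path => value" pairs,
 * joining nested keys with "." (e.g. POST.xjxargs.0).
 */
function flattenRequest(array $request, string $prefix = ''): array
{
    $flat = [];
    foreach ($request as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            foreach (flattenRequest($value, $path) as $p => $v) {
                $flat[$p] = $v;
            }
        } elseif (is_string($value)) {
            $flat[$path] = $value;
        }
    }
    return $flat;
}

/**
 * Return the fields that would still be scanned: those whose full path
 * is not listed in $exceptions (exact, case-sensitive comparison).
 */
function fieldsToScan(array $request, array $exceptions): array
{
    $scanned = [];
    foreach (flattenRequest($request) as $path => $value) {
        if (!in_array($path, $exceptions, true)) {
            $scanned[$path] = $value;
        }
    }
    return $scanned;
}

// Constructed from the xajax POST data shown in the thread.
$request = ['POST' => ['xjxargs' => [
    0 => '<xjxobj><e><k>topic</k><v>allgemein</v></e></xjxobj>',
]]];

// First config: bare key never matches, POST.xjxargs.0 is still scanned.
var_dump(array_keys(fieldsToScan($request, ['__utmz', '__utmc', 'xjxargs'])));
// Working config: full path matches, nothing is left to scan.
var_dump(array_keys(fieldsToScan($request, ['__utmz', '__utmc', 'POST.xjxargs.0'])));
```

The same comparison explains why the 'html' list in the original config also needs the full path for the field to be handed to HTML Purifier instead of the regular filters.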

sascha...@googlemail.com

Jul 21, 2008, 5:12:37 AM7/21/08
to PHPIDS » Web Application Security 2.0
*cheer*

Thank you now it works

Greetings,
Sascha

On 21 Jul., 10:51, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Hi,
>
> I just reconstructed your case and had no problems. Let me describe:
>
> The array I used looks like this:
> $request = array('POST' => array('xjxargs' =>
> array('<xjxobj><e><k>topic</k><v>allgemein</v></e></xjxobj>')));
>
> So - to exclude the mentioned value you need this code:
> *$init->config['General']['exceptions'][] = 'POST.xjxargs.0';*
>
> I tried it and it worked as expected. The value itself doesn't trigger an
> alert anyway - which is correct too. When I modify the value the malicious
> code gets detected:
>
> $request = array('POST' => array('xjxargs' =>
> array('<script>alert(1)</script><xjxobj><e><k>topic</k><v>allgemein</v></e></xjxobj>')));
>
> Did that help?
>
> Greetings,
> .mario
>
> On Mon, Jul 21, 2008 at 10:37 AM, sascha.wa...@googlemail.com <
> ...

Mario Heiderich

Jul 21, 2008, 6:14:00 AM7/21/08
to php...@googlegroups.com
Coolish ;)
--
_______________________
php-ids.org

.ﻩﻨﺮﻪﺴ