Has anyone here ever used PHP-IDS with xajax? Which kind of problems
did you get?
I know that some data generated by xajax, such as special chars like
? or : passed inside a CDATA field, are captured and displayed as a
false positive by PHP-IDS. But I'm not even sure if it is possible to
fix it... considering that CDATA itself might configure an attack.
Did you guys have any other kind of problem? Has anyone ever seen the
problem mentioned or dealt with a similar situation?
Thanks a lot!
--
Sorry for taking so long to answer.
Here are some samples of data generated with xajax that trigger the
false alerts... This data was retrieved from the Firebug console:
xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] <![CDATA[:??]]>
xjxfun validate
xjxr 1214843893862
*
xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] <![CDATA[;]]>
xjxfun validate
xjxr 1214844022237
*
xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] <![CDATA[}]]>
xjxfun validate
xjxr 1214844066904
*
And below are some samples that did not trigger the false positive. As
you might see, the problem seems to be with the CDATA attached by
xajax.
xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] a
xjxfun validate
xjxr 1214844169740
*
xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] b
xjxfun validate
xjxr 1214844190517
*
xjxargs[] error
xjxargs[] common
xjxargs[] hostname
xjxargs[] hostname_edit
xjxargs[] bc
xjxfun validate
xjxr 1214844208692
*
Thank you.
2008/6/26 Mario Heiderich <mario.h...@googlemail.com>:
--
Thank you for the version. I've been travelling so I couldn't test it
until now. I'll let you know if it is okay asap.
Thank you again.
2008/7/1 Mario Heiderich <mario.h...@googlemail.com>:
--
I've been trying to apply the changes you've made to not trigger the
false alert when dealing with CDATA...
I went through the svn, into the file Converter.php. I copied the
method convertFromProprietaryEncodings, which was the one I guess you
added to deal with the CDATA problem (at least, it was explicit in the
method). I've included it in my Convert class, and thought that
hopefully it would be called by the runAll during the use...
Did I do it correctly?
If yes, it seems that it did not fix my problem, since I'm still getting
the false alert when posting such data... here is an example I've
just tried out:
xjxargs[] <xjxobj><e><k>insert</k><v>insert</v></e><e><k>errorh</k><v>error</v></e><e><k>hostname</k><v>ab</v></e><e><k>ip</k><v>10.2.2.22</v></e><e><k>asset</k><v>2</v></e><e><k>thresholdc</k><v>30</v></e><e><k>thresholda</k><v>30</v></e><e><k>rrd_profile</k><v></v></e><e><k>nat</k><v></v></e><e><k>nsens</k><v>1</v></e><e><k>os</k><v>Unknown</v></e><e><k>mac</k><v></v></e><e><k>macvendor</k><v></v></e><e><k>descr</k><v><![CDATA[&]]></v></e></xjxobj>
xjxfun submitForm
xjxr 1216969673959
Thank you for the help.
João.
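
Added example (not part of the thread, and not PHP-IDS or xajax code): one way to normalise the xjxargs[] values shown above before inspection, so that detection rules see the text inside the CDATA wrapper instead of the wrapper itself, and anything that does not parse as expected is inspected raw. The function names are hypothetical, and it assumes PHP 7.1+ with the SimpleXML extension.

```php
<?php
// Added example; function names are hypothetical. Turns one xjxargs[] value
// into [key, text] pairs that can be handed to the detection layer.

function xajax_unwrap_cdata(string $s): string
{
    // Unwrap only when the whole value is a single CDATA section.
    if (preg_match('/^<!\[CDATA\[(.*)\]\]>$/s', $s, $m) && strpos($m[1], ']]>') === false) {
        return $m[1];
    }
    return $s;
}

function xajax_flatten_arg(string $arg): array
{
    if (strncmp($arg, '<xjxobj>', 8) !== 0) {
        return [['', xajax_unwrap_cdata($arg)]];
    }
    // Fail closed: anything unexpected is returned raw so it is still inspected.
    if (stripos($arg, '<!DOCTYPE') !== false) {
        return [['', $arg]];
    }
    $prev = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($arg, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($xml === false) {
        return [['', $arg]];
    }
    $pairs = [];
    foreach ($xml->e as $e) {
        // A <v> with child elements is kept as markup rather than silently dropped.
        $value = $e->v->count() > 0 ? $e->v->asXML() : (string) $e->v;
        $pairs[] = [(string) $e->k, $value];   // list, so duplicate keys are not lost
    }
    // Children other than <e> mean an unexpected layout: hand back the raw string.
    return count($pairs) === $xml->count() ? $pairs : [['', $arg]];
}

// Constructed samples, shortened from the values quoted in the thread.
$samples = [
    'a',
    '<![CDATA[:??]]>',
    '<xjxobj><e><k>hostname</k><v>ab</v></e><e><k>descr</k><v><![CDATA[&]]></v></e></xjxobj>',
];
foreach ($samples as $arg) {
    foreach (xajax_flatten_arg($arg) as [$key, $value]) {
        printf("%-10s %s\n", $key === '' ? '(scalar)' : $key, var_export($value, true));
    }
}
```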