PHPIDS - get it!

Archive for August, 2007

PHPIDS 0.3.2 fresh out of the lab

Tuesday, August 28th, 2007

Today we released PHPIDS 0.3.2 with many exciting new features. We had some very interesting contributions from people all over the planet and most of them found their way into this release.

Johannes Dahse helped us a lot improving the SQL injection rules with tons of formerly undetected vectors, and we had some great talks with Kevin Schroeder about performance, which led us to do some caching work. We were able to reach a performance boost of over 40% by caching the storage object.

Also we’d like to mention that there’s now a basic PHPIDS WordPress plugin available, written by H. Beyer, and you can expect more from the BlogSecurity group soon.

SirDarckCat recently managed to get XSS past the PHPIDS again - with two surprisingly basic and one insanely advanced XSS vector. Thanks to his advice we now feature a method to deal with faulty JS parsing in Gecko-based browsers.

Here’s a list of the majority of new features:

  • Caching of the storage object
  • Fewer false positives again
  • Way better detection of SQL injection attacks
  • Optimized CRLF detection - thanks to Stevenr from the PHPIDS forum
  • Finally - a database logger based on PDO
  • Basic methods to deal with faulty Firefox JS parsing
  • Fewer lines of code

We hope you have fun with the new release and keep up the great support. Meanwhile we are working hard on the 0.4 release, and in the next few days you can expect the alpha of the PHPIDS Typo3 extension.

PHP4IDS 0.2.1 released

Monday, August 13th, 2007

PHP4IDS 0.2.1 is now available for public download. The current version includes the XML filter file from PHPIDS 0.3.1 and contains several small adjustments to resemble the PHPIDS 0.3.1 filter matching process - including support for IDSMonitor::ScanKeys() and IDSRegexpFilter::Flags().

Furthermore, API documentation (generated with phpDocumentor) is included, and example.php has been updated to the latest PHPIDS tests.

The download of version 0.2.1 is available in the downloads section or via SVN: http://php4ids.googlecode.com/svn/trunk/

If you have any suggestions for future improvements to PHP4IDS please contribute to our own forum area here on php-ids.org.

False positives and you

Saturday, August 4th, 2007

To ease the process of finding and removing false positives we recently updated the demo page. You can now use the form in the sidebar to submit false positives.

Those are sent directly to a DabbleDB application - a free database hosted on the DabbleDB servers. This makes maintenance easy for us and allows the use of automated regression test scripts even for false positives. You can find the public views and many export formats for the (once) existing false alert data here.

We monitor the database via feed reader, so if you send in a false alert it will usually be fixed in the trunk within hours or sometimes even minutes.

PHPIDS 0.3.1 is ready

Thursday, August 2nd, 2007

Again we’re proud to release the new version of the PHPIDS - 0.3.1. This release features plenty of bugfixes, enhancements in stability and performance, and optimized filter rules. Here’s a list of the most important changes.

  • default_filter.xml was moved into the IDS folder
  • A whole bunch of false alerts was removed
  • Even more false alerts were removed
  • Detection rules for the most recent exploits were added - including the URI exploits, Konqueror UXSS, more complex SQLI attacks etc.
  • Also the PHPIDS now provides optional key scanning - disabled by default, but you can enable it using the $scanKeys property in Monitor.php
  • We also enhanced the loggers to provide more comprehensive output
  • Improved inline documentation to make the code more comprehensible
  • The report object now features a __toString method with which you can easily dump out detected results
  • And all that with fewer lines of code!

We hope you like the new release as much as we do - just drop us a line in the forum if you have any issues with it!

.NETIDS 0.1.3.0 released

Thursday, August 2nd, 2007

.NETIDS v0.1.3.0 is now available and features several large changes to how the SecurePage class is implemented and used.

  • Version set correctly on assembly (thanks to Albert)
  • Moved scanning by SecurePage into Page_Init (thanks to Albert)
  • Added new properties to SecurePage - PostExclusions, GetExclusions, HeaderExclusions and CookieExclusions - so that you can exclude a value from a single scanner; for example, to exclude “host” from header scanning only, use HeaderExclusions. Of course you can still exclude from all scanners by using Exclusions.
  • The event handler is no longer an abstract field. This means you must change your declaration of public override void IDSEventHandler(Report report, SecurePage SecurePage) so that it does NOT override the base method (which no longer exists). Instead, declare public void IDSEventHandler(Report report, SecurePage SecurePage) and wire it up to the event of the SecurePage object in Page_Init: OnIDSEvent += IDSEventHandler; This change is handy because you can centralize IDS detection by specifying the same method for each handler, rather than having hard-to-maintain, code-duplicating methods in each page.
  • ViewStateUserKey is no longer set by SecurePage. The same goes for caching values.
  • Changed style of error output to conform to throw rather than re-writing page.
  • Updated filter rules.
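The following is an added example of the migration described in the list above; it is not code from the .NETIDS project itself. It shows a page deriving from SecurePage, a per-scanner exclusion, and the new event wiring with a single shared handler. The namespace DotNetIDS, the assumption that HeaderExclusions exposes an Add(string) method, and the use of Report’s default ToString() output are assumptions, not facts from the release notes.

```csharp
// Added example, not part of .NETIDS: migrating a page to the 0.1.3.0 event model.
// Assumed (not stated on the page): namespace DotNetIDS, HeaderExclusions.Add(string),
// and that Report.ToString() yields something readable (object.ToString() at minimum).
using System;
using System.Diagnostics;
using System.Web;
using DotNetIDS; // assumed namespace for SecurePage and Report

// One shared handler so IDS detection logic lives in a single place rather
// than being duplicated in every page (the centralization the notes describe).
public static class IdsHandlers
{
    // Same signature the release notes require for a handler:
    //   public void IDSEventHandler(Report report, SecurePage SecurePage)
    // Making it static lets any page attach it as a method group.
    public static void IDSEventHandler(Report report, SecurePage securePage)
    {
        // Record which page raised the event and what the report contains.
        string pageName = securePage.GetType().Name;
        Trace.WriteLine("[.NETIDS] suspicious input on " + pageName + ": " + report);

        // 0.1.3.0 signals errors by throwing rather than rewriting the page,
        // so stop processing here and let the application's error handling
        // (e.g. Application_Error or customErrors) render the response.
        throw new HttpException(400, "Request rejected by .NETIDS");
    }
}

// Derive from SecurePage instead of System.Web.UI.Page. With AutoEventWireup="true"
// in the .aspx directive, Page_Init runs during the Init stage, which is where
// SecurePage 0.1.3.0 performs its scanning.
public partial class ContactPage : SecurePage
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Exclude only the "host" header from header scanning; POST, GET and
        // cookie scanning are unaffected (assumed Add(string) on the collection).
        HeaderExclusions.Add("host");

        // Wire the shared handler. The old "public override void IDSEventHandler"
        // no longer compiles because the base method was removed.
        OnIDSEvent += IdsHandlers.IDSEventHandler;
    }
}
```

Attaching the handler in Page_Init rather than Page_Load matters because scanning now happens at Init; a handler attached later would miss the event. Throwing from the handler matches the new error style, so pages should not rely on the handler returning normally.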

The latest binary is available at http://dotnetids.googlecode.com/files/dotnetids-bin-0_1_3_0.zip

If you have any suggestions for future improvements to .NETIDS please contribute to our own forum area here on php-ids.org.