PHPIDS - get it!

Archive for February, 2008

WPIDS version 0.1.2 released

Thursday, February 21st, 2008

We are pleased to announce the long overdue new WPIDS release. This is a bug-fix release: several reported problems have been fixed. Here is a short list of the most important ones:

  • In previous versions XML-RPC was blocked completely; there is now an option to enable or disable it
  • Search now works with non-English characters. Before the fix all non-English characters were dropped
  • A bug in the logging facility caused all logged entries to be recorded with a lower impact than intended

Of course this version ships with the latest PHPIDS version, currently 0.4.7. There is still a lot of work to do, though. For example, the login page is displayed with an error/warning message. It also turned out that checking HTTP_REFERER is not a good idea, since it raises too many false alerts.

Since these problems affect neither your site’s security nor your workflow, they will remain until the next major release. That will be WPIDS version 0.2, which will be a complete rewrite. Some features of Lockdown, the embedded sister project, will be kept and managed as opt-out. Version 0.2 will also come with more granular maintenance and configuration options.

The download is available as a full package, or you can get it from SVN.

PHPIDS 0.4.7 “Roberta” waiting to be downloaded

Wednesday, February 20th, 2008

We are glad to announce the freshest release of PHPIDS. As you might have expected, we again did a lot of work optimizing the converter and the centrifuge. The rules were also improved slightly to catch several sophisticated SQL injection vectors submitted by Johannes Dahse. Again we have to thank David Lindsay, Gareth Heyes and others for their great work; the system wouldn’t be half as good without their contributions and intense testing.

PHPIDS now performs much better when dealing with UTF-7 XSS and especially data URIs with mixed encoding. Gareth and his outstanding Hackvertor managed to create some weird but sophisticated examples of how far data URIs can be obfuscated. Don’t forget to check out his amazing tool.

PHPIDS now also ’speaks’ Base64, so no more vector obfuscation with that encoding, bad guys! The number of false alerts has decreased considerably with the new rules, so if PHPIDS flags an incoming string as suspicious you can be close to 99% sure it was an intrusion attempt.
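To illustrate what the converter work in this release is about, here is an added example (written for this page in Python, not PHPIDS’s own PHP code and not its real converter or rule set) that unwinds UTF-7 shift sequences, base64 data URIs, URL encoding and HTML entities until the input stops changing, and only then runs a few toy XSS rules over the decoded string. The sample vectors, the regexes and the rule names are all constructed for the demo; the “mixed” vector stacks four encodings, which is the kind of thing a single-pass check misses.

```python
import base64
import html
import re
import urllib.parse

# Encoded layers this normalizer peels off before the rules run.
UTF7_RE = re.compile(r'\+[A-Za-z0-9+/]+-?')
DATA_URI_B64_RE = re.compile(r'data:[^,;]*;base64,([A-Za-z0-9+/=]+)', re.IGNORECASE)

# Deliberately small rule set (not PHPIDS rules); it only needs to show why decoding first matters.
RULES = [
    (re.compile(r'<\s*script', re.IGNORECASE), 'script tag'),
    (re.compile(r'javascript\s*:', re.IGNORECASE), 'javascript: URI'),
    (re.compile(r'\bon(?:error|load|click|mouseover)\s*=', re.IGNORECASE), 'event handler'),
]


def decode_utf7_segments(s):
    """Decode +...- shift sequences; leave segments that are not valid UTF-7 alone."""
    def repl(m):
        try:
            return m.group(0).encode('ascii').decode('utf-7')
        except UnicodeDecodeError:  # e.g. '+world-' in ordinary text: keep as is
            return m.group(0)
    return UTF7_RE.sub(repl, s)


def decode_data_uri_b64(s):
    """Replace a base64 data URI with its decoded payload (bytes rendered as UTF-8, lossy)."""
    def repl(m):
        try:
            return base64.b64decode(m.group(1), validate=True).decode('utf-8', 'replace')
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            return m.group(0)
    return DATA_URI_B64_RE.sub(repl, s)


def normalize(s, max_rounds=5):
    """Apply the decoders until the string stops changing, so stacked encodings unwind."""
    for _ in range(max_rounds):
        before = s
        s = urllib.parse.unquote(s)      # %3D -> =   (unquote keeps '+', unlike unquote_plus)
        s = html.unescape(s)             # &#100; -> d
        s = decode_data_uri_b64(s)       # data:...;base64,<payload> -> payload
        s = decode_utf7_segments(s)      # +ADw- -> <
        if s == before:
            break
    return s


def inspect(raw):
    """Normalize, then match; returns the decoded form and the names of the rules that fired."""
    decoded = normalize(raw)
    hits = [name for rx, name in RULES if rx.search(decoded)]
    return {'raw': raw, 'decoded': decoded, 'hits': hits}


# Constructed sample vectors (not from the PHPIDS test suite).
PLAIN = '<script>alert(1)</script>'
UTF7 = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-'
B64 = base64.b64encode(PLAIN.encode()).decode()
SAMPLES = {
    'plain': PLAIN,
    'utf7': UTF7,
    'data_uri_b64': 'data:text/html;base64,' + B64,
    # UTF-7 inside base64, inside a data URI whose scheme is entity-encoded and whose
    # payload is URL-encoded: four layers that each defeat a naive "<script" check.
    'mixed': '&#100;ata:text/html;base64,'
             + urllib.parse.quote(base64.b64encode(UTF7.encode()).decode()),
    # Harmless input that still contains a '+...-' run and a (PNG) base64 data URI.
    'benign': 'q=hello+world-foo data:image/png;base64,iVBORw0KGgo=',
}

if __name__ == '__main__':
    for name, raw in SAMPLES.items():
        r = inspect(raw)
        print(f"{name:13} hits={r['hits']}  decoded={r['decoded']!r}")
```

The fixed-point loop is the important design choice: each decoder on its own is trivial, but an attacker chooses the nesting order, so the normalizer has to keep going until nothing changes (with a round cap so a pathological input cannot spin it). The flip side, which is where false alerts come from, is that aggressive decoding can also turn innocent text into something rule-like; the benign sample shows the UTF-7 decoder declining to touch a run that is not a valid shift sequence.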

We’d also like to thank the community from our forum for helping optimize the system and adding improvements here and there. Be sure to grab the latest packages here; again there are no API changes, so patching will work without problems.

PHPIDS white-paper published

Sunday, February 17th, 2008

Today we finished the PHPIDS white-paper, written in response to the CFP for the OWASP Europe Conference 2008 in Belgium.

The paper includes general project information, installation tips and detailed insight into the attack detection workflow. It also explains the PHPIDS Centrifuge, gives some best practices on how to work with the impact value, and discusses server performance issues.

Comments on the document are highly appreciated, so feel free to contact us if questions pop up. We hope this paper sheds some light on the black majick of the attack detection mechanisms that set PHPIDS apart from comparable monitoring solutions.

You can find the paper here.

Edit 2008-04-30:

Here’s the most recent version; great thanks to David Lindsay for helping out with proofreading and wording.