PHPIDS 0.5 has landed
Article written by .mario
After several weeks without a release, with only minor rule upgrades and converter patches in between, we finally present the most recent version of the PHPIDS. Most of you will have expected 0.4.8, but we are releasing 0.5 today. Why is that?
The explanation is simple: we have added a feature that has been requested very often and that closes a huge gap in the protection layer the PHPIDS provides: user input in which valid HTML is allowed, even wanted, as with WYSIWYG editors and other rich-text forms. Until now the PHPIDS was not able to deal with this kind of input. Too many false alerts were generated, so our general recommendation was to add form fields that may contain HTML to the exclusions, which left exactly those fields unmonitored. Not good.
Those times are over: the PHPIDS 0.5 runs such fields through HTML Purifier, compares the original user input with the purified version, and hands only the difference between the two to the rules and the Centrifuge. The allowed markup therefore no longer triggers alerts, while anything the purifier rejected still gets analyzed. You can of course choose freely which fields are monitored the traditional way and which are allowed to contain valid HTML; have a look at the packaged Config.ini to see how it works.
…
scan_keys = false
; define which fields contain html and need preparation before
; hitting the PHPIDS rules (new in PHPIDS 0.5)
html[] = __wysiwyg
; define which fields shouldn't be monitored
exceptions[] = __utmz
…
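To make the purify-then-diff mechanism concrete, here is an added example in Python. It is not PHPIDS code and does not use HTML Purifier: a small whitelist sanitiser stands in for the purifier, a handful of regex rules stand in for the PHPIDS rule set, and a field listed under html[] is purified first so that only the residue (what the sanitiser rejected) is scanned. The whitelist, the rule weights and the sample inputs are assumptions constructed for this example.

```python
"""Added illustration (not PHPIDS code): purify a rich-text field first, then run the
attack rules only over what the purifier rejected.

The whitelist sanitiser below stands in for HTML Purifier and the RULES list for the
PHPIDS rule set; both are simplified assumptions made for this example.
"""
import html
import re
from html.parser import HTMLParser

# Assumed policy for the rich-text field.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

# Toy rules. The first one is deliberately coarse (any tag carrying an attribute):
# applied to raw WYSIWYG input it fires on perfectly benign links, which is the
# false-alert problem the purifier-diff approach is meant to solve.
RULES = [
    (re.compile(r"<\w+[^>]*=", re.I), "tag with attribute", 2),
    (re.compile(r"\bon\w+\s*=", re.I), "event handler attribute", 4),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI", 5),
    (re.compile(r"<\s*/?\s*(script|iframe|object|embed)\b", re.I), "active content tag", 5),
]


class WhitelistSanitizer(HTMLParser):
    """Keeps whitelisted markup in `clean`; everything it rejects lands in `removed`."""

    def __init__(self):
        super().__init__()        # convert_charrefs=True: entities reach handle_data as text
        self.clean = []
        self.removed = []         # the residue that gets scanned
        self._drop_text = False   # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.removed.append(self.get_starttag_text())
            self._drop_text = tag in self.CDATA_CONTENT_ELEMENTS
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            permitted = name in ALLOWED_ATTRS.get(tag, set())
            if permitted and value.strip().lower().startswith(SAFE_SCHEMES):
                kept.append('%s="%s"' % (name, html.escape(value, quote=True)))
            else:
                self.removed.append('%s="%s"' % (name, value))
        self.clean.append("<%s%s>" % (tag, "".join(" " + a for a in kept)))

    def handle_endtag(self, tag):
        if tag in self.CDATA_CONTENT_ELEMENTS:
            self._drop_text = False
        (self.clean if tag in ALLOWED_TAGS else self.removed).append("</%s>" % tag)

    def handle_data(self, data):
        if self._drop_text:
            self.removed.append(data)
        else:
            self.clean.append(html.escape(data, quote=False))


def scan(text):
    """Run the toy rule set over a string; returns (impact, list of rule names)."""
    hits = [(name, weight) for rx, name, weight in RULES if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def inspect_html_field(value):
    """Handling of a field listed under html[] in Config.ini: purify, then scan the residue."""
    sanitizer = WhitelistSanitizer()
    sanitizer.feed(value)
    sanitizer.close()
    residue = " ".join(sanitizer.removed)
    impact, hits = scan(residue)
    return {"clean": "".join(sanitizer.clean), "residue": residue,
            "impact": impact, "hits": hits}


# Constructed sample inputs for a field such as __wysiwyg.
BENIGN = '<p>Hello <b>world</b>, see <a href="http://example.org/?id=42">this</a>.</p>'
EVENT_HANDLER = "<p>Hi<img src=x onerror=alert(1)></p>"
JS_URI = '<a href="javascript:alert(1)">click</a>'
SCRIPT_TAG = "<p>x</p><script>alert(1)</script>"

if __name__ == "__main__":
    print("raw scan of benign rich text:", scan(BENIGN))   # fires: the old false alert
    for sample in (BENIGN, EVENT_HANDLER, JS_URI, SCRIPT_TAG):
        print(inspect_html_field(sample))
```

Scanning the benign sample directly fires the coarse rule, which is the false alert the old approach produced; scanning only the residue leaves it at impact 0, while the event handler, the javascript: URI and the script element are all still caught because the sanitiser rejected them and they therefore end up in the residue.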
We tested this feature for a pretty long time, but of course not as long as the more mature components like the rules and the Centrifuge. So there might be some false alerts and other minor problems to wipe out in the next releases. Please help us improve the system by reporting problems to us via mail, forum or group.
Other enhancements worth mentioning are optimizations of the Centrifuge, many important fixes to the rules, optimizations of the converter, extended tests for even more reliability and several performance tweaks. Thanks to Hinnerk Altenburg from epublica the rule set is now also compatible with Perl and Python, so there are no barriers anymore to writing ports for other languages.
So don’t hesitate too long and grab the latest packages from the downloads section. We hope you like this release as much as we do, and have fun and success detecting attacks and reacting to them however you see fit. Big thanks go to Gareth Heyes, David Lindsay and several others for their help in testing the PHPIDS and again finding exotic but working rule circumventions. Many thanks also to all the folks from OWASP Europe and ph-neutral for their excellent feedback and great discussions about the PHPIDS.


June 8th, 2008 at 7:17 am
“All other download links to unofficial extensions have been removed due to lack of maintenance by the authors and severe bugs / bad programming. Sorry guys.”
Nooooooooooooooo!!!… :’((((
Will the WordPress plugin be updated?
Thank you PHPIDS team!
June 8th, 2008 at 12:13 pm
I’d love to see that the WPIDS receives an update. But on the other hand it’s not so hard to use the real PHPIDS in combination with WP – if you have trouble achieving that feel free to contact us in the forum.
What I know is that the Typo3 plugin/extension will be updated soon – and then of course find its way back into our download section.
Greetings,
.mario
June 29th, 2008 at 10:07 am
Personal home pages = PHP. The original CGI by Rasmus Lerdorf was originally Perl based. Andi Gutmans and Zeev Suraski rewrote the parser to make PHP 3, and the vulnerabilities that exist in ANY version of PHP prior to V5.2.6 require intense scrutiny and the establishment of strict policies “prior” to any form of web server installation.
http://www.sans.org/top20/#s1 – please take a look at what these web application security defects actually are – you will find that PHP holds the crown for being the most insecure web application framework.
“By default, PHP allows file functions to access resources on the Internet using a feature called “allow_url_fopen”…. ever heard of – Remote code execution – Remote root kit installation and are you aware that on Windows, complete system compromise may be possible through the use of PHP’s SMB file wrappers?
It’s quite an admirable job that you are doing at php-ids.org and I commend you on your valiant efforts. The problem is greater than the single module which you are providing, however, and I feel that you have a responsibility to inform users of PHP as to what, where and why these vulnerabilities exist and how to “work around” them to secure their web application servers.
I’m quite surprised to see that so few comments have been made in relation to the PHPIDS 0.5 milestone, and it frustrates and annoys me that, having been fortunate enough to watch the evolution of OO programming and frameworks since age 11 (I’m now 35), the ‘real’ meaning behind all good intentions is discarded or arrogantly overlooked by over-confident people who simply fail to do their homework and understand the background or basis of what they are talking about.
Knowledge, if said to be power, requires understanding, and hence a decent explanation should be required. Stating the obvious only complicates the matter and fails to enlighten any student.
July 2nd, 2008 at 3:24 pm
Hey mrhassell,
Thanks for your comment. I agree with you on most points – yes, PHP is shipped with settings that make any security-minded developer or consultant just shiver. But what I don’t get yet is what you would suggest as an approach for solving the ‘knowledge and understanding’ problem. I’ve been doing quite a lot of talks and presentations around PHP security and most times the audience was interested but uninformed – even about the easiest-to-grasp issues.
I think that is because of the misconception that IT security is some kind of witchery which takes developers who know their markup and codes years to learn or even basically understand. The bridge between creating and exploiting seems more narrow for most devs – or not even existing – than you would normally expect.
So – all hope seems gone for developers who don’t want to risk a peek outside the box? How could one reach people who are not interested but should be? How to make the whole thing sexy?
Greetings,
.mario
July 10th, 2008 at 1:50 am
[...] it was written quite some time ago and published just now, so it doesn’t cover all the cool new features that are available since PHPIDS version >= 0.5. That means, you won’t find anything on allowed HTML code in user input, which PHPIDS is [...]