PHPIDS » Web Application Security 2.0

It’s been quite a while since we released the 0.6.3 – and a lot of things happened during the past months. The PHPIDS has experienced several small but very important changes – including the obligatory detection or more attack patterns thanks to the incredible submissions by LeverOne and Gareth Heyes as well as and major performance optimizations. Especially the “Harmless HTML allowed” mode has been overhauled and optimized – less looping, better detection rates and way faster scanning.

PHPIDS 0.6.4 includes the most recent version of the legendary HTMLPurifier – a recent cooperation allowed us to fix some mutual problems with a fierce parser bug in Internet Explorer 8 causing JavaScript execution via expression(). Also former problems with broken protocol handlers don’t exist anymore. Thanks to Roberto Salgado and Johannes Dahse an lot more SQL Injection vectors are being detected now – with fewer false positives. Additionally PHPIDS is now running on PHP 5.3 without any problems or broken tests.

The exceptions list in the Config.ini now allows using regular expressions for more granular matchings – but also supports the old and proven string method. So you don’t have to change your config file if you don’t want to.

Great news for CakePHP users – the guys from Websec Information Services created the CakePHPIDS plug-in running on CakePHP 1.3. You can have a look at the plug-in and an excellent how-to article right over here. Similar good news exist for osCommerce developers – thanks to celextel there’s an official plug-in too now which you can check out here.

So we hope the changes made the long waiting time worthwhile and you enjoy the new release version. Grab your copy on our downloads page as usual.

Time to announce a new release of the PHPIDS. Upgrading is highly recommended since this release features several security fixes against not yet published but working attack patterns. Don’t miss the PHP specific talks at this years POC in Korea in early November to learn more about. Furthermore several bugs with the JSON mode were fixed thanks to the reports and feedback of our forum users.

Also we improved the rules against new and quite exotic intrusion attempts and managed to fix a lot of false alerts too. So all in all PHPIDS 0.6.3.1 is a highly recommended stability and security release. The converter is now even better with obfuscated SQL injection attempts and we added more possibilities to customize the logger usage.

We appreciate your feedback as usual – and hope you have fun with this release. Thanks to all our forum users reporting bugs and requesting improvements – as well as to our testers and constant contributors. Now go ahead already and grab your copy from the download area.

Update:

We repackaged 0.6.3.1 to fix a packaging issue and removed 0.6.3 from distribution. Sorry for the inconvenience.

Today PHPIDS 0.6.2 was born so we’re pleasured to announce this important release to the public. PHPIDS 0.6.2 can be considered as a bug-fix release – taking care of several minor and major problems. Among other issues we fixed a bug with the key scanning feature and extended the rules to detect more attack patterns. Thanks to Philip Clarke for helping enhance the rules detecting library based XSS.

Also we managed to harden the PHPIDS against targeted regular expression DoS attacks – while at the same time reducing the memory footprint and making the whole system a wee bit faster – and less detectable from outside. All those who wish to know more about those so called ReDoS attacks might want to have a look at the excellent talk slides over here.

Thanks to all users having contributed so far – make sure to grab your fresh copy in the download area while it’s hot.

Pascal Naujoks just dropped us a line today about the PHPIDS for TYPO3. Here’s what he wrote:

Now the PHP Intrusion Detection System is also available for the enterprise Content Management System TYPO3. PHPIDS for TYPO3 comes as a regular extension for Typo3 which makes it easy to install and configure. The main features, beside the regular features of PHPIDS, are:

• Preconfigured PHPIDS for a one-click-installation – it runs out of the box!
• A backend module which shows all the attacks listed comfortable in a table
• Easy configuration with the constant editor of your TYPO3 installation

So the only thing you have to do is update your converter and filter as usual to knock the bad guys out of your Typo3 website!

You can grab your copy of this extension in the TYPO3.org extension repository: https://typo3.org/extensions/repository/view/px_phpids/current/

Thanks for the great work go to Pascal and his team. Have fun with the extension!

We are happy to announce the latest official release of the PHPIDS. This time we added tons of bug-fixes for issues reported by our users such as better compatibility with PHP 5.2.0 for the Debian Etch crowd, optimized caching features, a lot of tidying and of course fixes against latest filter rule circumventions. Credits and thanks go out to gwinger, thornmaker, Eduardo Vela, Gareth Heyes and Roberto Salgado. Of course also many thanks to all other users submitting bugs and improvements during the last weeks.

We also added the latest HTMLPurifier release and made the PHPIDS compatible with the new HTMLPurifier 4 branch. So if you see some E_USER_NOTICEs thrown after upgrading this might be due to the new config syntax used in the HTMLPurifier. Be sure to check this document to learn how to fix the issue.

Some might have noticed we were mentioned in one hell of a talk during Black Hat 2009. Be sure to have a look at the slides – if you are interested in latest XSS research this is definitely for you! Also there was a presentation held in London during an OWASP chapter by Gareth Heyes and me you might want to have a look at. It’s quite PHPIDS related and also filled with a lot of hopefully interesting XSS related material.

We hope you have fun with the new release – you can find it in the downloads section (like you wouldn’t know ). Contributions and feedback are welcome as usual.

Update:

We’ve made a mistake when packaging our release and played russian doll with our tarballs (stuck one tarball into another). For safety reasons (never change a released tarball!) we just released PHPIDS 0.6.1.1 which fixes this issue and removed 0.6.1 from distribution.

The banner below says most that has to be said. Parts of the PHPIDS team and some of it’s best challengers and supporters will be at the BruCon 2009 late middle of September in Bruxelles.

The schedule can be found here – changes and other news might be announced here.

Be sure to have a look at the training sessions too:

• Crash course in Penetration Testing
• Web 2.0 Hacking – Attacks and Defense
• Social Engineering testing for IT Security professionals

Make sure you bring a decent amount of thirst – the name indicated the focus for the art of brewery and later consumption of the resulting beverage. Some rumor about a beer room, brewery visits and probably beer taps placed all over the conference area.

It’s been a while since we released the latest version of the PHPIDS. We had tons of microscopic changes in the rules and the Converter during the last weeks and months so we decided to wait a little bit to have a diff large enough legitimizing the jump from 0.5.4 to 0.6.

A lot of new formats are being not supported for de-obfuscation – including way better entity handling, more MSSQL obfuscation techniques, JavaScript backslash line breaks and a lot of other nasty things. We also optimized and fine tunes the Centrifuge to provide better results in generic attack detection.

We optimized the rules against a ton of new SQL Injection attack patterns – mostly submitted by Reiners and Roberto Salgado. Although Gareth Heyes and David Lindsay found new and very interesting ways of executing JavaScript and at the same time bypassing the PHPIDS rules – here’s some of these vectors:

this[('eva')+this.status +'l'](/xx.x.x/+name)

1' and 0x0 != mid(user(),1,1) or null/ 'null

<isindex/type=image
xyz=<iframe/src=javascript&#x3a&#x61lert&#x28&#x31&#x29>
onerror=undefined,/\//,outerHTML=xyz src=1>

Furthermore we had a lot of minor changes making sure fewer false positives are being produced. A lot of small bugs were fixed – thanks to our forum users reports and several tickets. Also Christian wrote a great article for the German print magazine c’t about the PHPIDS. A slightly abridges version can be found here.

You can grab the latest copy in the downloads section as usual. Have fun with the PHPIDS 0.6 and feel free to give us feedback and tel us what you think. And last but not least.. thanks a lot to all who helped with this and former releases!

Arshan Dabirsiaghi is a guy who is almost always wrong. Almost. Today he was right the first time for a pretty long time. He was right when stating that I (.mario – not christ1an or Lars) would hate him for dragging me into this 7 things meme thing. Anyway – here’s what’s asked for

We all know the rules for this game – add a back-link for the one who forced you into doing this, state seven more or less personal things about oneself and what’s making this meme so ultimately dangerous: lure seven other people into it. So – let’s just start to get this over with.

• I collected stamps as child. And coins. And phone-cards. Seriously. I started when being about five years old and quit like three or four years later. I have no comparable hobbies today.
• I consider Apocalypse Now! the best movie I have ever seen – and I saw it more than five times. Directly followed by Fight Club – both masterpieces about human behavior in several interesting situations, the past, the future and things that will never change no matter how hard we try.
• The basic idea for the PHPIDS approached when being on a conference and trying to hack a dating site – which surprisingly detected my dirty attempts and warned me. I was that impressed that I wanted to have such a feature for my own sites – the PHPIDS was born.
• I love Aqua Teen Hunger Force. I know – it’s damn 2002 and pretty childish – but the Freudian styled characters – especially Meatwad – get me any time I watch it again. I also dig the other stuff from Williams Street. They really pushed the limit and made me enjoy TV again – at least the American broadcastings.
• I still have nightmares then and when taking me back to the time at the university. Mostly I am happy in these dreams that all the work has been done – and then suddenly I realize that I missed one important exam. Usually I am pretty glad when waking up and slowly fade back to reality. I should visit someone for professional help. Maybe Arshan.
• I love the Big King XXL. That burger-monster from… you know it. I feel guilty while eating it. I feel bad after eating it. I have nightmares the night after (mostly about missed exams… Arshan!) – but I nevertheless like it and eat once or twice a month. Irritating? Yes.
• Right know I am damn happy about the most important decision I made last year. Quitting my job. Finally being able again to create things that either make sense – and not only circumvent existing structures and living patterns for their own sake feels great – and shows me what I missed and learned at the same time.

What – that’s it. Now for the hardest part of this 7 thing task. Bringing misery over seven other people. Here they are:

• fukami – because all the other stuff on your blog is plain boring
• Reiners – if I were a database I would just run when seeing you around. Just run.
• christ1an – I am just curious what you will write.
• kuza55 – the youngest troll I know.
• Click.. – erm – RSnake – for the whole RSnaking.. erm Clickjacking buzz.
• teemow – for being an old man in very tight and short jeans.
• Tim – for making you blog about something else than food recipes.

We thought about adding a Christmas reference to the headline – something like the “Rupert Release” or even worse but thankfully we stopped our selves just in time. So – without further jibber-jabber – here it is – PHPIDS 0.5.4. This is the last minor release before 0.6. The release features a bug fix against a buffer overflow problem with mb_string functions Gareth Heyes informed us about just this morning. Also the HTMLPurifier has been upgraded to its most current release version.

Furthermore we had a ton of smaller bug fixes and performance improvements. David Lindsay and Gareth Heyes also found some more really esoteric circumventions of the XSS detection – that we fixed of course. Some bugs in the logging and caching system have been wiped out – thanks to the help of our forum users and Hinnerk Altenburg from epublica who detected several smaller performance bottlenecks. So you will benefit from better performance, robustness, more logging options, finally working database caching and a lot more details.

We wish you a lot of fun with new release – which you can find in the download area as usual – and hope for your feedback. Also don’t hesitate to send in feature requests for the coming 0.6. We also wish you a great new year to come and happy holidays!

Not much more to say. German readers – feel free to grab a copy to make yourself happy and us incredibly rich

About 620 pages of content pennied by parts of the PHPIDS team and other experts from the web security sector combining more than one year of hard work, sweat, soul and tears. Click the image link to learn more.

Since we have some more free time now you can expect a new relase of the PHPIDS during the next days too. We are getting closer and closer to 0.6 so stay tuned for more news.