Hi Team,
Is PHPIDS compatible with PHP 7.2? has there been any compatibility testing conducted against PHP 7.2?

Hello guys.
Can you create one wiki of your project.
How install this in my site?
I dont understand.

Seems that the latest release is 2 years ago ( https://github.com/PHPIDS/PHPIDS/releases ) .. but meanwhile changes have been made. Could there be a new release ?

Also composer shows only the dev-master release. When github has a lot more releases ...
For my project i have a minimum stability of stable, so i have problems installing this package

composer.json could require ezyang/htmlpurifier v4.5.0 instead of dev-master too

• Remove all include statements
• Depend on a lightweight autoloader
• Or: provide a simple autoloader function

https://www.ohloh.net/p/phpids

While PHPIDS should still work as easy as possible out of the box it should as well integrate easily with third-party frameworks and existing software already providing infrastructure services like caching, reading configuration files and so on. Current PHPIDS tries to do all of that.

• Get rid of IDS_Init
• Get mostly rid of IDS_Config_*, only support a PHP config file and support a bridges for framework integration
• Get mostly rid of IDS_Cache_* and only support a simple file based caching layer. Provide bridges to other caching solutions
• Get rid of IDS_Log_* and support bridges to existing loggers
• Expose middleware for wider spread frameworks

Is there any way to map MonitorTest.php payloads to specific filters? I want to try and test out each individual filter with live payload tests but I am unsure which test payloads would match which filter.

ids 36, 61, 66 are missing here
https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/default_filter.xml

Long time ago I already describe my problem on PHPIDS forum:
http://forum.itratos.de/showthread.php?38103-Bug-in-RegExp
but unfortunately forum is inactive.

Below rule matches any word which start with top|this|window|content|self|frames|_content.
Example:
http://www.example.com/?location=path%3Dtopic
In my view behavior like this is wrong and not acceptable.

<filter>
<id>22</id>
<rule>
<![CDATA[
(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*[gimx]*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)
]]>
</rule>
<description>
Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces
</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
<tag>id</tag>
<tag>rfe</tag>
</tags>
<impact>5</impact>
</filter>

Rule 45 can't be parsed - I spent a bit of time on the expression, but can't nail down the problem.

<filter>
    <id>45</id>
    <rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,"-]+from)|(?:find_in_set\s*\()]]></rule>
    <description>Detects basic SQL authentication bypass attempts 2/3</description>
    <tags>
        <tag>sqli</tag>
        <tag>id</tag>
        <tag>lfi</tag>
    </tags>
    <impact>7</impact>
</filter>

Both files have the same SHA1 hash by the links on the PHPIDS website https://phpids.org/hash.php?f=default_filter.xml and the link for Converter both list the same SHA1 hash which is different than both of the files if downloaded. This may be to the fact of the github switch for repositories too. The incorrect hash causes the autoupdate script to fail in the examples included with PHPIDS.

On cPanel servers, there is a huge false positive with filter Number 16

<filter>
    <id>16</id>
    <rule><![CDATA[([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@])(\s*return\s*)?(?:alert|inputbox|showmod(?:al|eless)dialog|showhelp|infinity|isnan|isnull|iterator|msgbox|executeglobal|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+\-]))]]></rule>
    <description>Detects possible includes and typical script methods</description>
    <tags>
        <tag>xss</tag>
        <tag>csrf</tag>
        <tag>id</tag>
        <tag>rfe</tag>
    </tags>
    <impact>5</impact>
</filter>

its filling the log with

Log line: /whm-server-status?auto
Matching Regexp:([^_\s\w,.\/?+-]\s_)?(?<![a-mo-z]\s)(?<![a-z/@])(\s_return\s)?(?:alert|inputbox|showmod(?:al|eless)dialog|showhelp|infinity|isnan|isnull|iterator|msgbox|executeglobal|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%"]|(?:\s*[^@\s\w%",.:\/+-]))
Reason: Detects possible includes and typical script methods

And there is another bug with filter number 23

<filter>
    <id>23</id>
    <rule><![CDATA[(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)]]></rule>
    <description>Detects JavaScript location/document property access and window access obfuscation</description>
    <tags>
        <tag>xss</tag>
        <tag>csrf</tag>
    </tags>
    <impact>5</impact>
</filter>

Log line: /actions.php?mode=find&id=3081&ip=[IP.Address.Here]
Matching Regexp:(?:.\s_\w+\W_=)|(?:\W\s_(?:location|document)\s_\W[^({[;]+[({[;])|(?:(\w+?[:\w]+))|(?:\w{2,}\s_=\s_\d+[^&\w]\w+)|(?:]\s_(\s_\w+)
Reason: Detects possible includes and typical script methods

Is there anyway to reduce this effect or i should just disable the those 2 filters?

PS: sorry for my bad English skills

The middle-part of this filter will never ever match to anything

(?:^[\w\s"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=||)(?<=&&)\w+()

the string would have to match for and, or, xor, nand, not, || and && at the same time, if i',m not wrong

http://phpids.org/docs/ > all the Files such as Composite.php -> Access denied.

HI

I just found this great library! Thanks! It's what I was looking for last days.
However, I can't find docs on how to implment on my site.

Can someone let me know if exist some complete tutorial?

Thanks!!

It would be nice to support auto updating rules. Two general modes should be supported:

• Cron job that is triggered asynchronously
• Update during request

Considerations:

• Only fetch ruleset via SSL and do proper certificate validation
• How to make sure the update endpoint is highly available?
• How to make sure to not block requests via updated?

Hi.

I am getting this error:

Catchable fatal error: Argument 1 passed to IDS\Monitor::__construct() must be an instance of IDS\Init, array given

If not, what are the alternatives? Are you looking for contributors?

.. could you add it? Right now one has no idea which commit marks the public 0.7 release.

https://demo.phpids.org/

Code:
https://svn.itratos.de/svn/php-ids/ or https://github.com/PHPIDS/PHPIDS

Issues/bugs/tasks/wishes:
https://dev.itratos.de/projects/php-ids/ or https://github.com/PHPIDS/PHPIDS/issues?state=open

M ;-)

parameter=1%20OR%201=1 can be caught

but not this (just added minus before number):
parameter=-1%20OR%201=1

I'm using the snippet/module for modx from Stefanie Stölting.
At the moment there are attacks comming from different IP-addresses

202.46.50.101
202.46.61.106
202.46.63.65

I would like to make only one entry to block every attack coming from 202.46..

Is there a regular expression?

I'm not familiar with regex....

Thank you for your help.

Sepppl

Hey guys!

I have such value: 104500034.1390883398.1.1.utmcsr=samgtu.ru|utmccn=(referral)|utmcmd=referral|utmcct=\/

which false positive detected with rule 23 (Detects JavaScript location/document property access and window access obfuscation).

Any ideas how to resolve this? This value came from web-set cookie I prefer to check too. Can cookies contain such type of attack?

Thanks!

after parsing typical charcodes we arrive at 'if (preg_match_all('/(?:(?:[]+\d+[ \t]*){8,})/ims', $value, $matches)) {' (https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/Converter.php#L171)

This regex is likely broken as it will detect
\ literally
] literally

• literally
  \d match a digit [0-9]
  +[ literally
  \t

This is due to a triple slash.

Additionally, this doesn't seem to reflect how octal chars are provided to fromCharCode()

Hi!

So to get a better ranking here: https://www.ohloh.net/tags/ids

We should use: https://www.ohloh.net/p/phpids/widgets

This is why it's important:
http://info.tiki.org/article168-Support-Tiki-and-your-favorite-Free-Open-Source-projects-on-Ohloh-net

Best regards,

M ;-)

Adhere to PSR-1 (https://github.com/pmjones/fig-standards/blob/psr-1-style-guide/proposed/PSR-1-basic.md) and PSR-2 (https://github.com/pmjones/fig-standards/blob/psr-1-style-guide/proposed/PSR-2-advanced.md) coding standards.

I'm a newer to PHPIDS. I have downloaded the source codes. However, I wonder how to use the PHPIDS. I can not find the docs related to installation and usage under the directory. PLS give me some help. Thanks

See source of http://phpids.org/ <meta name="description" content="Welcome to php-ids.org

Hi. I have an intranet where users can edit chunks of markdown formatted text and save it back in the database. On submitting the edit form, Filter 15 (Detects JavaScript DOM/miscellaneous properties and methods) can take up to 2 seconds to run, and it appears to run twice. Is there a way to simplify the regex so it tuns faster?

PS Thanks for a great tool! Really appreciate the work you have put in!

Hi,

I think its better to implement PSR 7 ServerRequestInterface in PHPIDS, so it can be implemented as middleware

Looks like the documentation is not up to dated. The code snippet on https://phpids.org/faq/ is wrong as the new code uses namespace

  require_once 'IDS/Init.php';
  $request = array(
      'REQUEST' => $_REQUEST,
      'GET' => $_GET,
      'POST' => $_POST,
      'COOKIE' => $_COOKIE
  );
  $init = IDS_Init::init('IDS/Config/Config.ini');
  $ids = new IDS_Monitor($request, $init);
  $result = $ids->run();

  if (!$result->isEmpty()) {
   // Take a look at the result object
   echo $result;
  }

It should be:

  require_once 'IDS/Init.php';
  $request = array(
      'REQUEST' => $_REQUEST,
      'GET' => $_GET,
      'POST' => $_POST,
      'COOKIE' => $_COOKIE
  );
  $init = \IDS\Init::init('IDS/Config/Config.ini');
  $ids = new \IDS\Monitor($request, $init);
  $result = $ids->run();

  if (!$result->isEmpty()) {
   // Take a look at the result object
   echo $result;
  }

We have a form where visitors can simply enter week numbers in a single text input.
IDS/Converter converts the string 28,29,30,31,32,33,34,35 to 28,29,30,31,32,33,34,35 ���� !"# $[!!!] (bin2hex is 32382c32392c33302c33312c33322c33332c33342c33350a1c1d1e1f20212223).
The last line is added by runCentrifuge The middle one is added by convertFromJSCharcode (perhaps one character is added by another method, could have been a fluke).

convertFromJSCharcode is checking exactly for comma separated char codes.

The problem is of course that 22,23,24, etc, when long enough, is perfectly valid form data.
I guess this simply can't be fixed. Because it is also potential bad data.

I am trying to install PHPIDS in Yii2 Basic, but the problem is that yii2 requiere htmlpurifier 4.6.* and PHPIDS require htmlpurifier dev-master.

How can I fix this problem ???

Use Travis CI (https://travis-ci.org/) for continuous integration.

The demo.phpids.org smoketest doesn't seem to be working.

https://demo.phpids.org/?test=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

It doesn't generate any alerts/events.

Is this demo not functioning correctly?

is

$init = Init::init('path/to/Config.ini');
$ids = new Monitor($request, $init);
$result = $ids->run();

should be

$init = Init::init('path/to/Config.ini');
$ids = new Monitor($init);
$result = $ids->run($request);

It's unable to write to the default_filter.cache which for some reason changes user:group to root:root sometimes after I copy over files from my local editor (in Mac) to the external Linux box through FTP (which also changes those files' user:group to root:root even though I set the docroot's files recursively to user lighttpd).

The source code is below (version 0.5.6) and of course the path to it is in the page error below that; I don't know why this is happening or how to prevent any of the files being changed to root user:

        if (file_exists($this->path) && !is_writable($this->path)) {
            throw new Exception('Make sure all files in ' . 
            htmlspecialchars($this->path, ENT_QUOTES, 'UTF-8') . 
                'are writeable!');
        }

We apologize, but an error occurred while processing your booking. Please try your search again. If the problem continues to occur, please contact us.

Date/Time
2018-07-10 04:56:09 PM
URL
/
Script
/index.html
Server
192.168.xx.xx
IP Address
192.168.x.xxx
Browser
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Exception
exception 'Exception' with message 'Make sure all files in /var/www/html/xxx/libraries/phpids/lib/IDS/tmp/default_filter.cacheare writeable!' in /var/www/html/xxx/libraries/phpids/lib/IDS/Caching/File.php:99
Stack trace:
#0 /var/www/html/xxx/libraries/phpids/lib/IDS/Caching/File.php(116): IDS_Caching_File->__construct('storage', Object(IDS_Init))
#1 [internal function]: IDS_Caching_File::getInstance('storage', Object(IDS_Init))
#2 /var/www/html/xxx/libraries/phpids/lib/IDS/Caching/Factory.php(80): call_user_func(Array, 'storage', Object(IDS_Init))
#3 /var/www/html/xxx/libraries/phpids/lib/IDS/Filter/Storage.php(106): IDS_Caching::factory(Object(IDS_Init), 'storage')
#4 /var/www/html/xxx/libraries/phpids/lib/IDS/Monitor.php(189): IDS_Filter_Storage->__construct(Object(IDS_Init))
#5 /var/www/html/xxx/libraries/ids.php(33): IDS_Monitor->__construct(Array, Object(IDS_Init))
#6 /var/www/html/xxx/index.html(30): include_once('/var/www/html/e...')
#7 {main}

Seen on phpids.org:

Fresh files

Download freshest rules and converter:

default_filter.xml
updated 1 second ago ATOM SHA1

Converter.php
updated 1 second ago ATOM SHA1

excuse
i'm curious that how to define the impact level (rating)
example:
format string
4
why this attack impact is 4 ?
is based on what standard to define this attack impact is 4 ?
thanks

Hello!
Please, help me!

I'm try use in config.ini:
exceptions[] = /POST.visual_PROPx82_x_([0-9]*)$/

But i have error:
Fatal error: Uncaught exception 'Exception' with message 'Please make sure the folder is writable' in /home/a/artema9p/phpids2/lib/IDS/Monitor.php:217 Stack trace: #0 /home/a/artema9p/phpids2/phpids.php(89): IDS_Monitor->__construct(Array, Object(IDS_Init)) #1 {main} thrown in /home/a/artema9p/phpids2/lib/IDS/Monitor.php on line 217

It's normal?

Current unit tests are broken. Going to fix them before refactoring existing code:

[jay] /var/www/git/PHPIDS] (master)>  phpunit -c phpunit.xml.dist 
PHPIDS TestSuite configuration:

Filter type:            xml
Filter set:             /var/www/git/PHPIDS/lib/IDS/default_filter.xml
Temporary directory:    /tmp/IDS_1360097980.7309
Configuration:          /var/www/git/PHPIDS/lib/IDS/Config/Config.ini.php

PHPUnit 3.6.10 by Sebastian Bergmann.

Configuration read from /var/www/git/PHPIDS/phpunit.xml.dist

..EE............................................................. 65 / 99 ( 65%)
..................................

Time: 01:04, Memory: 20.00Mb

There were 2 errors:

1) IDS\Tests\CachingTest::testCachingFileSetCache
Exception: Temp directory tmp/default_filter.cache seems not writable

/var/www/git/PHPIDS/lib/IDS/Caching/FileCache.php:134
/var/www/git/PHPIDS/tests/IDS/Tests/CachingTest.php:53

2) IDS\Tests\CachingTest::testCachingFileGetCache
Exception: Temp directory tmp/default_filter.cache seems not writable

/var/www/git/PHPIDS/lib/IDS/Caching/FileCache.php:134
/var/www/git/PHPIDS/tests/IDS/Tests/CachingTest.php:63

FAILURES!
Tests: 99, Assertions: 2259, Errors: 2.

Generating code coverage report, this may take a moment.

Something like this:
http://forum.itratos.de/showthread.php?37550-PHPIDS-now-part-of-Tiki-Wiki-CMS-Groupware-(tiki.org)

Another example:
https://phpids.org/2009/09/02/phpids-for-typo3/

The PHP error Only variables should be passed by reference is generated by IDS\Caching\DatabaseCache on line 267 because of attempt to bind the return value of a function with bindParam() instead of bindValue().

It is possible to circumvent the IDS filter using the following vectors:

<p onmouseover=-a() ></p>
<p onmouseover=(a()) ></p>
<p onmouseover=;a() ></p>
<p onmouseover=!a() ></p>

Other types of events can also be use used for the attack (e.g. "onClick").

The vulnerability is allowed because the filter requires an alphanumeric character (and the symbols "_" "$") after an event followed by the "=" symbol in order to flag the input as an attack and increase the impact. By adding a symbol that does not break the JavaScript syntax (such as the "-" or the parenthesis "()" ) just after the "=" character permits an adversary to bypass this pattern check. Rules 71, 27, 2 and 65 are related to this insufficient pattern match. It is recommended to extend these regular expressions in order to also include the symbols in the accepted pattern.

Manage dependencies via Composer (http://getcomposer.org). Include HTMLPurifier (http://htmlpurifier.org/) via Composer only. Provide a simple tutorial on how to use PHPIDS without composer still.

• Convert code base to PHP 5.3 namespaces
• Provide a compatibility layer? (by extending the classes?)