Thanks to our community we have been able to fix a lot of rule bypasses and new attack patterns. Outstanding submissions were coming in from Hafif, who repeatedly managed to smuggle JavaScript executing HTML past our filters and fool our detection rules. Here’s one of his latest vectors – just to show on what level he is operating.

+a
>>showModelessDialog(a(0).a+a(0).nodeName+a(0).b+a(0)
.c+a(0).nodeName.toLowerCase()+a(0).d+a(0).e);
'1';"1"="1";a="1\"\n1<

Similarly outstanding was the help we got from Mike Brooks of Sitewatch some weeks ago. He submitted a full stack paper containing several major and minor PHPIDS bypasses and even delivered fix instructions and sources for us to adapt. He managed to find a critical bypass possibility in our regular expression Denial of Service (ReDoS) checker, which we optimized and fixed for 0.7. His submissions should soon be reflected in CVE entries, so stay tuned for more information – thanks a lot, Mike!

PHPIDS meanwhile ships the latest version of the HTMLPurifier, we fixed ons of false alerts reported by our fellow forum users – thanks mrblur, brosulo and many others -  and got around a UTF-7 conversion glitch reported by Ryan Barnett. The email logger had some minor problems as well – reported by ampt some weeks ago and fixed in this release.

Johannes Dahse, Roberto Salgado and other SQL Injection wizards found new SQL Injection filter bypasses – necessary for triumph the ModSecurity SQL Injection challenge. Thanks to their help we managed to refine our rules and make the PHPIDS more reliable when coming to heavily obfuscated SQL Injection vectors. Check out the blog post about the challenge to get more information about the vectors they used. Roberto additionally scored impressively with vectors like this:
1'and #
#aa
0 union#
#bb
select (select `user` from#
#cc
mysql.user limit 1)'


A lot of things have been happening in the community as well. There’s an upcoming eZ Publish PHPIDS extension created by Simon Wippich – which you can find here. Also make sure to take a look at the well maintained ZIDS project by Christian Koncilia – a PHPIDS port for the Zend Framework. At last but certainly not least, there’s the MyPHPIPS – an interesting port from Malaysia we got wind of right this morning – and interesting approach of turning the PHPIDS into a working IPS.

We hope we didn’t forget anything in this release post – feel free to drop us a line in case we did indeed. So – without further ado: go to the download area and grab yerself a fresh copy of the PHPIDS. Have fun with this release, cheers to all our contributors and have a nice weekend!

The old Trac is gone too – and has been replaced by a shiny new Redmine. Also the forum can be used again and the demo should be back to working great too.

We apologize for the downtime and the multitude of broken links. Some minor website features might still be a bit buggy such as the SSL cert which didn’t arrive yet. if you spot an issue please let us know! Thanks for all the encouraging mails and help. There a lot of stuff about to happen here in the near future, so stay tuned! Oh – and a new release is quite close to happening too!

The actual big news is that a lot more external implementations are available – the PHPIDS community has created a lot of awesome over the past few months Let’s show off a small list of what is available right now.

• ZIDS – a PHPIDS module for Zend Framework – an easy to install and use PHPIDS implementation by Christian Koncilia. It ships with a very good manual and clearly is one of the best and most well done PHPIDS ports ever written. If you use the Zend Framework make sure you check out the ZIDS
• PHPIDS goes MediaWiki – it’s a the fresh PHPIDS implementation for MediaWiki implemented and announced by the PHPIDS Forum user DocSnyder. If you run a MediaWiki and want to know what attackers throw at your website you might wanna think about having a look.
• PHPIDS for TYPO3 – Pascal Naujoks has released a new version of the PHPIDS extension for TYPO3 – it’s coming with a brand new white-list feature essential to reduce the amount of false alerts on a classic TYPO3 installation.
• Mute Screamer – PHPIDS Forum user ampt created and released a PHPIDS plug-in for WordPress easing installation and setup. It’s additionally providing a nice view showing the most recent attacks in the admin interface – and is to our knowledge the most well maintained PHPIDS WordPress plug-in.
• Hashes for rules and Converter.php – we provide hashes for the rules and the Converter easing the safe implementation of automatic update tools. PHPIDS Forum user nevstokes has created and published a shell script that does the job for you.

Last but not least the first PHPIPS – note the P instead of the D – solution has surfaced. It is still very young and fresh but has a lot of potential. Make sure to ping he developer if you wish to contribute – we will keep you posted on this project’s progress during the next weeks. So – we hope we didn’t forget to mention anyone – if that’s the case drop us a mail and we will fix it in this article.

Thanks to all contributors – make sure you crab a copy of the PHPIDS 0.6.5 from the downloads page and let us know what you think.

PHPIDS 0.6.4 includes the most recent version of the legendary HTMLPurifier – a recent cooperation allowed us to fix some mutual problems with a fierce parser bug in Internet Explorer 8 causing JavaScript execution via expression(). Also former problems with broken protocol handlers don’t exist anymore. Thanks to Roberto Salgado and Johannes Dahse an lot more SQL Injection vectors are being detected now – with fewer false positives. Additionally PHPIDS is now running on PHP 5.3 without any problems or broken tests.

The exceptions list in the Config.ini now allows using regular expressions for more granular matchings – but also supports the old and proven string method. So you don’t have to change your config file if you don’t want to.

Great news for CakePHP users – the guys from Websec Information Services created the CakePHPIDS plug-in running on CakePHP 1.3. You can have a look at the plug-in and an excellent how-to article right over here. Similar good news exist for osCommerce developers – thanks to celextel there’s an official plug-in too now which you can check out here.

So we hope the changes made the long waiting time worthwhile and you enjoy the new release version. Grab your copy on our downloads page as usual.

Also we improved the rules against new and quite exotic intrusion attempts and managed to fix a lot of false alerts too. So all in all PHPIDS 0.6.3.1 is a highly recommended stability and security release. The converter is now even better with obfuscated SQL injection attempts and we added more possibilities to customize the logger usage.

We appreciate your feedback as usual – and hope you have fun with this release. Thanks to all our forum users reporting bugs and requesting improvements – as well as to our testers and constant contributors. Now go ahead already and grab your copy from the download area.

Update:

We repackaged 0.6.3.1 to fix a packaging issue and removed 0.6.3 from distribution. Sorry for the inconvenience.

Also we managed to harden the PHPIDS against targeted regular expression DoS attacks – while at the same time reducing the memory footprint and making the whole system a wee bit faster – and less detectable from outside. All those who wish to know more about those so called ReDoS attacks might want to have a look at the excellent talk slides over here.

Thanks to all users having contributed so far – make sure to grab your fresh copy in the download area while it’s hot.

Now the PHP Intrusion Detection System is also available for the enterprise Content Management System TYPO3. PHPIDS for TYPO3 comes as a regular extension for Typo3 which makes it easy to install and configure. The main features, beside the regular features of PHPIDS, are:

• Preconfigured PHPIDS for a one-click-installation – it runs out of the box!
• A backend module which shows all the attacks listed comfortable in a table
• Easy configuration with the constant editor of your TYPO3 installation

So the only thing you have to do is update your converter and filter as usual to knock the bad guys out of your Typo3 website!

You can grab your copy of this extension in the TYPO3.org extension repository: https://typo3.org/extensions/repository/view/px_phpids/current/

Thanks for the great work go to Pascal and his team. Have fun with the extension!

We also added the latest HTMLPurifier release and made the PHPIDS compatible with the new HTMLPurifier 4 branch. So if you see some E_USER_NOTICEs thrown after upgrading this might be due to the new config syntax used in the HTMLPurifier. Be sure to check this document to learn how to fix the issue.

Some might have noticed we were mentioned in one hell of a talk during Black Hat 2009. Be sure to have a look at the slides – if you are interested in latest XSS research this is definitely for you! Also there was a presentation held in London during an OWASP chapter by Gareth Heyes and me you might want to have a look at. It’s quite PHPIDS related and also filled with a lot of hopefully interesting XSS related material.

We hope you have fun with the new release – you can find it in the downloads section (like you wouldn’t know ). Contributions and feedback are welcome as usual.

Update:

We’ve made a mistake when packaging our release and played russian doll with our tarballs (stuck one tarball into another). For safety reasons (never change a released tarball!) we just released PHPIDS 0.6.1.1 which fixes this issue and removed 0.6.1 from distribution.

The schedule can be found here – changes and other news might be announced here.

Be sure to have a look at the training sessions too:

• Crash course in Penetration Testing
• Web 2.0 Hacking – Attacks and Defense
• Social Engineering testing for IT Security professionals

Make sure you bring a decent amount of thirst – the name indicated the focus for the art of brewery and later consumption of the resulting beverage. Some rumor about a beer room, brewery visits and probably beer taps placed all over the conference area.

A lot of new formats are being not supported for de-obfuscation – including way better entity handling, more MSSQL obfuscation techniques, JavaScript backslash line breaks and a lot of other nasty things. We also optimized and fine tunes the Centrifuge to provide better results in generic attack detection.

We optimized the rules against a ton of new SQL Injection attack patterns – mostly submitted by Reiners and Roberto Salgado. Although Gareth Heyes and David Lindsay found new and very interesting ways of executing JavaScript and at the same time bypassing the PHPIDS rules – here’s some of these vectors:

this[('eva')+this.status +'l'](/xx.x.x/+name)

1' and 0x0 != mid(user(),1,1) or null/ 'null

<isindex/type=image
xyz=<iframe/src=javascript&#x3a&#x61lert&#x28&#x31&#x29>
onerror=undefined,/\//,outerHTML=xyz src=1>

Furthermore we had a lot of minor changes making sure fewer false positives are being produced. A lot of small bugs were fixed – thanks to our forum users reports and several tickets. Also Christian wrote a great article for the German print magazine c’t about the PHPIDS. A slightly abridges version can be found here.

You can grab the latest copy in the downloads section as usual. Have fun with the PHPIDS 0.6 and feel free to give us feedback and tel us what you think. And last but not least.. thanks a lot to all who helped with this and former releases!