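/***********************************************************************
 * ASTALAVISTA Webapp Intrusion Detection/Response System
 *
 * @copyright ASTALAVISTA SECURE CMS - 2003 Astalavista Group GmbH
 * @author Ivan Schmid <*****@*****.**>
 * @version 1.2 26.03.03
 * @module core
 **********************************************************************/

/***********************************************************************
 * Astalavista Web Intrusion Detection System (common filter)
 *
 * Walks an untrusted request array (GET/POST/COOKIE, ...) recursively and
 * HTML-escapes (htmlspecialchars, ENT_QUOTES) every scalar value that
 * matches one of the heuristic patterns below. Keys whose name contains
 * (case-insensitive) one of the substrings listed in the global
 * $excludeFromIDS are copied through untouched, including nested arrays.
 * Array structure and all keys are preserved.
 *
 * This is a request-level denylist heuristic, not an output encoder:
 * values that pass it still have to be encoded for HTML output and
 * parameterised for SQL by the code that consumes them.
 *
 * @param array $array untrusted request array (GET/POST/SERVER/COOKIES, etc.)
 * @return array the same array with suspicious scalar values HTML-escaped;
 *               an empty array for empty or non-array input
 * @version 1.2 26.03.03
 * @module core
 **********************************************************************/
function securityIDS($array = array())
{
    global $excludeFromIDS;

    // Always return an array: the original left $trustedValue undefined
    // (null) for empty input, which breaks callers doing
    // $_GET = securityIDS($_GET) and then reading $_GET['x'].
    $trustedValue = array();
    if (!is_array($array) || count($array) === 0) {
        return $trustedValue;
    }
    // Tolerate the exclusion list being missing (e.g. filter called before
    // the configuration that defines it has been loaded).
    $excludes = is_array($excludeFromIDS) ? $excludeFromIDS : array();

    // Markup constructs the filter reacts to. The original spelled these as
    // e.g. "script*", where "*" quantified only the final "t" and so also
    // matched "scrip"; the names are matched literally here. eregi() is gone
    // since PHP 7, hence preg_match; POSIX "." spanned newlines, hence /s.
    $xssTagPattern = '/<[^>]*(script|xml|style|form|window|alert|img|document|cookie|object|iframe|applet|meta)[^>]*>/is';
    // "... or/and ... =|like ..." boolean-clause heuristic from the original.
    $xssBoolPattern = '/[[:space:]](or|and)[[:space:]].*(=|like)/is';
    // Statement terminator or string delimiter.
    $sqlPattern = "/[;']/";

    foreach ($array as $key => $untrustedValue) {
        // Excluded keys (rich-text editor fields etc.) are passed through.
        // An empty needle is skipped: stristr() with an empty needle would
        // match every key on PHP 8 and warn on PHP 7.
        $exclude = false;
        foreach ($excludes as $needle) {
            $needle = (string) $needle;
            if ($needle !== '' && stristr((string) $key, $needle)) {
                $exclude = true;
                break;
            }
        }
        if ($exclude) {
            $trustedValue[$key] = $untrustedValue;
            continue;
        }

        if (is_array($untrustedValue)) {
            $trustedValue[$key] = securityIDS($untrustedValue);
            continue;
        }

        $value = (string) $untrustedValue;
        $suspicious = preg_match($xssTagPattern, $value)
            || preg_match($xssBoolPattern, $value)
            || preg_match($sqlPattern, $value);

        // Escape unconditionally on a hit. The original skipped the escape
        // when get_magic_quotes_runtime() was on and then never assigned the
        // key at all (silently dropping the parameter); that function no
        // longer exists in PHP 8.
        $trustedValue[$key] = $suspicious
            ? htmlspecialchars($value, ENT_QUOTES)
            : $untrustedValue;
    }

    return $trustedValue;
}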
// Key-name substrings (matched case-insensitively by securityIDS) whose
// values bypass the filter: editor / rich-text fields legitimately carry markup.
$excludeFromIDS = array(
    "pgn_text_CONTENT",
    "pgn_cal_appointment_DESCRIPTION",
    "htxt_",
    "phpedit",
);

// running intrusion detection on the request superglobals
foreach (array('_GET', '_POST', '_COOKIE') as $superglobalName) {
    if (is_array($GLOBALS[$superglobalName])) {
        $GLOBALS[$superglobalName] = securityIDS($GLOBALS[$superglobalName]);
    }
}
// The $_SERVER / $_ENV passes are left disabled, as in the original:
//if (is_array($_SERVER)) $_SERVER = securityIDS($_SERVER);
//if (is_array($_ENV)) $_SERVER = securityIDS($_ENV);

// setting version
$nx_version = "4.5.0.220";

// Global variables
// database related
$recordsets = null;
$insertstatements = null;
$updatestatements = null;
$deletestatements = null;
$rawstatements = null;
$oids = null;