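/**
 **********************************************************************
 * ASTALAVISTA Webapp Intrusion Detection/Response System
 *
 * @copyright ASTALAVISTA SECURE CMS - 2003 Astalavista Group GmbH
 * @author    Ivan Schmid <*****@*****.**>
 * @version   1.2 26.03.03
 * @module    core
 **********************************************************************
 *
 * Astalavista Web Intrusion Detection System (common filter)
 *
 * Walks an untrusted request array (GET/POST/COOKIE ...), recursing into
 * nested arrays, and HTML-escapes every scalar value that matches one of a
 * fixed set of "looks like XSS / SQL injection" patterns. Keys whose name
 * contains an entry of the global $excludeFromIDS list are copied through
 * untouched.
 *
 * Security notes for maintainers:
 *  - This is a denylist on input. It only knows the tag names listed in
 *    the patterns below (no svg/body/event-handler attributes, no encoded
 *    payloads) and flags SQL only on ";", "'" or "or/and ... =/like", so it
 *    is bypassable and must NOT be treated as the control that prevents XSS
 *    or SQL injection. Prepared statements and context-specific output
 *    encoding remain mandatory downstream.
 *  - The "response" is HTML-escaping the whole value on the way in, which
 *    also mangles legitimate data (e.g. "O'Brien" -> "O&#039;Brien") before
 *    it reaches the database.
 *  - Despite the "Detection/Response" name nothing is logged or blocked;
 *    the original computed an attack label that was never emitted.
 *  - Only the array handed in is filtered; $_REQUEST, request headers in
 *    $_SERVER and raw php://input bodies are the caller's problem.
 *
 * @param    array  $array  untrusted array gpcs (GET/POST/SERVER/COOKIES/...)
 * @return   array  same shape as $array, suspicious scalars HTML-escaped;
 *                  always an array (empty input -> empty array)
 * @version  1.2 26.03.03
 * @module   core
 **********************************************************************
 */
function securityIDS($array = array())
{
    global $excludeFromIDS;

    // Always hand back an array: callers assign the result straight over
    // $_GET/$_POST/$_COOKIE and test is_array() on them afterwards, so
    // returning null for an empty input (as the original did) would wipe
    // the superglobal.
    $trustedValue = array();
    if (!is_array($array) || count($array) === 0) {
        return $trustedValue;
    }

    // $excludeFromIDS is a plain global that may be unset or not an array;
    // count(null) is a TypeError on PHP 8.
    $excludeList = is_array($excludeFromIDS) ? $excludeFromIDS : array();

    // Markup that suggests active content. Written for preg_match because
    // eregi() was removed in PHP 7. The original patterns put the '*' on the
    // last letter ("script*" = "scrip" plus optional "t"), which is corrected
    // here; "window." / "document." are matched literally as DOM-object
    // accesses instead of the original "window.*" (window followed by
    // anything).
    static $markupPatterns = array(
        '/<[^>]*script[^>]*>/i',
        '/<[^>]*xml[^>]*>/i',
        '/<[^>]*style[^>]*>/i',
        '/<[^>]*form[^>]*>/i',
        '/<[^>]*window\.[^>]*>/i',
        '/<[^>]*alert[^>]*>/i',
        '/<[^>]*img[^>]*>/i',
        '/<[^>]*document\.[^>]*>/i',
        '/<[^>]*cookie[^>]*>/i',
        '/<[^>]*object[^>]*>/i',
        '/<[^>]*iframe[^>]*>/i',
        '/<[^>]*applet[^>]*>/i',
        '/<[^>]*meta[^>]*>/i',
    );
    // SQL-ish fragments. The "s" modifier keeps "." matching across
    // newlines, as the POSIX "." in eregi() did.
    static $sqlPatterns = array(
        '/[[:space:]](or|and)[[:space:]].*(=|like)/is',
        '/;/',
        "/'/",
    );

    foreach ($array as $key => $untrustedValue) {
        // Exclusion is a case-insensitive substring match on the key, so an
        // entry like "htxt_" excludes every field whose name contains it.
        // Integer keys are cast so they never reach stripos() as int.
        $excluded = false;
        foreach ($excludeList as $needle) {
            if (stripos((string) $key, (string) $needle) !== false) {
                $excluded = true;
                break;
            }
        }
        if ($excluded) {
            $trustedValue[$key] = $untrustedValue;
            continue;
        }

        if (is_array($untrustedValue)) {
            $trustedValue[$key] = securityIDS($untrustedValue);
            continue;
        }

        $subject = (string) $untrustedValue;
        $suspicious = false;
        foreach (array_merge($markupPatterns, $sqlPatterns) as $pattern) {
            if (preg_match($pattern, $subject) === 1) {
                $suspicious = true;
                break;
            }
        }

        // Response: HTML-escape the whole value. The original skipped this
        // (and silently dropped the key) when magic_quotes_runtime was on;
        // magic quotes are gone since PHP 7.0 and the probe function since
        // 8.0, so the escape is now unconditional. ENT_SUBSTITUTE keeps an
        // invalid byte sequence from turning the whole value into "".
        $trustedValue[$key] = $suspicious
            ? htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE)
            : $untrustedValue;
    }

    return $trustedValue;
}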
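	// Request fields whose names contain one of these substrings bypass
	// securityIDS() entirely (rich-text / editor payloads that legitimately
	// carry markup and quotes). securityIDS() matches these as
	// case-insensitive substrings of the key, so keep entries specific:
	// "htxt_" already exempts every field containing that prefix.
	$excludeFromIDS = array (
		"pgn_text_CONTENT",
		"pgn_cal_appointment_DESCRIPTION",
		"htxt_",
		"phpedit"
	);

	// Running intrusion detection on the user-controlled superglobals.
	// NOTE(review): securityIDS() is an input-side denylist filter; it is
	// not a substitute for prepared statements and context-specific output
	// encoding in the code that consumes these values.
	if (is_array($_GET))
		$_GET = securityIDS($_GET);

	if (is_array($_POST))
		$_POST = securityIDS($_POST);

	if (is_array($_COOKIE))
		$_COOKIE = securityIDS($_COOKIE);

	// $_REQUEST is a separate array populated at request start; reassigning
	// $_GET/$_POST/$_COOKIE above does not update it, so any code reading
	// $_REQUEST would otherwise see the raw, unfiltered values.
	if (is_array($_REQUEST))
		$_REQUEST = securityIDS($_REQUEST);

	// Still unfiltered: $_SERVER (request headers such as HTTP_USER_AGENT
	// and HTTP_REFERER are attacker-controlled too), $_ENV and raw
	// php://input bodies. The original $_ENV line also assigned its result
	// to $_SERVER; corrected here in case it is ever re-enabled.
	//if (is_array($_SERVER)) $_SERVER = securityIDS($_SERVER);
	//if (is_array($_ENV)) $_ENV = securityIDS($_ENV);

	// Setting version
	$nx_version = "4.5.0.220";

	// Global variables, database related. Initialised to null here and
	// populated elsewhere.
	$recordsets = null;
	$insertstatements = null;
	$updatestatements = null;
	$deletestatements = null;
	$rawstatements = null;
	$oids = null;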