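/**
 * Protects against basic attempts of Cross-Site Scripting (XSS).
 *
 * When the STAGE_MODS stage is reached and the 'useids' system variable is
 * enabled, the superglobals plus a few request headers are handed to PHPIDS
 * and any non-empty report is passed on to _processIdsResult().
 *
 * @see http://technicalinfo.net/papers/CSS.html
 *
 * @param Zikula_Event $event Event whose 'stage' entry carries the core stage bitmask.
 *
 * @return void
 *
 * @throws \Exception Thrown if there was a problem running ids detection
 */
public function idsInputFilter(Zikula_Event $event)
{
    // `&` binds tighter than `&&`: run only in the MODS stage and only when IDS is switched on.
    if (!($event['stage'] & Zikula_Core::STAGE_MODS) || System::getVar('useids') != 1) {
        return;
    }

    try {
        // Build the request array defining what to scan.
        // @todo: change the order of the arrays to merge if ini_get('variables_order') != 'EGPCS'
        $request = array();
        if (isset($_REQUEST)) {
            $request['REQUEST'] = $_REQUEST;
        }
        if (isset($_GET)) {
            $request['GET'] = $_GET;
        }
        if (isset($_POST)) {
            $request['POST'] = $_POST;
        }
        if (isset($_COOKIE)) {
            $request['COOKIE'] = $_COOKIE;
        }
        if (isset($_SERVER['HTTP_HOST'])) {
            $request['HOST'] = $_SERVER['HTTP_HOST'];
        }
        if (isset($_SERVER['HTTP_ACCEPT'])) {
            $request['ACCEPT'] = $_SERVER['HTTP_ACCEPT'];
        }
        // PHP exposes the User-Agent header as HTTP_USER_AGENT; a key named
        // USER_AGENT never exists, so checking it left the header unscanned.
        if (isset($_SERVER['HTTP_USER_AGENT'])) {
            $request['USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
        }
        // REQUEST_URI and HTTP_REFERER are deliberately not scanned: the
        // referer in particular produces far too many false positives.

        // Initialise the configuration object and apply this module's settings.
        $init = \IDS\Init::init();
        $init->config = $this->_getidsconfig();

        // Run the request check and fetch the results.
        $ids = new \IDS\Monitor($init);
        $result = $ids->run($request);

        if (!$result->isEmpty()) {
            // Process the \IDS\Report object.
            $this->_processIdsResult($init, $result);
        }
    } catch (\Exception $e) {
        // Something went wrong - maybe the filter rules weren't found. Failing
        // here aborts the request rather than letting it through unscanned; the
        // original exception is chained so the root cause is not lost.
        throw new \Exception(__f('An error occured during executing PHPIDS: %s', $e->getMessage()), 0, $e);
    }
}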
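/**
 * Runs PHPIDS over the current request and logs, warns or blocks according to
 * the configured impact thresholds (ids_log_level, ids_warn_level, ids_block_level).
 *
 * Whitelisted variables (ids.whitelist) and HTML-allowed fields (ids.htmlfield)
 * are read from /usr/local/ispconfig/security, a `.custom` copy taking precedence
 * and the copy shipped with the installation serving as fallback. Each list line
 * has the form `user:script_path:varname` and applies only when the script path
 * matches the current script and the session's user type satisfies `user`.
 *
 * @return void
 */
public function start()
{
    global $app;

    $security_config = $app->getconf->get_security_config('ids');

    set_include_path(get_include_path() . PATH_SEPARATOR . ISPC_CLASS_PATH . '/');
    require_once ISPC_CLASS_PATH . '/IDS/Init.php';
    require_once ISPC_CLASS_PATH . '/IDS/Monitor.php';
    require_once ISPC_CLASS_PATH . '/IDS/Filter.php';
    require_once ISPC_CLASS_PATH . '/IDS/Filter/Storage.php';
    require_once ISPC_CLASS_PATH . '/IDS/Report.php';
    require_once ISPC_CLASS_PATH . '/IDS/Event.php';
    require_once ISPC_CLASS_PATH . '/IDS/Converter.php';

    $ids_request = array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE);

    $ids_init = IDS\Init::init(ISPC_CLASS_PATH . '/IDS/Config/Config.ini.php');
    $ids_init->config['General']['base_path'] = ISPC_CLASS_PATH . '/IDS/';
    $ids_init->config['General']['tmp_path'] = '../../../temp';
    $ids_init->config['General']['use_base_path'] = true;
    $ids_init->config['Caching']['caching'] = 'none';
    $ids_init->config['Logging']['path'] = '../../../temp/ids.log';

    $current_script_name = trim($_SERVER['SCRIPT_NAME']);
    // User type of the current session, or 'any' when nobody is logged in.
    $user_type = isset($_SESSION['s']['user']['typ']) ? $_SESSION['s']['user']['typ'] : 'any';

    // Resolves a security list file: the site-specific `.custom` copy wins, then the
    // default under /usr/local/ispconfig/security, then the copy shipped with ISPConfig.
    $resolve_list_path = function ($list_name) {
        $path = '/usr/local/ispconfig/security/' . $list_name;
        if (is_file($path . '.custom')) {
            $path .= '.custom';
        }
        if (!is_file($path)) {
            $path = realpath(ISPC_ROOT_PATH . '/../security/' . $list_name);
        }
        return $path;
    };

    // Reads a `user:script_path:varname` list and returns the varnames that apply
    // to the current script and user type. '#' lines are comments; blank or
    // malformed lines (fewer than three fields) are skipped instead of raising notices.
    $read_list = function ($list_name) use ($resolve_list_path, $current_script_name, $user_type) {
        $varnames = array();
        $path = $resolve_list_path($list_name);
        $lines = ($path !== false && is_file($path)) ? file($path) : false;
        if (!is_array($lines)) {
            return $varnames;
        }
        foreach ($lines as $line) {
            $line = trim($line);
            if ($line === '' || $line[0] === '#') {
                continue;
            }
            $fields = explode(':', $line);
            if (count($fields) < 3) {
                continue;
            }
            list($user, $path, $varname) = $fields;
            if ($path !== $current_script_name) {
                continue;
            }
            // Compare, never assign, here: `$user = '******'` would be truthy and make
            // every entry apply to every user type. The wildcard entry applies to all
            // sessions, 'user' to user and admin sessions, 'admin' to admin sessions only.
            $applies = $user === '******'
                || ($user === 'user' && ($user_type === 'user' || $user_type === 'admin'))
                || ($user === 'admin' && $user_type === 'admin');
            if ($applies) {
                $varnames[] = $varname;
            }
        }
        return $varnames;
    };

    foreach ($read_list('ids.whitelist') as $varname) {
        $ids_init->config['General']['exceptions'][] = $varname;
    }
    foreach ($read_list('ids.htmlfield') as $varname) {
        $ids_init->config['General']['html'][] = $varname;
    }

    $ids = new IDS\Monitor($ids_init);
    $ids_result = $ids->run($ids_request);
    if ($ids_result->isEmpty()) {
        return;
    }

    $impact = $ids_result->getImpact();
    if ($impact >= $security_config['ids_log_level']) {
        $ids_log = ISPC_ROOT_PATH . '/temp/ids.log';
        $log_lines = '';
        foreach ($ids_result->getEvents() as $event) {
            $log_lines .= $user_type . ':' . $current_script_name . ':' . $event->getName() . "\n";
        }
        // FILE_APPEND creates the log file when it does not exist yet.
        file_put_contents($ids_log, $log_lines, FILE_APPEND);
    }
    if ($impact >= $security_config['ids_warn_level']) {
        $app->log("PHP IDS Alert." . $ids_result, 2);
    }
    if ($impact >= $security_config['ids_block_level']) {
        $app->error("Possible attack detected. This action has been logged.", '', true, 2);
    }
}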
/*
|--------------------------------------------------------------------------
| Application & Route Filters
|--------------------------------------------------------------------------
|
| Below you will find the "before" and "after" events for the application
| which may be used to do any work before or after a request into your
| application. Here you may also register your custom route filters.
|
*/

App::before(function ($request) {
    // Request data handed to PHPIDS, keyed by the source it came from.
    $scanTargets = array(
        'REQUEST' => $_REQUEST,
        'GET'     => $_GET,
        'POST'    => $_POST,
        'COOKIE'  => $_COOKIE,
    );

    $idsConfig = IDS\Init::init(app_path() . '/config/ids/config.ini');
    $monitor   = new IDS\Monitor($idsConfig);
    $report    = $monitor->run($scanTargets);

    if ($report->isEmpty()) {
        return;
    }

    // Hand every detected event to the application's 'security.intrusion' listeners.
    foreach ($report as $intrusion) {
        Event::fire('security.intrusion', array($intrusion));
    }
});

App::after(function ($request, $response) {
    //
});

/*
|--------------------------------------------------------------------------
| Authentication Filters
|--------------------------------------------------------------------------
|
| The following filters are used to verify that the user of the current