celextel (Author), posted November 18, 2010 (edited):

> Hi,
> I have installed the PHPIDS version 1.6, when I have finished installation and can't entry in my website. It display the next message:
> " This page is not redirecting properly
> Firefox has detected that the server is redirecting the request to this address in a way that will never end.
> This problem is sometimes caused by disabling or refusing the receipt of cookies. "
> When I set to False the option 'PHPIDS Module' I work fine. That is, that I can go to my website.
> Why?
> Thanks!!
> Rafa Alepuz

PHPIDS does not do any redirection. Perhaps your server is not configured properly for executing certain requests of PHPIDS. Enable error reporting in your index file and see as to what error message you are getting. [refer to our earlier post]

Edited November 18, 2010 by celextel

RafaAlepuz, posted November 18, 2010 (edited):

How do I enable error reporting? In Firebug I do not get any error.
You can test, now. My website is http://www.quanamcosmetics.com
The PHPIDS Module is enabled.
Thanks!

Edited November 18, 2010 by RafaAlepuz

RafaAlepuz, posted November 18, 2010:

> How do I enable error reporting? In Firebug I do not get any error.
> You can test, now. My website is http://www.quanamcosmetics.com
> The PHPIDS Module is enabled.
> Thanks!

Solved.
Documentation in the step D: Catalog( D:\Rafa\Webs\quanam\oscommerce\contribuciones\SEGURIDAD\PHPIDS_for_osCommerce_1_6\PHPIDS_for_osCommerce_1_6\Read_Me.htm ) there is an error. At the point 2, missing closing parenthesis while.
Bye! :)

jim21, posted November 22, 2010:

Is there a way to change the notification email address? Our set up has one manager for store/inventory info and another for admin/database functions.
Thanks

celextel (Author), posted November 22, 2010:

> Is there a way to change the notification email address? Our set up has one manager for store/inventory info and another for admin/database functions.
> Thanks

Find the following code in includes/modules/banned_ip.php file:

$mail_recipient = array(STORE_OWNER_EMAIL_ADDRESS, SEND_EXTRA_ORDER_EMAILS_TO);

You could modify this code either as:

$mail_recipient = STORE_OWNER_EMAIL_ADDRESS;

or as:

$mail_recipient = SEND_EXTRA_ORDER_EMAILS_TO;

as required by you.

jim21, posted November 23, 2010:

> Find the following code in includes/modules/banned_ip.php file:
> $mail_recipient = array(STORE_OWNER_EMAIL_ADDRESS, SEND_EXTRA_ORDER_EMAILS_TO);
> You could modify this code either as:
> $mail_recipient = STORE_OWNER_EMAIL_ADDRESS;
> or as:
> $mail_recipient = SEND_EXTRA_ORDER_EMAILS_TO;
> as required by you.

I could not find the code you specified in the banned_ip.php file, but did see it in the osc_phpids.php file. I made the changes to that file and all works as expected.
Thanks for your time and information.

celextel (Author), posted November 23, 2010:

> I could not find the code you specified in the banned_ip.php file, but did see it in the osc_phpids.php file. I made the changes to that file and all works as expected.
> Thanks for your time and information.

Sorry, we meant osc_phpids.php file. By mistake we had mentioned as banned_ip.php. Thanks.

Guest, posted November 25, 2010:

Seems we have it installed fine but when we test with:
?id=1&test=">XXX
we get the proper result at the top of the page
but when we test with:
?test="><script>eval(window.name)</script>
we get nothing at all at the top of the page (otherwise page looks normal and unchanged)
This is in chrome and firefox, in internet explorer we get the correct result on the first and on the second we get "modified page to prevent cross scripting attacks"
Could you please tell us why this second test in your instructions is not getting the said results?, thank you

celextel (Author), posted November 26, 2010:

> Seems we have it installed fine but when we test with:
> ?id=1&test=">XXX
> we get the proper result at the top of the page
> but when we test with:
> ?test="><script>eval(window.name)</script>
> we get nothing at all at the top of the page (otherwise page looks normal and unchanged)
> This is in chrome and firefox, in internet explorer we get the correct result on the first and on the second we get "modified page to prevent cross scripting attacks"
> Could you please tell us why this second test in your instructions is not getting the said results?, thank you

Enable error reporting in your index file and see as to what error message you are getting.
If you get the following error message:

Exception: PDOException: could not find driver

Then PDO driver file is missing in the configuration. You have to request the web hosting provider to enable this.
Info regarding this are at the following URL:
http://forum.php-ids.org/comments.php?DiscussionID=284
http://dev.mysql.com/tech-resources/articles/mysql-pdo.html

mariano_quilmes, posted December 6, 2010:

Hello
I would like to know if this addon is compatible with oscommerce v 2.2 RC1.
Thanks in advance.
Mariano.

celextel (Author), posted December 7, 2010:

> Hello
> I would like to know if this addon is compatible with oscommerce v 2.2 RC1.
> Thanks in advance.
> Mariano.

Yes, this is compatible with oscommerce v 2.2 RC1.

joylounge, posted December 7, 2010:

Can you shed some light on this please.
I have installed and everything is running fine. If I try an attack the site I get redirected to the banned page and my IP is logged and blocked.
For some reason when I see people hit the banned page in the log their IP is never blocked.
For example you can see this person browsing the toys section then they get redirected to the banned page. Their IP is not in the banned log

82.68.80.163 12 2010-12-04 21:13:20 REQUEST.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/toys/
82.68.80.163 7 2010-12-04 21:13:20 REQUEST.s_sess s_cc=true; s_refresh=NGXO%3ARYP; s_sq=paypalglobal%3D%2526pid%253DNGXO%25253ARYP%2526pidt%253D1%2526oid%253DContinue%2526oidt%253D3%2526ot%253DSUBMIT; /catalog/toys
82.68.80.163 12 2010-12-04 21:13:20 COOKIE.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/toys/
82.68.80.163 7 2010-12-04 21:13:20 COOKIE.s_sess s_cc=true; s_refresh=NGXO%3ARYP; s_sq=paypalglobal%3D%2526pid%253DNGXO%25253ARYP%2526pidt%253D1%2526oid%253DContinue%2526oidt%253D3%2526ot%253DSUBMIT; /catalog/toys/
82.68.80.163 5 2010-12-04 21:13:50 REQUEST.s_pers s_favsn_paypalglobal_1=2782966209980|1587930315487; gpv_pn=www.dell.co.uk/|1285416012293; /catalog/banned.php
82.68.80.163 12 2010-12-04 21:13:50 REQUEST.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/banned.php
82.68.80.163 7 2010-12-04 21:13:50 REQUEST.s_sess s_cc=true; s_refresh=NGXO%3ARYP; s_sq=paypalglobal%3D%2526pid%253DNGXO%25253ARYP%2526pidt%253D1%2526oid%253DContinue%2526oidt%253D3%2526ot%253DSUBMIT; /catalog/banned.php
82.68.80.163 12 2010-12-04 21:13:50 COOKIE.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/banned.php
82.68.80.163 7 2010-12-04 21:13:50 COOKIE.s_sess s_cc=true; s_refresh=NGXO%3ARYP; s_sq=paypalglobal%3D%2526pid%253DNGXO%25253ARYP%2526pidt%253D1%2526oid%253DContinue%2526oidt%253D3%2526ot%253DSUBMIT; /catalog/banned.php
82.68.80.163 5 2010-12-04 21:13:50 REQUEST.s_pers s_favsn_paypalglobal_1=2782966209980|1587930315487; gpv_pn=www.dell.co.uk/|1285416012293; /catalog/banned.php
82.68.80.163 12 2010-12-04 21:13:50 REQUEST.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/banned.php

Are they side stepping the IP block somehow.
Thanks
Gary

celextel (Author), posted December 7, 2010:

> Can you shed some light on this please.
> I have installed and everything is running fine. If I try an attack the site I get redirected to the banned page and my IP is logged and blocked.
> For some reason when I see people hit the banned page in the log their IP is never blocked.
> For example you can see this person browsing the toys section then they get redirected to the banned page. Their IP is not in the banned log
> Are they side stepping the IP block somehow.
> Thanks
> Gary

We have also noticed this. Some IPs are not logged under banned IPs. We do not know the reason for this. We could ban them by entering those IPs.

joylounge, posted December 8, 2010:

> We have also noticed this. Some IPs are not logged under banned IPs. We do not know the reason for this. We could ban them by entering those IPs.

Do you think it could be down to trying to grab the IP by using the Oscommerce tep_get_ip_address() function.
If it's an automated script or something clever to try and hide who they are do you think something simpler like this may be better at catching the IP

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

Cheers
Gary

jfkafka, posted December 8, 2010:

Hi Celextel,
Hope all is excellent with you and Thank You for the high quality approach to this aspect of website protection.

using localhost, xxamp, php5.3, PHPIDS v1.6 and phpids-0.6.5

prior to installing PHPIDS v1.6 was using IP trap and XSS shield as well as Security Pro which was moved as per the instructions

have removed IP trap code from Catalog/includes/application_top.php and commented out XSS shield code in .htaccess

with installation completed the results of test 1 (http://www.localdev.com/public_html/?id=1&test=%22%3EXXX)

Total impact: 94
Affected tags: xss, csrf, id, rfe, lfi, sqli

Variable: REQUEST.test | Value: ">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: REQUEST.cart | Value: a:1:{i:13;a:1:{s:3:"qty";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Variable: REQUEST.wish | Value: a:1:{s:9:"1{4}2{3}5";a:2:{i:0;s:9:"1{4}2{3}5";s:10:"attributes";a:2:{i:4;s:1:"2";i:3;s:1:"5";}}}
Impact: 18 | Tags: xss, csrf, sqli, id, lfi, rfe
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: COOKIE.cart | Value: a:1:{i:13;a:1:{s:3:\"qty\";i:1;}}
Impact: 25 | Tags: xss, csrf, sqli, id, lfi, rfe
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42
Description: Detects basic SQL authentication bypass attempts 3/3 | Tags: sqli, id, lfi | ID: 46
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Variable: COOKIE.wish | Value: a:1:{s:9:\"1{4}2{3}5\";a:2:{i:0;s:9:\"1{4}2{3}5\";s:10:\"attributes\";a:2:{i:4;s:1:\"2\";i:3;s:1:\"5\";}}}
Impact: 31 | Tags: xss, csrf, sqli, id, lfi, rfe
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Description: Detects basic SQL authentication bypass attempts 3/3 | Tags: sqli, id, lfi | ID: 46
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Centrifuge detection data
Threshold: 3.49
Ratio: 2.2708333333333

upon setting admin/configuration - Show Intrusion Result to False (http://www.localdev.com/public_html/index.php)

Result:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
* This problem can sometimes be caused by disabling or refusing to accept cookies.

for what it's worth I have found that by removing catalog/includes/modules/banned_ip.php (yes I know it defeats the purpose but troubleshooting to isolate the point where it goes belly up) it redirects to (http://www.localdev.com/public_html/banned.php)

Page Display:
Banned
Your IP Address, 127.0.0.1 has been reported for site violations.
If you feel you have reached this page in error, please Contact Us and provide your IP Address.
------ end of page display ------------

Does any of this suggest a cause and solution?
Thanks for any helpful feedback,
jk

celextel (Author), posted December 9, 2010:

> Do you think it could be down to trying to grab the IP by using the Oscommerce tep_get_ip_address() function.
> If it's an automated script or something clever to try and hide who they are do you think something simpler like this may be better at catching the IP
> $ip_2ban_address = $_SERVER['REMOTE_ADDR'];
> Cheers
> Gary

We have not done much modification to banned.php as that contribution is of someone else.
Your following suggestion seems to be a better option:

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

in lieu of

$ip_2ban_address = tep_get_ip_address();

We would also use this modified code in our websites. Hope this solves that issue.
Thanks for your suggestion.

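Added example, not code from osCommerce or the PHPIDS add-on: why a ban keyed on a header-derived address can miss repeat visits while one keyed on `REMOTE_ADDR` does not, as discussed in the two posts above. `header_first_ip()` is a hypothetical stand-in that assumes the shop helper prefers proxy headers (the thread does not show its source); `ban_key()`, `replay()`, the proxy list and all addresses are constructed for illustration.

```php
<?php
// Added illustration; not code from osCommerce or the PHPIDS add-on.
// All function names, proxy lists and addresses below are constructed.

/**
 * Hypothetical stand-in for a helper that prefers proxy headers.
 * ASSUMPTION: the shop helper behaves like this; the thread does not show it.
 */
function header_first_ip(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return trim($server[$key]);
        }
    }
    return '';
}

/**
 * Ban key for a request: the TCP peer, unless the peer is one of our own
 * reverse proxies, in which case the right-most valid hop that proxy appended.
 */
function ban_key(array $server, array $trustedProxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // headers sent by an untrusted peer are only request data
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false
            && !in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // nothing usable in the header: fall back to the peer
}

/**
 * Replay requests in order: a flagged request bans its key, and any later
 * request whose key is already banned is refused.
 */
function replay(array $requests, callable $keyOf): array
{
    $banned = [];
    $refused = 0;
    foreach ($requests as $request) {
        $key = $keyOf($request['server']);
        if (isset($banned[$key])) {
            $refused++;
            continue;
        }
        if ($request['flagged']) {
            $banned[$key] = true;
        }
    }
    return ['banned' => array_keys($banned), 'refused' => $refused];
}

// Constructed sample: one peer, three requests, a different forwarded header
// each time. Only the first request is flagged by the IDS.
$peer = '203.0.113.7';
$requests = [
    ['flagged' => true,  'server' => ['REMOTE_ADDR' => $peer, 'HTTP_X_FORWARDED_FOR' => '198.51.100.1']],
    ['flagged' => false, 'server' => ['REMOTE_ADDR' => $peer, 'HTTP_X_FORWARDED_FOR' => '198.51.100.2']],
    ['flagged' => false, 'server' => ['REMOTE_ADDR' => $peer, 'HTTP_X_FORWARDED_FOR' => 'not-an-ip']],
];

// Header-first key: the ban is stored under the header value, so the peer's
// own address never appears in the ban list and later requests pass.
echo "header-first: ", json_encode(replay($requests, 'header_first_ip')), "\n";

// Peer key: the ban is stored under the connecting address and holds.
echo "peer-based:   ", json_encode(replay($requests, 'ban_key')), "\n";

// Behind our own reverse proxy (constructed address 192.0.2.10) the peer is
// the proxy, so the key comes from the hop the proxy itself appended.
$viaProxy = [
    'REMOTE_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',
];
echo "via proxy:    ", ban_key($viaProxy, ['192.0.2.10']), "\n";
```

A ban keyed on `REMOTE_ADDR` also applies to every visitor who shares that address, for example users behind the same outbound proxy.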
celextel (Author), posted December 9, 2010:

We have not tested this in the localhost. Please test this in a web server where you have your osCommerce. Test-1 result shown by you is different from the one shown by us. Try without public_html/ in the URL. We do not see the REQUEST.cart, REQUEST.wish, COOKIE.cart and COOKIE.wish values in our tests.

jfkafka, posted December 10, 2010:

> We have not tested this in the localhost. Please test this in a web server where you have your osCommerce. Test-1 result shown by you is different from the one shown by us. Try without public_html/ in the URL. We do not see the REQUEST.cart, REQUEST.wish, COOKIE.cart and COOKIE.wish values in our tests.

Hi Celextel,
Thanks for your response. REQUEST.cart and REQUEST.wish are likely part of 2 contributions, 5368 Request Product Info V 1.2 and 1682 Wishlist v5.

Results of tests on hosted site:

1. http://www.jkafka.com/?id=1&test=%22%3EXXX (after removing items from cart and wishlist)
Page displays this code at top with the homepage below:

Total impact: 32
Affected tags: xss, csrf, id, rfe, lfi

Variable: REQUEST.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: REQUEST.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: COOKIE.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Centrifuge detection data
Threshold: 3.49
Ratio: 3.1428571428571
=================================================

2. http://www.jkafka.com/faq.php
Page displays this code at top with the faq page below:

Total impact: 24
Affected tags: xss, csrf, id, rfe, lfi

Variable: REQUEST.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Variable: COOKIE.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Centrifuge detection data
Threshold: 3.49
Ratio: 3.1428571428571
===========================================

3. http://www.jkafka.com/product_info.php?cPath=13&products_id=8
Page displays this code ON LEFT but NO Product Info Page

Total impact: 24
Affected tags: xss, csrf, id, rfe, lfi

Variable: REQUEST.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Variable: COOKIE.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Centrifuge detection data
Threshold: 3.49
Ratio: 3.1428571428571
==========================================

4. http://www.jkafka.com/hewlett-packard-laserjet-1100xi-p-27.html
Page displays this code at top with the product info page below:

Total impact: 24
Affected tags: xss, csrf, id, rfe, lfi

Variable: REQUEST.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Variable: COOKIE.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Centrifuge detection data
Threshold: 3.49
Ratio: 3.1428571428571
=====================================

With Show Intrusion Result false
Pages display EXCEPT when clicking on products in categories menu like
http://www.jkafka.com/product_info.php?cPath=13&products_id=8
which displays a blank page

However clicking on a product image
http://www.jkafka.com/youve-got-mail-p-7.html
DOES produce the product info page

Lastly trying to add a product to the cart:
http://www.jkafka.com/youve-got-mail-p-7.html?action=add_product
produces a blank page

Hope this provides enough info to identify the snafu.
Thank you for your patience and expertise.
jk

celextel (Author), posted December 10, 2010:

> Hi Celextel,
> Thanks for your response. REQUEST.cart and REQUEST.wish are likely part of 2 contributions, 5368 Request Product Info V 1.2 and 1682 Wishlist v5.

Add the following values under exclusions and then do the tests again:

REQUEST.cart
REQUEST.wish
COOKIE.cart
COOKIE.wish

To find out as to why you are getting a blank page, enable error reporting in those files [index file or so] and see as to what error message you are getting.

jfkafka, posted December 10, 2010:

> Add the following values under exclusions and then do the tests again:
> REQUEST.cart
> REQUEST.wish
> COOKIE.cart
> COOKIE.wish
> To find out as to why you are getting a blank page, enable error reporting in those files [index file or so] and see as to what error message you are getting.

Hi,
Thanks for replying. Ok, tried adding those to exclusions yesterday with localhost just to let you know I went through the instructions

Anyway here are the exclusions on hosted site admin in case something is missing or in an improper order

REQUEST.__utmz, COOKIE.__utmz, REQUEST.custom, POST.custom, REQUEST.osCsid, COOKIE.osCsid, REQUEST.verify_sign, POST.verify_sign, REQUEST.s_pers, COOKIE.s_pers, REQUEST.enquiry, POST.enquiry, REQUEST.cart, REQUEST.wish, COOKIE.cart, COOKIE.wish

added this to index.php:

// DEBUGGING
error_reporting(E_ALL);
// DEBUGGING
echo '<pre>';
// DEBUGGING
print_r($_REQUEST);
// DEBUGGING
echo '</pre>';
ini_set('display_errors',1);

Test 1 Result on home page:

Array
(
    [id] => 1
    [test] => \">XXX
    [cookie_test] => ThankYou
    [osCsid] => a long string
    [osC_AutoCookieLogin] => a long string
    [wish] => a:0:{}
)

Total impact: 8
Affected tags: xss, csrf

Variable: REQUEST.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Home page underneath
===============================

Test 1 with faq.php

Total impact: 8
Affected tags: xss, csrf

Variable: REQUEST.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

FAQ Page underneath
==================================

Test 1 with click on category menu - Hardware

Array
(
    [cPath] => 1
    [id] => 1
    [test] => \">XXX
    [cookie_test] => ThankYou
    [osCsid] => a long string
    [osC_AutoCookieLogin] => a long string
    [wish] => a:0:{}
)

Total impact: 8
Affected tags: xss, csrf

Variable: REQUEST.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

===============================

Finally just clicking on a product in the category menu

Blank page

in this case the URL ends with
product_info.php?cPath=10&products_id=9

I wonder if its related to this line the htaccess

RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}

Thanks again for your suggestions
jk

celextel (Author), posted December 10, 2010:

> Hi,
> Thanks for replying. Ok, tried adding those to exclusions yesterday with localhost just to let you know I went through the instructions
> I wonder if its related to this line the htaccess
> RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}
> Thanks again for your suggestions
> jk

Exclusions are in order.
You could change the following code:

RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}

to

RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}

and then try.
If you still have problem, you have to enable error reporting in product_info.php and then find out as to what is wrong.
Remove error reporting codes after checking.

jfkafka, posted December 10, 2010:

additional testing
trying to add to cart
URL ends with
dvd-movies-action-c-3_10.html?action=add_product&sort=3a&test=XXX&id=1

Result:

Array
(
    [cPath] => 3_10
    [action] => add_product
    [sort] => 3a
    [test] => XXX
    [id] => 1
    [cart_quantity] => 1
    [products_id] => 11
    [x] => 46
    [y] => 12
    [cookie_test] => ThankYou
    [osCsid] => long string
    [osC_AutoCookieLogin] => long string
    [wish] => a:0:{}
)

Nothing else on Page besides that
product not added to cart
using rc2a if that is relevant

when clicking on a product image
URL ending with
/fire-down-below-p-11.html?id=1&test=">XXX

Result:

Total impact: 8
Affected tags: xss, csrf

Variable: REQUEST.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Product Info Displays below

seems like the only times not working are when URL ends in:
1. /product_info.php?cPath=13&products_id=8 (any number for cPath and products_id)
2. /fire-down-below-p-11.html?action=add_product (any product not just that one)

hope this will at least narrow it down
jk

jfkafka, posted December 10, 2010:

seems it was adding to cart, sorry I needed to refresh after hitting the back button from the page that only displayed the array info
changing the htaccess line had no effect, thanks for trying
will continue to test
jk

jfkafka, posted December 10, 2010:

more info...
URL ending in:
product_info.php?cPath=12&products_id=7&id=1&test=">XXX

Result: (white page)

Total impact: 8
Affected tags: xss, csrf

Variable: REQUEST.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

the reason the page is otherwise blank is because it doesn't return to product_info.php after the require application_top.php; otherwise it would have printed out this debugging array

// DEBUGGING
error_reporting(E_ALL);
// DEBUGGING
echo '<pre>';
// DEBUGGING
print_r($_REQUEST);
// DEBUGGING
echo '</pre>';
ini_set('display_errors',1);

which was immediately after the require

prior to moving it below the require the debugging array was above it and displayed:

Array
(
    [cPath] => 12
    [products_id] => 7
    [id] => 1
    [test] => \">XXX
    [cookie_test] => ThankYou
    [osCsid] => long string
    [osC_AutoCookieLogin] => long string
    [wish] => a:1:{i:7;a:1:{i:0;s:1:\"7\";}}
    [cart] => a:1:{i:11;a:1:{s:3:\"qty\";i:1;}}
)

Total impact: 8
Affected tags: xss, csrf

Variable: REQUEST.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

===============================

doesn't appear to show any errors

next stop - application_top
jk

jfkafka, posted December 10, 2010:

Found the problem
It was the nut behind the wheel!
Thanks for your patience and support, Celextel
jk