IDS Possible Attack Detection Cookie Problem

Discussion in 'Installation/Configuration' started by Trimilur, Apr 27, 2020.

  1. Trimilur

    Trimilur New Member

    I am currently experiencing the following bug: "Possible attack detected. This action has been logged."



    Code:
    [INTERFACE]: PHP IDS Alert. Total impact: 32
    Affected tags: sqli, id, lfi, xss, csrf, rfe
    Variable: COOKIE.paypalplus_session_v2 | Value: {"mode":"sandbox","useraction":"commit","language":"de_DE","country":"DE","ecToken":"EC-8JX009565A671943C","thirdPartyMethods":{},"paymentMethod":"pp-db2fae5d7a8068bc159f4e8c1ea36294"} | Impact: 32 | Tags: sqli, id, lfi, xss, csrf, rfe
    Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID 43
    Description: Detects basic SQL authentication bypass attempts 2/3 | Tags: sqli, id, lfi | ID 45
    Description: Detects basic SQL authentication bypass attempts 3/3 | Tags: sqli, id, lfi | ID 46
    Description: Detects MySQL comment-/space-obfuscated injections and backtick termination | Tags: sqli, id | ID 57
    Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67

    It is caused by a WordPress site with WooCommerce and the PayPal Plus plugin, which obviously sets a bad PayPal Plus cookie. The WP site is running on xxx.de and ISPConfig on a subdomain of xxx.de. Do you know how I can solve this problem? I now always get "Possible attack detected. This action has been logged." when I try to log in after visiting the WordPress site.

    My idea would be to allow this specific cookie in the ids.whitelist; I just do not really know how, and it might even be kind of the worst solution for security reasons.

    WordPress 5.4
    ISPConfig 3.1.15p3

    I know till's answer to a similar problem,
    but I cannot really change the PayPal Plus cookie.
     
    Last edited: Apr 27, 2020
  2. Jesse Norell

    Jesse Norell ISPConfig Developer

    As you suspect, you can configure the IDS whitelist to ignore that (use the file /usr/local/ispconfig/security/ids.whitelist.custom), or you could configure your web server to delete the cookie from the request before passing it to PHP.
     
  3. Trimilur

    Trimilur New Member

    Alright, I honestly just don't know what exactly I have to put in ids.whitelist.
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer

    You'll have to see what PHP file(s) are triggering, but based on your above output,
    Variable: COOKIE.paypalplus_session_v2 is what needs whitelisting. E.g. say it triggers when logging in, try:
    Code:
    admin:/login/index.php:COOKIE.paypalplus_session_v2
    user:/login/index.php:COOKIE.paypalplus_session_v2
    any:/login/index.php:COOKIE.paypalplus_session_v2
    
    If it triggers on every single request/PHP script, there's probably a better solution. Delete the cookie in your browser, or use your browser in incognito mode, or remove the cookie via your web server.
     
  5. Trimilur

    Trimilur New Member

    It does not really satisfy me. Why, by any chance, is the PayPal Plus cookie triggering the IDS at all?

    So the ids.log says that the IDS is triggered at each PHP script because of the PayPal cookie.
     
    Last edited: Apr 27, 2020
  6. Jesse Norell

    Jesse Norell ISPConfig Developer

    Fair enough. You could work on the other side and fix the PayPal Plus plugin to not set the cookie for all subdomains, but only where you actually are using it. Or even use a different domain for the two, to avoid the issue entirely.

    Because the contents of the cookie match a few of the built-in IDS signatures.

    Yeah, I figured it might. @till, do you know if there is a way to whitelist this cookie for all scripts in the IDS whitelist? It's not very practical to specify every single PHP file for a case like this.
     
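The cookie scope Jesse describes (a cookie set for the parent domain reaching the ISPConfig subdomain, while a host-only cookie stays with the shop) can be checked with Python's standard-library cookie jar, which applies the same Domain matching rules a browser does. This is an added example, not code from the thread or from ISPConfig; the hostnames under example.de and the cookie JSON are constructed placeholders.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies only
    needs .info() to return an object with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, not replaces

    def info(self):
        return self._headers


def cookies_sent(set_cookie, origin_url, target_url):
    """Store `set_cookie` as if the site at origin_url had set it, then return
    the cookie names a browser would attach to a request for target_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie]), urllib.request.Request(origin_url))
    req = urllib.request.Request(target_url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return [part.split("=", 1)[0].strip() for part in header.split(";") if part.strip()]


# Constructed sample values; the JSON mirrors the shape seen in the IDS alert above.
SESSION_JSON = '{"mode":"sandbox","useraction":"commit","country":"DE"}'
# Cookie scoped to the parent domain: every subdomain, the control panel included, receives it.
SHARED_COOKIE = f"paypalplus_session_v2={SESSION_JSON}; Domain=.example.de; Path=/; Secure"
# Same cookie without a Domain attribute: host-only, sent back to the shop host alone.
HOST_ONLY_COOKIE = f"paypalplus_session_v2={SESSION_JSON}; Path=/; Secure"

SHOP = "https://shop.example.de/"
PANEL_LOGIN = "https://panel.example.de/login/index.php"

if __name__ == "__main__":
    print("shared    -> panel:", cookies_sent(SHARED_COOKIE, SHOP, PANEL_LOGIN))
    print("host-only -> panel:", cookies_sent(HOST_ONLY_COOKIE, SHOP, PANEL_LOGIN))
    print("host-only -> shop :", cookies_sent(HOST_ONLY_COOKIE, SHOP, SHOP + "checkout/"))
```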