ISPConfig Protocol full of PHP IDS alerts

Discussion in 'General' started by Hbod, Mar 7, 2018.

  1. Hbod

    Hbod Member

    Hi,

    when I save some custom email filters inside the ispconfig backend, I receive a ton of red warning alerts in my log as my "filters" are treaded as malicious. It looks like it did not affect the saving but the log.


    [INTERFACE]: PHP IDS Alert.Total impact: 27<br/> Affected tags: xss, csrf, id, rfe, sqli, lfi<br/> <br/> Variable: POST.custom_mailfilter | Value:

    As I tried a lot and saved like 40 times, I had 40 entries. Should't custom mailfilter we excluded from those checks?

    ...
    require [&quot;fileinto&quot;, &quot;regex&quot;]; if header :contains &quot;subject&quot; [&quot;Rechnung&quot;, &quot;Receipt&quot;, &quot;Beleg&quot;, &quot;Invoice&quot;, &quot;Quittung&quot;] { fileinto &quot;2018&quot;; redirect
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, we might have to exclude that if it causes too many issues in that form part. You can set the score in security_settings.ini to a higher value so that the IDS does not get triggered.
     
  3. Jesse Norell

    Jesse Norell Well-Known Member

    It would probably be good to collect verifiably legitimate use that trips the IDS and add those fields to the ids whitelist, so people can leave the IDS enabled. I created a merge request to include a few I've seen on our system.

    @Hbod, run
    Code:
    grep POST.custom_mailfilter /usr/local/ispconfig/interface/temp/ids.log | sort -u
    to get the user level ('user' and/or 'admin') and file path, and put that info here or in https://git.ispconfig.org/ispconfig/ispconfig3/merge_requests/762
     
    till and ahrasis like this.

Share This Page