RIPS is a static source code analyser for vulnerabilities in PHP web applications. It was released during the Month of PHP Security (www.php-security.org). NOTE: development of RIPS 0.5 has been abandoned. A complete rewrite is in development and is used as an academic prototype, but it is not publicly available yet.

RIPS CHANGELOG
===============

RIPS 0.53
----------
	- fixed bug with includes (thanks to Ryan Dewhurst)

RIPS 0.52
----------
	Code analysis:
	- fixed bug where RIPS hangs on includes that form a loop (1->2->3->1->2->3->1...) (thanks to Michael Hoffmann)
	- fixed bug where RIPS string analyzer hangs on certain array keys coming from foreach statements (thanks to Ricky-Lee Birtles)
	- fixed bug where RIPS hangs on certain switch statements (thanks to Jay Bonci)
	- fixed bug with wrong brace wrapping for "case x;" instead of "case x:" statements
	- fixed bug with wrong brace wrapping when if-clause contains only 1 token or in a try/catch block
	- fixed bug with parameter count in interprocedural analysis
	- fixed bug with register_globals implementation and constants
	- fixed bug with tokenizing a do-while in a do-while
	- fixed bug with wrong boundary detection when a function is declared in another function
	- fixed bug with wrong file pointer of included files, improved include rate
	- added auto_prepend/append_file support, improved include_path support (thanks to Jay Bonci)
	- added support for func_get_args() and func_get_arg()
	- added support for alternative syntax for control structures (while(): ... endwhile;)
	- added new sensitive sinks
	- added experimental option SCAN_REGISTER_GLOBALS (/config/general.php)
	- added parsing errors to verbosity level = debug, improved code stability
	
	Interface:
	- added stylesheet "print" (thanks to Kurt Payne)
	- added scrollbars to function code on mouseover
	- disabled graphs for large projects (>50 files) due to performance
	- improved output when a vulnerability is found multiple times (e.g. by multiple inclusion of a vulnerable file)
	- fixed bug with style of multiline comments in code viewer
	- optimized code viewer with file preview window

RIPS 0.51
----------
	- fixed bug with apache_setenv() for non-Apache webservers
	- fixed bug in leakscan preloader

RIPS 0.50
----------
	Code analysis:
	- added about 30 new sensitive sinks and some new userinput functions
	- RIPS now traces code blocks instead of lines
		-> code written on one line without whitespace ("obfuscated") can now be analysed
		-> this also fixes several known bugs
	- RIPS now handles arrays and their keys much more accurately
		-> arrays are handled as variables with saved keys
		-> dynamic key values are resolved
		-> this also fixes several known bugs
	- RIPS has been rewritten in an object-oriented style
		-> better structure
		-> code easier to understand
	- fixed bug when an old define is overwritten by a new one
	- ignores "@" so that connected tokens are detected correctly
	- added leakscan: traces whether the return value of a tainted sensitive sink is echoed (non-blind vs. blind exploitation)
	- fixed lots of securing detection bugs
	- automatically scans for register_globals implementation (extract, parse_str, $$key = $value, import_request_variables, etc.) 
	- lots of new testcases added and fixed
	- improved reconstruction of file names to be included
	- set_time_limit is set to 0 now
	
	Interface:
	- included SaveGraph patch	
	- added preloader information about current scanning status (thanks for the input, Michael Hoffmann)
	- added links to the stats window to other windows	
	- fixed bug with color highlighting in regex search results
	- improved jumping between functions in scan result
	- moved http response splitting to clientside vulnerability list	

RIPS 0.40 SaveGraph Patch:
----------
	- added option to save HTML5 canvas graph as image (feature request by ksaok)

RIPS 0.40:
----------
	Code analysis:
	- fixed bug with vartrace and different dependencies (if(condition) $var=1; else $var=2;)
	- fixed bug with string reconstruction of included files (include("/foo/$var/bar");)
	- improved file inclusion rate (name reconstruction, consider include_path, try to guess file)	
	- fixed bug with usage of defined CONSTANTs (thanks to Dawid) 
	- fixed bug with successful inclusion and FI vulnerability within one inclusion
	- fixed bug with FI vulnerability and function call (require urldecode($_GET['a']))
	- fixed bug with overwritten parameter vars in user-defined function
	- fixed bug with two sensitive sinks in one user-defined function affected by different parameters
	- improved ternary operator handling
	- added quote analysis for more precise securing detection (mysql_query("SELECT ".addslashes($id)); is still vulnerable: the escaped value is not enclosed in quotes)
		(still some bugs with quote analysis, TBD)
	- added vulnerability type 'Unserialize' to scan for POP gadgets
	
	Interface:
	- fixed bug with exploit creator and error_reporting=on (thanks Gregory and others)
	- moved info gathering to a separate verbosity level, removed info about program exits
	- added maximize button to code viewer
	- added graph for file inclusion visualization
	- added graph for function call and vulnerability flow visualization
	- added pie chart for result
	- grouped vulnerable lines for each vulnerability
	- added new color scheme 'ayti' and improved other color schemes
	- fixed bug with vulnerable functions in the result that have not been called with userinput
	- fixed bug with multiline comments in the code viewer
	- added link to stats to show only vulns of specific type (click on vulnerability type)	
	- added color highlighting for regex search results
	- the chosen stylesheet is now remembered persistently via a cookie

RIPS 0.35:
----------
	- added ini_set("auto_detect_line_endings", true) to support Mac OS X newlines
	- added preg_match(_all) support with $matches array
	- prevented the getmultiline() function from recursing over more than 10 rows (tracker ID: 3075359, thanks to lexak)
	- added vulnerability type 'LDAP Injection'
	- fixed bug with wrong detection of user-defined securing functions using for-loops
	- fixed critical bug with wrong detection of securing during inter-procedural analysis
	- fixed bug with not detected function calls in included files and case-sensitive function names
	- fixed bug with userinput returned by user-defined functions

RIPS 0.34:
----------
	- fixed false positive when userinput is overwritten: $_GET['c']=1; exec($_GET['c']);
	- fixed critical bug with missing scan results
	- added more database securing and tainting functions (thanks to Yasuo Ohgaki)

RIPS 0.33:
----------
	Code analysis:
	- added vulnerability type 'XPath Injection'
	- implemented $F_INSECURING_STRING (list of functions like urldecode() that can re-taint already sanitized data) 
	- fixed bug with $GLOBALS[] (ignore previous local vars, accept only global vars)
	- improved tainted $_SESSION (=global var) handling
	- fixed bug with tainting functions not displayed in the result tree
	- fixed bug with differently quoted array keys (array['parameter'] vs. array["parameter"]) during traceback
	- added compact() support
	- ignore upper/lowercase in function names because PHP does not distinguish them (sYsTem() calls system())
	- scan for dynamic function calls $variable() (possible code exec)
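Several entries in this changelog describe one analysis decision each: the quote analysis for securing functions added in 0.40 (addslashes() without surrounding quotes is still a vulnerability), the overwritten-user-input false positive fixed in 0.34 ($_GET['c']=1; exec($_GET['c']);), the $F_INSECURING_STRING list from 0.33 (urldecode() and friends re-taint already escaped data) and the register_globals emulation scan from 0.50 (extract(), parse_str()). The Python script below is an added illustration written for this changelog, not RIPS's own code, and exercises all four in one small taint tracker. Everything in it is an assumption made for the example: the function lists are constructed placeholders much shorter than the real RIPS config, it understands only a tiny PHP subset (one statement per line, assignment, string concatenation with '.', nested single-argument calls, trailing // comments), it does not model $$key = $value, and quote context is tracked by counting single quotes only.

```python
import re

# Constructed, deliberately short function lists (RIPS keeps much larger ones under /config/).
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
SECURING_ALWAYS = {"intval", "htmlspecialchars"}                 # safe in any sink context
SECURING_IN_QUOTES = {"addslashes", "mysql_real_escape_string"}  # safe only inside SQL quotes
INSECURING = {"urldecode", "base64_decode", "stripslashes"}      # undo earlier escaping
SINKS = {"mysql_query", "exec", "system", "eval"}
GLOBALS_EMULATION = ("extract", "parse_str", "import_request_variables")

TOKEN_RE = re.compile(
    r"\$_[A-Z]+\['[^']*'\]"     # superglobal element, e.g. $_GET['id']
    r"|\$\w+"                   # plain variable
    r"|\"[^\"]*\"|'[^']*'"      # string literal
    r"|\d+|\w+|[().]"           # number, identifier, punctuation
)


class TaintTracker:  # a value is a list of (kind, label) segments: lit, taint, escaped or safe
    def __init__(self):
        self.env = {}                  # variable name -> segments
        self.register_globals = False  # set once request data may have become plain variables
        self.findings = []

    def run(self, code):
        for lineno, raw in enumerate(code.splitlines(), 1):
            stmt = re.sub(r"\s*//.*$", "", raw).strip().rstrip(";").strip()
            if stmt:
                self.statement(stmt, lineno)
        return self.findings

    def statement(self, stmt, lineno):
        m = re.match(r"(\$\w+(?:\['[^']*'\])?)\s*=\s*(.+)$", stmt)
        if m:  # plain assignment; $_GET['c'] = 1 overwrites the taint source itself
            self.env[m.group(1)] = self.evaluate(m.group(2))
            return
        m = re.match(r"(\w+)\s*\((.*)\)$", stmt)
        if m:
            func, arg = m.groups()
            segs = self.evaluate(arg)
            if func in GLOBALS_EMULATION and any(kind == "taint" for kind, _ in segs):
                self.register_globals = True
                self.findings.append(f"line {lineno}: {func}() on user input emulates register_globals")
            elif func in SINKS:
                self.check_sink(func, segs, lineno)

    def evaluate(self, text):
        return self.expr(TOKEN_RE.findall(text), 0)[0]

    def expr(self, tokens, pos):  # term ('.' term)*
        segs, pos = self.term(tokens, pos)
        while pos < len(tokens) and tokens[pos] == ".":
            more, pos = self.term(tokens, pos + 1)
            segs += more
        return segs, pos

    def term(self, tokens, pos):
        tok = tokens[pos]
        if tok[0] in "\"'":
            return [("lit", tok[1:-1])], pos + 1
        if tok.isdigit():
            return [("lit", tok)], pos + 1
        if tok.startswith("$"):
            if tok in self.env:
                return list(self.env[tok]), pos + 1
            tainted = tok.startswith(SOURCES) or self.register_globals  # unknown vars taint after extract()
            return [("taint" if tainted else "safe", tok)], pos + 1
        if pos + 1 < len(tokens) and tokens[pos + 1] == "(":  # func(expr)
            inner, pos = self.expr(tokens, pos + 2)
            return self.apply(tok, inner), pos + 1  # pos + 1 skips the ')'
        raise ValueError(f"unsupported token {tok!r}")

    @staticmethod
    def apply(func, segs):
        if func in SECURING_ALWAYS:
            return [("safe", f"{func}()")]
        if func in SECURING_IN_QUOTES:  # escaping only helps if the value lands inside quotes
            return [("escaped", f"{func}({lab})") if k == "taint" else (k, lab) for k, lab in segs]
        if func in INSECURING:  # re-taint data that was merely escaped
            return [("taint", f"{func}({lab})") if k == "escaped" else (k, lab) for k, lab in segs]
        return segs  # unknown function: propagate unchanged

    def check_sink(self, sink, segs, lineno):
        in_quotes = False
        for kind, label in segs:
            if kind == "lit":
                if label.count("'") % 2:  # an odd number of single quotes toggles the context
                    in_quotes = not in_quotes
            elif kind == "taint":
                self.findings.append(f"line {lineno}: {sink}() receives tainted {label}")
            elif kind == "escaped" and not (sink == "mysql_query" and in_quotes):
                self.findings.append(f"line {lineno}: {sink}() receives {label} outside quotes")


def analyse(code):
    return TaintTracker().run(code)


# Constructed sample program; each line exercises one of the changelog cases.
SAMPLE = """\
$id = $_GET['id'];
mysql_query("SELECT * FROM users WHERE id=" . addslashes($id));        // escaped but unquoted
mysql_query("SELECT * FROM users WHERE id='" . addslashes($id) . "'");  // escaped inside quotes
mysql_query("SELECT * FROM users WHERE id='" . urldecode(addslashes($id)) . "'");  // re-tainted
mysql_query("SELECT * FROM users WHERE id=" . intval($id));            // cast is always safe
$_GET['c'] = 1;
exec($_GET['c']);                                                       // overwritten: no finding
extract($_POST);
system($cmd);                                                           // register_globals-style
"""
```

Calling analyse(SAMPLE) yields four findings (sample lines 2, 4, 8 and 9) and nothing for the correctly quoted, cast or overwritten lines. Keeping each value as a list of segments rather than a single tainted/untainted bit is what lets the tracker answer both "is this tainted?" and "is the escaping effective in this position?" in one pass over the sink argument.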
	
	Interface:
	- added missing taint-highlighting in the first line of PVF tree
	- added file list: listing all scanned files and includes
	- added list of function calls to each list item of user-defined functions
	- added help button for simple visualization, description, example, PoC, patch and securing function list in a new window
	- RIPS warns when a scan may take very long (counts the files to scan)
	- added AJAX interface with scan animation
	- added scan result statistics and graphs
	- variables are highlighted on mouseover in the code viewer and scan result; a click makes the highlight persistent
	- code viewer now supports active jumping between function calls and declarations 
		(click on function call to jump to declaration, click "return" to jump back to the call)
	- added regex search function 
	- windows are now resizable
	- added curl headers for all tainting $_SERVER parameters in the exploit creator

RIPS 0.32:
----------
	Code analysis:
	- rebuilt PVF config (split FILE, CODE and SYSTEM PVF into FILE_READ, FILE_AFFECT, FILE_INCLUDE and EXEC PVF)
	- added $_SERVER parameters that are tainting to the config (example: $_SERVER['PHP_SELF'];)
	- fixed bug with securing detection of global string securing functions (example: md5($a.$b);)
	- fixed bug where the first token of an included file was ignored
	
	Interface:
	- added a little howto to the welcome page
	- added more detailed vulnerability types to scan for
	- added vulnerability name to each finding (the name stays visible when the output block is minimized)
	- added .phps-tainted-var for highlighting tainting vars in the trace output
	- added explanation of inter-procedural analysis results
	- added RIPS logo (created by Gareth Heyes, thank you)
	- added an option to change the output tree from bottom-up to top-down (requested by Joel, thank you)
	- fixed bug with missing link in inter-procedural analysis when the function name appeared in the "requires" list

RIPS 0.31:
----------
	Code analysis:
	- improved RIPS code + performance 
		(http://code.google.com/speed/articles/optimizing-php.html)
		(http://www.wmtips.com/php/tips-optimizing-php-code.htm)
	- improved securing detection by detecting automatic type casts	
	- added connection poisoning PVFs
	- added support for $arrays{'a'} with curly braces
	- added missing support for tainted OO functions in XSS scans
	- added a missing class-to-variable association when a constructor is called directly instead of via the keyword 'new'
	- fixed bug where successful file inclusions were scanned again for a file inclusion vulnerability
	- fixed bugs with detecting commands written over several code lines (reported by Stefan Esser & Pragmatk)
		(patch does not solve all multi-line bugs)
	- corrected analysis of variables marked as 'global'	
	
	Interface:
	- better-arranged user input list
	- added option to highlight variables in the CodeViewer by click
	- added vulnerability type "All" to scan client- and server-side vulns simultaneously 
	- added missing exploit button for direct-tainted XSS vulnerabilities