SoftwareSecurity2012/Group 3/Code Scanning
Results of RIPS
RIPS is a tool written in PHP to find potentially vulnerable functions (PVF) in PHP applications using static code analysis.
RIPS can be completely controlled by a web interface. To start a scan a user has to provide a file or directory name, choose the vulnerability type and click scan. Additionally a verbosity level can be chosen to improve the results:
- The default verbosity level 1 scans only for PVF calls which are tainted with user input without any detected securing actions in the trace.
- The second verbosity level also includes files and database content as potentially malicious user input. This level is important to find vulnerabilities with a persistent payload storage but it might increase the false positive rate.
- The third verbosity level will also output secured PVF calls. This is important to detect insufficient securings which are sometimes hard to detect by a static source code analyzer automatically.
- The fourth verbosity level also shows additional information RIPS collected during the scan: found exit calls, notes about the success of analyzing included files, and calls of functions listed in the interesting functions array. On large PHP applications this information gathering can lead to a very large scan result.
- The last verbosity level, 5, shows all PVF calls and their traces, whether tainted by user input or not. This can be useful in scenarios where a list of static input to PVF calls is of interest. However, this verbosity level can lead to a lot of false positives.
The following is a statistics table generated by RIPS containing a summary of all found vulnerabilities:
| Statistic | Value |
|---|---|
| Scanned files | 32 |
| Include success | 345/811 (43%) |
| Considered sinks | 7 |
| User-defined functions | 26 |
| Unique sources | 250 |
| Sensitive sinks | 3764 |
All found PVF calls and their traces are shown syntax-highlighted to the user, divided into blocks. The following table contains an example of a PVF alert found by RIPS:
| Cross-Site Scripting |
|---|
| Userinput reaches sensitive sink. |
| 17: exit exit ; // register.php requires: 22: if($action == 'rules') 14: if(!$pun_user['is_guest']) |
| Vulnerability is also triggered in: |
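The three classes of PVF call that the verbosity levels above distinguish (tainted with no securing action, tainted but secured, and static) are easier to see on a small piece of code. The following is an added illustration written for this page; it is not RIPS or FluxBB code, and the render_* functions and the $sample array are hypothetical stand-ins for a request handler and $_GET.

```php
<?php
// Added illustration of the source/sink/securing model behind the RIPS
// verbosity levels. Not RIPS or FluxBB code; render_* and $sample are
// hypothetical.

// Level 1 finding: user input (here the request array) reaches a sensitive
// sink (output into HTML) with no securing function on the trace. RIPS
// reports this at every verbosity level.
function render_unsecured(array $get): string
{
    $name = $get['name'] ?? '';            // source: tainted by user input
    return '<p>Hello ' . $name . '</p>';   // sink: tainted data becomes markup
}

// Secured call: the same trace, but htmlspecialchars() runs before the sink.
// RIPS lists such calls only at verbosity 3 or higher, which is the level at
// which to check that the securing fits the output context (this one is
// sufficient for an HTML text node; attribute and JavaScript contexts need
// context-specific encoding instead).
function render_secured(array $get): string
{
    $name = htmlspecialchars($get['name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Hello ' . $name . '</p>';
}

// Static input only: no user data on the trace. Such calls appear only at
// verbosity 5, which lists every PVF call regardless of taint.
function render_static(): string
{
    return '<p>Hello guest</p>';
}

// Constructed sample request, standing in for $_GET.
$sample = ['name' => "O'Brien <admin>"];
echo render_unsecured($sample), PHP_EOL;
echo render_secured($sample), PHP_EOL;
echo render_static(), PHP_EOL;
```

Running the file from the command line prints the three rendered paragraphs; only the first one is a level-1 RIPS finding, the second would surface at level 3 for review of the securing, and the third only at level 5.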
Results of RATS
The RATS tool is a (very) fast scanner focused on finding the following types of problems[1]:
- Buffer overflows
- Format string problems
- Shell executions
- Insecure TMPfiles
- Race conditions
- Access violations
- Weak random
- User input
RATS has a warning level functionality (level 1, 2 or 3) determining which type of warnings you want to have as output (i.e., only severe warnings or also low ones). The default level is 2; however, we ran the tool at its highest warning level (3). This still produced a limited number of warnings, especially compared to other scanning tools we tried out. We used RATS with the following command (all .php files have to be specified separately):
rats -w 3 ../fluxbb/edit.php ../fluxbb/index.php ../fluxbb/login.php ../fluxbb/db_update.php ../fluxbb/delete.php ../fluxbb/post.php ../fluxbb/admin_bans.php ../fluxbb/admin_categories.php ../fluxbb/admin_censoring.php ../fluxbb/admin_forums.php ../fluxbb/admin_groups.php ../fluxbb/admin_index.php ../fluxbb/admin_loader.php ../fluxbb/admin_maintenance.php ../fluxbb/admin_options.php ../fluxbb/admin_ranks.php ../fluxbb/admin_permissions.php ../fluxbb/admin_reports.php ../fluxbb/admin_users.php ../fluxbb/extern.php ../fluxbb/footer.php ../fluxbb/header.php ../fluxbb/help.php ../fluxbb/install.php ../fluxbb/misc.php ../fluxbb/moderate.php ../fluxbb/profile.php ../fluxbb/register.php ../fluxbb/search.php ../fluxbb/userlist.php ../fluxbb/viewforum.php ../fluxbb/viewtopic.php ../fluxbb/include/cache.php ../fluxbb/include/common.php ../fluxbb/include/common_admin.php ../fluxbb/include/email.php ../fluxbb/include/functions.php ../fluxbb/include/parser.php ../fluxbb/include/search_idx.php ../fluxbb/include/dblayer/common_db.php ../fluxbb/include/dblayer/mysql.php ../fluxbb/include/dblayer/mysql_innodb.php ../fluxbb/include/dblayer/mysqli.php ../fluxbb/include/dblayer/mysqli_innodb.php ../fluxbb/include/dblayer/pgsql.php ../fluxbb/include/dblayer/sqlite.php
The output of the tool contained a small number of warnings, mostly related to the use of certain functions like fopen. A few examples are given below (note that the severity low warnings are given because the command specified warning level 3):
File: ../fluxbb/include/functions.php
Lines:
2020
Severity: High
Issue: mail
Arguments 1, 2, 4 and 5 of this function may be passed to an external program. (Usually sendmail). Under Windows, they will be passed to a remote email server. If these values are derived from user input, make sure they are properly formatted and contain no unexpected characters or extra data.
File: ../fluxbb/include/dblayer/sqlite.php
Lines:
49
Severity: Medium
Issue: fsockopen
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.
File: ../fluxbb/include/cache.php
Lines:
29 57 85 130 192 228 257
Severity: Low
Issue: fixed size local buffer
A potential race condition vulnerability exists here. Normally a call to this function is vulnerable only when a match check precedes it. No check was detected, however one could still exist that could not be detected.
File: ../fluxbb/profile.php
Lines:
399
Severity: Low
Issue: is_dir
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. No matching uses were detected.
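The mail warning above asks that arguments derived from user input be "properly formatted and contain no unexpected characters or extra data" before they reach sendmail. The following added example, written for this page and not taken from RATS or FluxBB, shows what such a check looks like: recipient and sender are validated as addresses, single-line fields are refused if they contain CR, LF or NUL, and the fifth argument (passed to the sendmail command line) is never built from user input. The function names, the ENVELOPE_SENDER constant and the $sample array are hypothetical.

```php
<?php
// Added example of the input checks the RATS mail() warning asks for.
// Not RATS or FluxBB code; names and sample data are hypothetical.

// Argument 5 of mail() goes to the sendmail command line, so it is taken
// from configuration only (placeholder value), never from the request.
const ENVELOPE_SENDER = 'forum@example.com';

// Refuse any header-like value that could start an additional line.
function assert_single_line(string $value, string $field): string
{
    if (preg_match('/[\x00\r\n]/', $value)) {
        throw new InvalidArgumentException("$field must not contain line breaks or NUL");
    }
    return $value;
}

// Argument 1 (to) and the From: header must be syntactically valid addresses.
function assert_email(string $value, string $field): string
{
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("$field is not a valid e-mail address");
    }
    return $value;
}

// Build the five mail() arguments from untrusted form data, or throw.
function build_mail_args(array $form): array
{
    $to      = assert_email($form['to'] ?? '', 'to');
    $from    = assert_email($form['from'] ?? '', 'from');
    $subject = assert_single_line($form['subject'] ?? '', 'subject');
    $body    = $form['body'] ?? '';            // body may legitimately span lines
    $headers = "From: $from\r\nX-Mailer: PHP/" . PHP_VERSION;
    return [$to, $subject, $body, $headers, '-f' . ENVELOPE_SENDER];
}

// Constructed sample input standing in for $_POST. The subject contains a
// stray line break, so the checks refuse it and mail() is never reached.
$sample = [
    'to'      => 'user@example.com',
    'from'    => 'forum@example.com',
    'subject' => "Re: your post\r\nSecond line",
    'body'    => 'Hello',
];

try {
    list($to, $subject, $body, $headers, $params) = build_mail_args($sample);
    mail($to, $subject, $body, $headers, $params);
} catch (InvalidArgumentException $e) {
    error_log('mail() call refused: ' . $e->getMessage());
}
```

Replacing the sample subject with a single-line value lets the call proceed; either way the arguments RATS flags (1, 2, 4 and 5) reach mail() only after the checks, which is the situation the warning text describes as acceptable.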
Results of YASCA
YASCA is an open source tool which looks for security vulnerabilities, code quality, performance, and conformance to best practices in program source code. It is possible to let YASCA make use of other tools like RATS or JLINT as if they were plugins.
Running YASCA without plugins gives a little over 100 warnings, divided into the following types:
- 10x W3C standards (JavaScript)
- 14x XSS
- 4x Performance: Function Within Loop Declaration
- 47x Possible Licensing Restrictions
- 27x Performance: Post-Increment of Simple Variable
- 2x Bug: Script Tag in JavaScript file
W3C standards (JavaScript)
These warnings are caused by the JavaScript functions getAttribute and setAttribute that are used. The warning states that they are not supported by IE5.5 and possibly also not by IE6 and/or IE7. These warnings usually concern very old, outdated IE browsers. If a lot of these warnings occur, one might decide not to support IE5.5 and/or IE6.
Cross Site Scripting
Some of the warnings thrown here seem totally valid while others can't be determined until the code is examined further.
Performance: Function Within Loop Declaration
All generated warnings are accurate. Calling a function in the loop header results in it being executed on every iteration; it should probably be called once before the loop. But if the loops involved are small, the performance loss is minimal.
An example line which triggered the error is: "for ($i = 0; $i < count($addresses); ++$i)".
Possible Licensing Restrictions
This concerns the following line: "License: http://www.gnu.org/licenses/gpl.html GPL version 2 or higher", which can be found in 47 source files in fluxbb. These warnings are not important if the license is honored. It would be better if this warning were thrown once instead of 47 times.
Performance: Post-Increment of Simple Variable
A basic for loop will trigger this error. The reason for this is as follows: "Simple variable increments should always be pre-increment. (i.e. ++$foo instead of $foo++. The former can be approximately 20% faster."
Bug: Script Tag in JavaScript file
This gives two warnings, which are both false positives. What YASCA warns about is:
One may not combine the two, as in: <script language="javascript" src="my_script.js"> <div style="color:red;font-weight: bold;">alert('Foo Bar');</a> </script>
It is probably hard to scan for these kinds of bugs when PHP is used and the markup is echoed.
Results of CodeSecure
Unfortunately we couldn't use the tool due to licensing restrictions. This is explained in the SoftwareSecurity2012/Group_3/Code_Scanning_Reflection wiki.