| Action | Done by | Date | Time spent | Comments | Follow up actions |
|---|---|---|---|---|---|
| Install+config of FluxBB on webserver | Maurice | 4/12/2012 | 1 hour | Installation is pretty simple | None. |
| First look at FluxBB | Jeroen | 4/12/2012 | 30 minutes | PHP doesn't look as bad as expected. | None. |
| Installation, configuration and run RATS | Mark & Aram | 4/13/2012 | 2 hours | Might be useful, but it looks like it generates a lot of false positives | We have to check up on possible false positives. |
| Install+test RIPS | Aram + Mark | 4/13/2012 | 2 hours | Simple to install, output looks interesting. Serious potential bugs like command execution, SQL injection and file inclusion we investigated were all false positives. | Review all the output for true positives? |
| Analyze RATS output, email.php | Aram + Jeroen | 4/13/2012 | 2 hours | Even after reading RFCs it seems foolproof. | None. |
| Install+test PHPLint and Pixy | Jeroen | 4/13/2012 | 3 hours | Easy to install, PHPLint looks useless, Pixy looks useful. | Have a closer look at Pixy. |
| Installation, configuration and run CodeSecure | Mark | 4/16/2012 | 3 hours | This license only accepts up to 10k lines of code, FluxBB has more. Freezes during scan with large file numbers. Does work for a smaller amount of files. | Will try this again on a different system. |
| Tried CodeSecure on a different system | Mark | 4/18/2012 | 1 hour | Ran into the same problems. | Somebody else has to try this. |
| Added info and tested CodeSecure some more | Mark | 4/20/2012 | 2 hours | Could not verify the results. | Unless somebody else tries it and can provide some results to compare, I would say we should not use this tool. |
| Install+test RIPS | Maurice | 4/22/2012 | 2 hours | Installation is pretty straightforward, output looks nice | Analyze output for false positives. |
| Install+test RATS | Maurice | 4/22/2012 | 40 minutes | Pretty easy to install under Linux, runs extremely quickly. | Analyze output for false positives as there seem to be too many problems. |
| Download CodeSecure | Maurice | 4/22/2012 | 1 hour | The CodeSecure website is sloooow... | Actually use the software. |
| Install+test CodeSecure, minify FluxBB source | Maurice | 4/22/2012 | 4 hours | The licence is very crippling and minifying PHP code is simple but leaves it totally illegible | Decipher results to see what it actually found. |
| Analyze RIPS output | Maurice | 4/22/2012 | 1 hour | Good looking output, but there is a LOT of it depending on the verbosity settings. | - |
| Last tests PHPLint and documentation | Jeroen | 4/22/2012 | 1 hour | PHPLint is useless to us. | None. |
| Pixy output and documentation | Jeroen | 4/22/2012 | 1.5 hours | Pixy is nice. | None. |
| Installed, running and analysing the result of YASCA | Mark | 4/22/2012 | 3 hours | Simple to install and use, output looks limited compared to other tools | - |
| Typed reflection and result of YASCA + reading of wiki info | Mark | 4/22/2012 | 2 hours | Was a little difficult to write about YASCA with such limited info | - |
| Meeting/Discussion | Maurice + Jeroen + Aram + Mark | 5/25/2012 | 1 hour | Verify the output of the tools | - |
| Meeting/Discussion | Maurice + Jeroen + Aram + Mark | 6/1/2012 | 1 hour | Start thinking about OWASP requirements + take a look at the source code of FluxBB | - |
| Review of FluxBB for exploitable bugs using RIPS, RATS and manual source code review / live testing | Aram | 6/3/2012 | 2 hours | No source of input conclusively determined to be insecure. | |
| Meeting/Discussion | Maurice + Jeroen + Aram + Mark | 6/8/2012 | 2 hours | Continue thinking about OWASP requirements + looking at the source code of FluxBB | - |
| Meeting/Discussion | Maurice + Jeroen + Aram + Mark | 6/15/2012 | 1.5 hours | - | - |
| Updating Wiki | Maurice + Jeroen + Aram + Mark | 6/19/2012 | 6 hours | Update Wiki with our findings. | - |