SoftwareSecurity2013/Group 42/Code Scanning/ResultsFortify
Level | Critical |
---|---|
Message | Dangerous File Inclusion (4 warnings) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: The file <filename> passes an unvalidated filename to a dynamic include statement on line <line>. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution. |
Functions sending data to affected function | |
Manual code inspection | Fortify raises a security warning since part of the filename that is to be included is obtained from the environment. However, an attacker is unable to directly affect the environment variables. The environment variable MW_INSTALL_PATH is set when MediaWiki is configured to use HipHop PHP, at maintenance/hiphop/run-server line 38. It can easily be seen that it is set to realpath(__DIR__."/../.."), meaning an attacker cannot affect the variable. |
Verdict | False positive |
Verdict comments | Attacker is unable to affect the environment variable |
Level | Critical |
---|---|
Message | Dangerous File Inclusion (1 warning) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: The file geshi.php passes an unvalidated filename to a dynamic include statement on line 3756. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution. |
Functions sending data to affected function | extensions/SyntaxHighlight_GeSHi/geshi/contrib/example.php:46 → new GeSHi($_POST['source'], $_POST['language']); |
Manual code inspection | The GeSHi constructor immediately calls GeSHi::set_language if the language variable is non-empty. Within GeSHi::set_language the variable is sanitized by removing all characters other than a-z, A-Z, 0-9, - and _. Subsequently, GeSHi::load_language is called with the sanitized input. |
Verdict | False positive |
Verdict comments | Input is properly sanitized |
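The allowlist step described in the inspection above, as an added example that is not GeSHi's or MediaWiki's own code. It applies the same character filter as GeSHi::set_language and then adds a realpath containment check before the name is used for an include; the language directory, the temp directory and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not GeSHi code. Shows why stripping everything except
// a-z, A-Z, 0-9, '-' and '_' makes the later include safe, and adds a
// containment check as defence in depth.

function sanitizeLanguageName(string $language): string
{
    // Same filter the inspection describes: only [a-zA-Z0-9-_] survive.
    return preg_replace('/[^a-zA-Z0-9\-_]/', '', $language);
}

function resolveLanguageFile(string $languageDir, string $language): ?string
{
    $name = sanitizeLanguageName($language);
    if ($name === '') {
        return null; // nothing usable left after filtering: refuse to include
    }
    $base = realpath($languageDir);
    $path = realpath($languageDir . DIRECTORY_SEPARATOR . $name . '.php');
    // The resolved file must exist and sit directly inside the language dir.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo environment: a temp dir holding a single language file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'geshi_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'php.php', "<?php\n// constructed language file\n");

$samples = ['php', '../../config.php', 'php?x=1', ''];
foreach ($samples as $sample) {
    $resolved = resolveLanguageFile($dir, $sample);
    printf("%-20s -> %s\n", var_export($sample, true), $resolved ?? 'rejected');
}

unlink($dir . DIRECTORY_SEPARATOR . 'php.php');
rmdir($dir);
```

Only the plain name resolves; the other samples lose their slashes, dots and punctuation in the filter and then fail the existence check.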
Level | Low |
---|---|
Message | Command Injection (2 warnings) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: Line <line> in GlobalFunctions.php calls popen() to execute a command. This might allow an attacker to inject malicious commands. |
Functions sending data to affected function | None specified |
Manual code inspection | popen is called on data that has not been passed through escapeshellarg and/or escapeshellcmd (the built-in PHP shell sanitization functions). Instead, wfEscapeShellArg is called, a custom function that should sanitize the input. Assuming this function does its job, this is a false positive. |
Verdict | False positive |
Verdict comments | Input is properly sanitized |
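The verdict above rests on "assuming this function does its job". One way to check that assumption, as an added example that is not MediaWiki code: pass each constructed input through the escaping function, hand the result to a POSIX sh `printf %s`, and require the original bytes back. wfEscapeShellArg is not available stand-alone here, so the harness is shown with PHP's built-in escapeshellarg; any callable with the same contract can be passed instead. Assumes a POSIX shell (escapeshellarg quotes differently on Windows).

```php
<?php
// Added example, not MediaWiki code: round-trip check for a shell argument
// escaping function. If the shell hands printf the original string unchanged,
// none of the characters in it were interpreted by the shell.

function roundTripsThroughShell(callable $escape, string $arg): bool
{
    // printf %s prints its argument byte for byte; only the format string
    // is interpreted, so any difference comes from the shell, not printf.
    $out = shell_exec('printf %s ' . $escape($arg));
    return $out === $arg;
}

function checkEscaper(callable $escape): array
{
    // Constructed inputs: quotes, separators, substitutions and redirections.
    $inputs = [
        'plain.txt',
        'has space.txt',
        "single'quote",
        'double"quote',
        'semi;colon',
        'back`tick',
        'dollar$HOME',
        'amp&pipe|redir>x',
        'glob*.txt',
    ];
    $failures = [];
    foreach ($inputs as $in) {
        if (!roundTripsThroughShell($escape, $in)) {
            $failures[] = $in;
        }
    }
    return $failures; // empty array means every input survived unchanged
}

$failures = checkEscaper('escapeshellarg');
echo $failures === []
    ? "all inputs survived the shell unchanged\n"
    : "escaping failed for: " . implode(', ', $failures) . "\n";
```

To audit the custom function, replace `'escapeshellarg'` with `'wfEscapeShellArg'` after loading GlobalFunctions.php; every input in the list should still come back unchanged.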
Level | Low |
---|---|
Message | Command Injection (1 warning) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: Line 2854 in GlobalFunctions.php calls passthru() with a command built from untrusted data. This call can cause the program to execute malicious commands on behalf of an attacker. |
Functions sending data to affected function | |
Manual code inspection | The PATH variable from the environment is used to find executables that MediaWiki uses. However, an attacker cannot influence this variable. |
Verdict | False positive |
Verdict comments | Attacker is unable to influence the required variable |
Level | Low |
---|---|
Message | Command Injection (1 warning) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: Line 1099 in Export.php calls proc_open() to execute a command. This might allow an attacker to inject malicious commands. |
Functions sending data to affected function | None specified |
Manual code inspection | $command is indeed fed to proc_open unsanitized; however, no trace is given where this could lead to malicious command execution. Also, when sanitizing the input here, the programmer loses flexibility in passing arguments to the command (s)he wishes to execute. Therefore the sanitization should perhaps be performed by the caller. |
Verdict | False positive |
Verdict comments | The caller of the function is responsible for sanitization for flexibility reasons. No attack vectors are given. |
Level | Low |
---|---|
Message | Command Injection (1 warning) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: Line 722 in FSFileBackend.php calls popen() to execute a command. This might allow an attacker to inject malicious commands. |
Functions sending data to affected function | None specified |
Manual code inspection | $fileOpHandle->cmd is indeed fed to popen unsanitized; however, no trace exists where user input is fed to this function. When sanitizing the input here, the programmer loses flexibility in passing arguments to the command (s)he wishes to execute. Therefore the sanitization should perhaps be performed by the caller. |
Verdict | False positive |
Verdict comments | The caller of the function is responsible for sanitization for flexibility reasons. No attack vectors are given. |
Level | Medium |
---|---|
Message | Cross-Site Scripting (1 warning) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: In GlobalFunctions.php, the program uses HTML, XML or another type of encoding that is not always enough to prevent malicious code from reaching the web browser. |
Functions sending data to affected function | |
Manual code inspection | htmlspecialchars is used, which sanitizes <, > and double quotes. It does not, however, sanitize single quotes unless the ENT_QUOTES flag is set. When using htmlspecialchars without ENT_QUOTES for printing user-supplied data, one must be very careful not to use it within attributes enclosed in single quotes, or else an attacker may break out of the attribute and inject JavaScript code. In this particular case the user-supplied data is printed in the body and not within an HTML tag. Therefore escaping < and > is sufficient. |
Verdict | False positive |
Verdict comments | It would be better to pass the ENT_QUOTES flag to htmlspecialchars as a code convention. |
Level | Medium |
---|---|
Message | Cross-Site Scripting (1 warning) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: In cssgen.php, the program uses HTML, XML or another type of encoding that is not always enough to prevent malicious code from reaching the web browser. |
Functions sending data to affected function | |
Manual code inspection | The default-styles GET variable is obtained and, along with other values, appended to the stylesheet variable. The stylesheet is then echoed without proper input sanitization. Fortunately Wikimedia takes appropriate measures by setting the HttpOnly flag on session cookies by default. However, an attacker may be able to bypass this when the TRACE method is enabled on the HTTP server MediaWiki is running on. |
Verdict | Vulnerable |
Verdict comments | Proof of concept: |
Level | Medium |
---|---|
Message | Cross-Site Scripting (1 warning) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: In example.php, the program uses HTML, XML or another type of encoding that is not always enough to prevent malicious code from reaching the web browser. |
Functions sending data to affected function | |
Manual code inspection | htmlspecialchars is used, which sanitizes <, > and double quotes. It does not, however, sanitize single quotes unless the ENT_QUOTES flag is set. When using htmlspecialchars without ENT_QUOTES for printing user-supplied data, one must be very careful not to use it within attributes enclosed in single quotes, or else an attacker may break out of the attribute and inject JavaScript code. In this particular case the user-supplied data is printed in the body and not within an HTML tag. Therefore escaping < and > is sufficient. |
Verdict | False positive |
Verdict comments | It would be better to pass the ENT_QUOTES flag to htmlspecialchars as a code convention. |
Level | Medium |
---|---|
Message | Cross-Site Scripting (1 warning) |
ASVS Category | V5: Input Validation |
Function causing warning | |
Fortify description | Abstract: In GlobalFunctions.php, the program uses HTML, XML or another type of encoding that is not always enough to prevent malicious code from reaching the web browser. |
Functions sending data to affected function | |
Manual code inspection | htmlspecialchars is used, which sanitizes <, > and double quotes. It does not, however, sanitize single quotes unless the ENT_QUOTES flag is set. When using htmlspecialchars without ENT_QUOTES for printing user-supplied data, one must be very careful not to use it within attributes enclosed in single quotes, or else an attacker may break out of the attribute and inject JavaScript code. In this particular case the user-supplied data is printed in the body and not within an HTML tag. Therefore escaping < and > is sufficient. |
Verdict | False positive |
Verdict comments | It would be better to pass the ENT_QUOTES flag to htmlspecialchars as a code convention. |
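The attribute-context risk that the three htmlspecialchars findings above describe (GlobalFunctions.php twice and example.php), as an added example that is not MediaWiki's or GeSHi's code. ENT_COMPAT is passed explicitly because it was the htmlspecialchars default before PHP 8.1, which is the behaviour those inspections refer to; PHP 8.1 and later default to ENT_QUOTES. The sample value, the input element and the checker function are constructed for the demo.

```php
<?php
// Added example, not MediaWiki or GeSHi code. Contrasts a single-quoted
// attribute rendered with and without ENT_QUOTES, and the body context the
// inspections judged safe.

// Constructed sample: a single quote followed by an extra attribute, no script.
const SAMPLE = "x' title='injected";

// Single-quoted attribute without ENT_QUOTES: the ' passes through unchanged
// and terminates the value attribute early, so "title" becomes a new attribute.
function renderAttrWithoutEntQuotes(string $value): string
{
    return "<input value='" . htmlspecialchars($value, ENT_COMPAT) . "'>";
}

// Same attribute with ENT_QUOTES: ' is converted to &#039; and stays inside
// the attribute value.
function renderAttrWithEntQuotes(string $value): string
{
    return "<input value='" . htmlspecialchars($value, ENT_QUOTES) . "'>";
}

// Body context (the false-positive case above): between tags only <, > and &
// can change the markup structure; a bare quote is inert text there.
function renderInBody(string $value): string
{
    return "<p>" . htmlspecialchars($value, ENT_COMPAT) . "</p>";
}

// Checker for the two attribute renderers: exactly two raw single quotes
// means only the delimiters are present and the attribute boundary is intact.
function attributeIntact(string $html): bool
{
    return substr_count($html, "'") === 2;
}

foreach (['renderAttrWithoutEntQuotes', 'renderAttrWithEntQuotes'] as $renderer) {
    $html = $renderer(SAMPLE);
    printf("%-27s %-45s boundary intact: %s\n",
        $renderer, $html, attributeIntact($html) ? 'yes' : 'no');
}
echo renderInBody("<b>bold</b> & 'quoted'"), "\n";
```

The first renderer leaves four single quotes in the output and fails the check; the second leaves only the two delimiters, which is why passing ENT_QUOTES by convention removes the context dependency the verdict comments point out.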