SoftwareSecurity2013/Group 42/Code Scanning/ResultsFortify

Level Critical
Message Dangerous File Inclusion (4 warnings)
ASVS Category V5: Input Validation
Function causing warning
  • extensions/ConfirmEdit/maintenance/GenerateFancyCaptchas.php:30 → global scope
  • extensions/LocalisationUpdate/update.php:8 → global scope
  • extensions/Renameuser/renameUserCleanup.php:30 → global scope
  • extensions/Renameuser/cleanupArchiveUserText.php:8 → global scope
Fortify description Abstract:

The file <filename> passes an unvalidated filename to a dynamic include statement on line <line>. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

Functions sending data to affected function
  • maintenance/hiphop/run-server:38 → sets environment variable
Manual code inspection Fortify raises a security warning since part of the filename that is to be included is obtained from the environment.

However, an attacker is unable to directly affect the environment variables. The environment variable MW_INSTALL_PATH is set when MediaWiki is configured to use HipHop-PHP, at maintenance/hiphop/run-server line 38. It is easily seen that it is set to realpath(__DIR__."/../.."), so an attacker cannot affect the variable.

Verdict False positive
Verdict comments Attacker is unable to affect environment variable


Level Critical
Message Dangerous File Inclusion (1 warning)
ASVS Category V5: Input Validation
Function causing warning
  • extensions/SyntaxHighlight_GeSHi/geshi/geshi.php:3756 → GeSHi::load_language($file_name)
Fortify description Abstract:

The file geshi.php passes an unvalidated filename to a dynamic include statement on line 3756. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

Functions sending data to affected function
  • extensions/SyntaxHighlight_GeSHi/geshi/contrib/example.php:46 → new GeSHi($_POST['source'], $_POST['language']);
Manual code inspection The GeSHi constructor immediately calls GeSHi::set_language if the language variable is nonempty. Within GeSHi::set_language the variable is sanitized by removing all characters other than a-z, A-Z, 0-9, - and _. Subsequently, GeSHi::load_language is called with the sanitized input.
Verdict False positive
Verdict comments Input is properly sanitized
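The allow-list check described above, as an added example that is not GeSHi's own code: the language name is reduced to the same character set GeSHi keeps, and, as an extra defence, the resolved file is required to exist inside the assumed language directory ($langDir, one <name>.php per language) before it is handed to include.

```php
<?php
// Added example (not GeSHi's own code): allow-list a language name before
// using it to build a dynamic include path.

function sanitize_language_name(string $language): string
{
    // Keep only a-z, A-Z, 0-9, '-' and '_'; everything else is dropped.
    return preg_replace('/[^a-zA-Z0-9\-_]/', '', $language);
}

function resolve_language_file(string $langDir, string $language): ?string
{
    $name = sanitize_language_name($language);
    if ($name === '') {
        return null;
    }
    $base      = realpath($langDir);
    $candidate = realpath($langDir . DIRECTORY_SEPARATOR . $name . '.php');
    // Defence in depth: the sanitized name cannot contain '/' or '.', but the
    // resolved path is still checked to lie inside the language directory.
    if ($base === false || $candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function include_language(string $langDir, string $language): bool
{
    $file = resolve_language_file($langDir, $language);
    if ($file === null) {
        return false;          // unknown or malformed language: include nothing
    }
    include $file;
    return true;
}

// Constructed inputs showing what the allow-list strips.
foreach (['php', 'c++', '../other', 'PHP-brief_v2'] as $sample) {
    printf("%-14s -> %s\n", $sample, sanitize_language_name($sample));
}
```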


Level Low
Message Command Injection (2 warnings)
ASVS Category V5: Input Validation
Function causing warning
  • includes/GlobalFunctions.php:2960 → wfMerge($old, $mine, $yours, &$result)
  • includes/GlobalFunctions.php:2972 → wfMerge($old, $mine, $yours, &$result)
Fortify description Abstract:

Line <line> in GlobalFunctions.php calls popen() to execute a command. This might allow an attacker to inject malicious commands.

Functions sending data to affected function None specified
Manual code inspection popen is called on data that has not been sanitized by escapeshellarg and/or escapeshellcmd (the built-in PHP shell sanitization functions). Instead it calls wfEscapeShellArg, a custom function that should sanitize the input. Assuming this function does its job, this is a false positive.
Verdict False positive
Verdict comments Input is properly sanitized
Level Low
Message Command Injection (1 warning)
ASVS Category V5: Input Validation
Function causing warning
  • includes/GlobalFunctions.php:2854 → wfShellExec($cmd, &$retval, $environ, $limits)
Fortify description Abstract:

Line 2854 in GlobalFunctions.php calls passthru() with a command built from untrusted data. This call can cause the program to execute malicious commands on behalf of an attacker.

Functions sending data to affected function
  • includes/installer/Installer.php:1164 → Installer::getPossibleBinPaths()
Manual code inspection The PATH variable from the environment is used to find executables that Mediawiki uses.

However, an attacker cannot influence this variable.

Verdict False positive
Verdict comments Attacker is unable to influence the required variable


Level Low
Message Command Injection (1 warning)
ASVS Category V5: Input Validation
Function causing warning
  • includes/Export.php:1099 → DumpPipeOutput::startCommand($command)
Fortify description Abstract:

Line 1099 in Export.php calls proc_open() to execute a command. This might allow an attacker to inject malicious commands.

Functions sending data to affected function

None specified

Manual code inspection $command is indeed fed to proc_open unsanitized; however, no trace is given where this could lead to malicious command execution.

Also, when sanitizing the input here, the programmer loses flexibility in passing arguments to the command (s)he wishes to execute. Therefore the sanitization should perhaps be performed by the caller.

Verdict False positive
Verdict comments The caller of the function is responsible for sanitization for flexibility reasons. No attack vectors are given.


Level Low
Message Command Injection (1 warning)
ASVS Category V5: Input Validation
Function causing warning
  • includes/filebackend/FSFileBackend.php:722 → FSFileBackend::doExecuteOpHandlesInternal(array $fileOpHandles)
Fortify description Abstract:

Line 722 in FSFileBackend.php calls popen() to execute a command. This might allow an attacker to inject malicious commands.

Functions sending data to affected function

None specified

Manual code inspection $fileOpHandle->cmd is indeed fed to popen unsanitized; however, no trace exists where user input is fed to this function.

When sanitizing the input here, the programmer loses flexibility in passing arguments to the command (s)he wishes to execute. Therefore the sanitization should perhaps be performed by the caller.

Verdict False positive
Verdict comments The caller of the function is responsible for sanitization for flexibility reasons. No attack vectors are given.


Level Medium
Message Cross-Site Scripting (1 warning)
ASVS Category V5: Input Validation
Function causing warning
  • includes/GlobalFunctions.php:2176 → print
Fortify description Abstract:

In GlobalFunctions.php, the program uses HTML, XML or other type of encoding that is not always enough to prevent malicious code from reaching the web browser.

Functions sending data to affected function
  • includes/AjaxDispatcher.php:76 → AjaxDispatcher::__construct()
Manual code inspection htmlspecialchars is used, which sanitizes <, > and double quotes. It does not, however, sanitize single quotes without the ENT_QUOTES flag set.

When using htmlspecialchars without ENT_QUOTES for printing user-supplied data one must be very careful not to use this within attributes enclosed in single quotes, or else an attacker may break out of the attribute and inject JavaScript code. In this particular case the user-supplied data is printed in the body and not within an HTML tag. Therefore escaping < and > is sufficient.

Verdict False positive
Verdict comments Would be better to pass the ENT_QUOTES flag to htmlspecialchars as a code convention.
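The convention the verdict recommends, as an added example that is not MediaWiki's own code: ENT_COMPAT is passed explicitly to reproduce the pre-PHP-8.1 default behaviour the inspection describes (single quotes left alone), next to an ENT_QUOTES helper that is safe in every quoting context.

```php
<?php
// Added example (not MediaWiki's own code): htmlspecialchars() with and
// without ENT_QUOTES. Before PHP 8.1 the default flag set was ENT_COMPAT,
// which leaves the single quote untouched; it is passed explicitly here so
// the output is the same on any PHP version.

function esc_compat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');   // ' is kept
}

function esc_quotes(string $s): string
{
    // ENT_QUOTES encodes both ' and ". ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string, which would silently drop output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A quick check for the context the inspection warns about: a value placed
// inside a single-quoted attribute must not contain a raw single quote.
function safe_in_single_quoted_attr(string $escaped): bool
{
    return strpos($escaped, "'") === false;
}

// Constructed input containing every character the two modes treat differently.
$input = "O'Neil <b>\"x\"</b>";

printf("ENT_COMPAT : %s\n", esc_compat($input));
printf("ENT_QUOTES : %s\n", esc_quotes($input));
printf("ENT_COMPAT safe in value='...': %s\n",
    safe_in_single_quoted_attr(esc_compat($input)) ? 'yes' : 'no');
printf("ENT_QUOTES safe in value='...': %s\n",
    safe_in_single_quoted_attr(esc_quotes($input)) ? 'yes' : 'no');
```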


Level Medium
Message Cross-Site Scripting (1 warning)
ASVS Category V5: Input Validation
Function causing warning
  • extensions/SyntaxHighlight_GeSHi/geshi/contrib/cssgen.php:461 → echo
Fortify description Abstract:

In cssgen.php, the program uses HTML, XML or other type of encoding that is not always enough to prevent malicious code from reaching the web browser.

Functions sending data to affected function
  • extensions/SyntaxHighlight_GeSHi/geshi/contrib/cssgen.php:122 → get_var($var_name)
  • extensions/SyntaxHighlight_GeSHi/geshi/contrib/cssgen.php:124 → get_var($var_name)
Manual code inspection The default-styles GET variable is obtained and, along with other values, appended to the stylesheet variable.

The stylesheet is then echoed without proper input sanitization. Fortunately MediaWiki takes appropriate measures by setting the HttpOnly flag on session cookies by default. However, an attacker may be able to bypass this when the TRACE method is enabled on the HTTP server MediaWiki is running on.

Verdict Vulnerable
Verdict comments Proof of concept:

[1]


Level Medium
Message Cross-Site Scripting (1 warning)
ASVS Category V5: Input Validation
Function causing warning
  • extensions/SyntaxHighlight_GeSHi/geshi/contrib/example.php:175 → echo
Fortify description Abstract:

In example.php, the program uses HTML, XML or other type of encoding that is not always enough to prevent malicious code from reaching the web browser.

Functions sending data to affected function
  • extensions/SyntaxHighlight_GeSHi/geshi/contrib/example.php:30 → get_var
  • extensions/SyntaxHighlight_GeSHi/geshi/contrib/example.php:175 → global scope
Manual code inspection htmlspecialchars is used, which sanitizes <, > and double quotes. It does not, however, sanitize single quotes without the ENT_QUOTES flag set.

When using htmlspecialchars without ENT_QUOTES for printing user-supplied data one must be very careful not to use this within attributes enclosed in single quotes, or else an attacker may break out of the attribute and inject JavaScript code. In this particular case the user-supplied data is printed in the body and not within an HTML tag. Therefore escaping < and > is sufficient.

Verdict False positive
Verdict comments Would be better to pass the ENT_QUOTES flag to htmlspecialchars as a code convention.
