SoftwareSecurity2013/Group 5/Code Scanning
The results are divided by source code analysis tool. First, the analysis results of RATS are presented, followed by the results from Fortify (only the in-scope results; the out-of-scope Fortify results can be found here: Fortify Level1B OutOfScope).
RATS
Severity | Medium |
---|---|
Message | fsockopen: 5 warnings |
ASVS Category | V3: Session Management |
Function causing warning | File: ./includes/filebackend/lockmanager/LSLockManager.php:196 → getConnection( $lockSrv ) |
RATS description | Abstract: Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: This function manages locks using a lock daemon server. Apparently some of the class' attributes hold values used for communication security, such as session ids: an array 'lockServers' keeps the important connection data, and another attribute, $session, manages HTTP sessions using 128 bits of SHA-1-based randomness. |
Functions sending data to affected function | Function isServerUp( $lockSrv ), lines 151-152; Function sendCommand( $lockSrv, $action, $type, $values ), lines 164-165 |
Manual code inspection | None. |
Verdict | False positive. |
Verdict comments | None. |
Severity | High |
---|---|
Message | fopen |
ASVS Category | V10: Communication Security |
Function causing warning | File: ./includes/HttpFunctions.php, line 870, function execute() → 809 |
RATS description | Abstract: Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: fopen() binds a named resource, specified by filename, to a stream. Many of these warnings were raised for plain text-file handling and have been skipped, so they are not included in our levels. The case to highlight in this function is when the SSL protocol is used: the developer is responsible for catching certain fatal errors with Microsoft IIS, because IIS violates the protocol by closing the connection without sending the proper packet. In any case all requirements are met: logging, CA verification and authentication. |
Functions sending data to affected function | WebRequest.php:938 → doSecurityRedirect() |
Manual code inspection | Some exceptions are not caught, so if the remote end were an IIS server reached over an ssl:// URL, PHP could produce this kind of general warning. This behaviour is clearly documented on the PHP website. It would be worthwhile to throw a specific exception for this case. |
Verdict | False positive. |
Verdict comments | Worth checking Microsoft IIS' exceptions to improve the code. |
Severity | Medium |
---|---|
Message | fsockopen: 5 warnings |
ASVS Category | V10: Communication Security |
Function causing warning | File: ./extensions/ConfirmEdit/recaptchalib.php:80 → _recaptcha_http_post(...) |
RATS description | Abstract: Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: Submits an HTTP POST to a Google reCAPTCHA server; depending on whether HTTP or HTTPS is in use, the request goes to the Google server with or without SSL. For verification, see lines 112-113 (if ( $use_ssl )). |
Functions sending data to affected function | Function recaptcha_check_answer(...), line 152 |
Manual code inspection | Not required. |
Verdict | False positive. |
Verdict comments | None. |
Severity | Medium |
---|---|
Message | fsockopen: 5 warnings |
ASVS Category | V11: HTTP Security |
Function causing warning | File: ./includes/ZhClient.php:62 → connect():59 |
RATS description | Abstract: Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: Zhdaemon and zhclient form a client/server pair. This code creates the HTTP connections over which the client sends queries to the server. |
Functions sending data to affected function | Function __construct( $host, $port ), line 37 |
Manual code inspection | Zhdaemon and zhclient can communicate over HTTP without authentication. |
Verdict | False positive. |
Verdict comments | Simple HTTP connection. |
Severity | Medium |
---|---|
Message | fsockopen: 5 warnings |
ASVS Category | V11: HTTP Security |
Function causing warning | File: ./includes/objectcache/MemcachedClient.php:717-719 → _connect_sock(...) |
RATS description | Abstract: Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: pfsockopen is practically the same as fsockopen, but it opens a persistent connection. |
Functions sending data to affected function | Function _connect_sock( &$sock, $host ) |
Verdict | False positive. |
Verdict comments | Simple socket connection. False positive. |
Fortify
Level | Critical |
---|---|
Message | Open Redirect (3 warnings) |
ASVS Category | V11: HTTP Security |
Function causing warning | WebRequest.php:938 → doSecurityRedirect() |
Fortify description | Abstract: The file WebRequest.php passes unvalidated data to an HTTP redirect function on line 938. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks. The data is sent to header() in WebRequest.php at line 938. |
Functions sending data to affected function | WebRequest.php:938 → doSecurityRedirect() |
Manual code inspection | The call on line 938 is contained in the doSecurityRedirect() function, whose purpose is to provide a URL redirect for Microsoft Internet Explorer 6 (IE6). This function does not set a safe character set in the Content-Type HTTP response header. The URL passed to this function is checked by the IEUrlExtension::fixUrlForIE6() function; the sanitization performed by fixUrlForIE6() should be inspected further. |
Verdict | Code needs revision. It did not pass verification requirement V11.3. |
Verdict comments | A safe character set should be set in the Content-Type HTTP header (even if IE6 does not support it). |
Level | High |
---|---|
Message | Header manipulation (3 warnings) |
ASVS Category | V11: HTTP Security |
Function causing warning | WebRequest.php:938 → doSecurityRedirect() |
Fortify description | Abstract: The method doSecurityRedirect() in WebRequest.php includes unvalidated data in an HTTP response header on line 938. This enables attacks such as cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect. |
Functions sending data to affected function | Duplicate of issue #V11-0003. |
Manual code inspection | Duplicate of issue #V11-0003. |
Verdict | Duplicate of issue #V11-0003. |
Verdict comments | Duplicate of issue #V11-0003. |
Level | High |
---|---|
Message | Header manipulation: Cookies (1 warning) |
ASVS Category | V11: HTTP Security |
Function causing warning | SeleniumWebSettings.php:57 → setCookie() |
Fortify description | Abstract: Including unvalidated data in an HTTP response header can enable cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect. |
Functions sending data to affected function | |
Manual code inspection | This function is defined in a .php file that implements the following functionality (as written in the file header): "Dynamically change configuration variables based on the test suite name and a cookie value." The purpose of the setCookie() call is to select a test application that changes the configuration settings of the MediaWiki application, so the contents of the HTTP communication are considered sensitive. A $wgCookieSecure field is included in this cookie for security purposes. The value of $_GET['setupTestSuite'] from the GET request is checked against a regex that allows only printable ASCII characters. |
Verdict | False positive. |
Verdict comments | None. |
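The two V11 findings above (the unvalidated redirect target reaching header() in doSecurityRedirect(), and the setupTestSuite cookie value that is only safe because of its printable-ASCII regex) come down to one rule: nothing that can break out of a header line may reach header() or setcookie(), and a redirect must stay on the site's own host. The PHP below is an added example, not MediaWiki code; the function names, the host wiki.example.org and the candidate inputs are constructed for illustration.

```php
<?php
// Added example, not MediaWiki code; the function names here are assumed, not MediaWiki's.

/** Header-safe check: printable ASCII 0x20-0x7E only, so CR/LF can never reach a header. */
function isPrintableAscii(string $value): bool {
    // \z rather than $: PCRE's $ would let a single trailing newline through.
    return preg_match('/^[\x20-\x7E]*\z/', $value) === 1;
}

/** A redirect target is acceptable if it is header-safe and stays on our own host. */
function isSafeRedirectTarget(string $url, string $expectedHost): bool {
    if (!isPrintableAscii($url)) {
        return false;
    }
    // Local absolute path ("/wiki/Main_Page"); "//host/..." is protocol-relative and excluded.
    if (strlen($url) > 0 && $url[0] === '/' && substr($url, 1, 1) !== '/') {
        return true;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strcasecmp($parts['host'], $expectedHost) === 0;
}

/** Hardened redirect: validated Location plus an explicit charset on Content-Type.
 *  Headers are returned rather than emitted with header() so they can be inspected offline. */
function safeSecurityRedirect(string $url, string $expectedHost, string $fallback = '/'): array {
    $target = isSafeRedirectTarget($url, $expectedHost) ? $url : $fallback;
    return ['Content-Type: text/html; charset=UTF-8', 'Location: ' . $target];
}

// Constructed inputs; run with: php example.php
$host = 'wiki.example.org';
$candidates = [
    '/wiki/Main_Page',                                // local path: allowed
    'https://wiki.example.org/index.php?title=Main',  // same host: allowed
    'https://attacker.example/phish',                 // foreign host: replaced by fallback
    "/ok\r\nSet-Cookie: session=x",                   // CRLF header injection: rejected
    '//attacker.example/',                            // protocol-relative: rejected
];
foreach ($candidates as $c) {
    echo json_encode($c), ' => ', safeSecurityRedirect($c, $host)[1], PHP_EOL;
}
// The same printable-ASCII rule is what makes the setupTestSuite cookie value safe to set.
var_dump(isPrintableAscii('MyTestSuite'), isPrintableAscii("suite\r\nSet-Cookie: x=y"));
```

Only the last two candidates and the foreign host fall back to "/"; the charset on Content-Type addresses the V11.3 point raised in the verdict comments.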