SoftwareSecurity2013/Group 5/Code Scanning

From Werkplaats

The results are grouped by source code analysis tool. First the RATS findings are presented, followed by the Fortify findings (only the in-scope results; the out-of-scope Fortify results are listed here: Fortify Level1B OutOfScope).

RATS

Issue #V3-0001 report
Severity Medium
Message fsockopen: 5 warnings
ASVS Category V3: Session Management
Function causing warning File: ./includes/filebackend/lockmanager/LSLockManager.php:196->getConnection( $lockSrv )
RATS description Abstract:

Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: This function manages locks through a lock daemon server. Some attributes of the class hold values relevant to communication security: the array lockServers keeps the connection details of each lock server, and the $session attribute holds a random session identifier (described in this report as a 128-bit value derived with SHA-1) that identifies this client's lock session to the daemon.

Functions sending data to affected function Function isServerUp( $lockSrv ) Lines: 151-152

Function sendCommand( $lockSrv, $action, $type, $values ) Lines: 164-165

Manual code inspection None.
Verdict False positive.
Verdict comments None.


Issue #V10-0001 report
Severity High
Message fopen
ASVS Category V10: Communication Security
Function causing warning File: ./includes/HttpFunctions.php Line: 870, Function: execute() (defined at line 809)
RATS description Abstract:

Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: fopen() binds the named resource given by its first argument (a file name or URL) to a stream. Most fopen() warnings in the code base concern plain text files and were skipped, so they are not included in our levels. In this function the case to highlight is the use of the https:// wrapper. The developer is responsible for handling the errors PHP reports when the remote server is Microsoft IIS: IIS violates the TLS protocol by closing the connection without sending a close_notify alert, which PHP reports as a fatal protocol error once the end of the data is reached. Otherwise all requirements are met: logging, CA verification and authentication.

Manual code inspection Some errors are not caught, so for an IIS server reached through an https:// URL PHP can emit this kind of generic warning. The behaviour is documented on the PHP website. It would be useful to throw a specific exception for this case.
Verdict False positive.
Verdict comments It would be worth checking the Microsoft IIS error cases to improve the code.
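As an added example (not MediaWiki's HttpFunctions.php), the following PHP shows how the https:// fopen() case above can be handled so that the CA verification the report mentions is explicit and the IIS end-of-data warning is logged rather than ignored or printed. The function name secureHttpsGet() and the CA bundle path are assumptions made for this example.

```php
<?php
// Added example, not MediaWiki code. Opens an https:// URL with fopen() under an
// explicit stream context so that the certificate chain and host name are verified,
// and converts the warnings the stream layer would otherwise print into exceptions.
// secureHttpsGet() and the CA bundle path are assumptions made for this example.

function secureHttpsGet(string $url, string $caFile, int $timeout = 10): string
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException("Refusing non-https URL: $url");
    }

    $ctx = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,    // reject chains not anchored in $caFile
            'verify_peer_name'  => true,    // certificate must match the host name
            'allow_self_signed' => false,
            'cafile'            => $caFile, // assumed path to a PEM CA bundle
        ],
        'http' => [
            'method'  => 'GET',
            'timeout' => $timeout,
            'header'  => "User-Agent: example-client/1.0\r\n",
        ],
    ]);

    // Every PHP warning raised while the stream is open (handshake failure,
    // certificate mismatch, or the "SSL: Fatal Protocol Error" PHP reports when a
    // server such as IIS closes without a close_notify alert) becomes an exception.
    set_error_handler(function (int $errno, string $errstr): bool {
        throw new RuntimeException("stream error: $errstr", $errno);
    });
    try {
        $fh = fopen($url, 'r', false, $ctx);
        if ($fh === false) {
            throw new RuntimeException("fopen failed for $url");
        }
        $body = '';
        try {
            while (!feof($fh)) {
                $chunk = fread($fh, 8192);
                if ($chunk === false) {
                    break;
                }
                $body .= $chunk;
            }
        } catch (RuntimeException $e) {
            // Abnormal close at end of data: keep the chunks already read, but log
            // the event so the protocol violation is visible instead of silently dropped.
            error_log('TLS stream ended abnormally for ' . $url . ': ' . $e->getMessage());
        }
        fclose($fh);
        return $body;
    } finally {
        restore_error_handler();
    }
}

// Usage (needs network access; the CA bundle path is an assumption):
// $html = secureHttpsGet('https://example.org/', '/etc/ssl/certs/ca-certificates.crt');
```

The handshake and certificate errors propagate as exceptions to the caller, while the abnormal close after the full body has arrived is downgraded to a logged event, which is the distinction the manual inspection above asks for.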




Issue #V10-0002 report
Severity Medium
Message fsockopen: 5 warnings
ASVS Category V10: Communication Security
Function causing warning File: ./extensions/ConfirmEdit/recaptchalib.php:80->_recaptcha_http_post(...)
RATS description Abstract:

Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: Submits an HTTP POST to Google's reCAPTCHA server; depending on the $use_ssl flag the request goes to the Google server over SSL or over plain HTTP. For the verification check see lines 112-113 (if ( $use_ssl )).

Functions sending data to affected function Function recaptcha_check_answer(...) Line: 152
Manual code inspection Not required.
Verdict False positive.
Verdict comments None



Issue #V11-0001 report
Severity Medium
Message fsockopen: 5 warnings
ASVS Category V11: HTTP Security
Function causing warning File: ./includes/ZhClient.php:62->connect():59
RATS description Abstract:

Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: ZhClient is the client half of a client/server pair (zhdaemon is the server). This code opens the connection over which the client sends its queries to the server.

Functions sending data to affected function Function __construct( $host, $port ) Line: 37
Manual code inspection Communication between zhclient and zhdaemon can run over plain HTTP without authentication.
Verdict False positive.
Verdict comments Plain HTTP connection.


Issue #V11-0002 report
Severity Medium
Message fsockopen: 5 warnings
ASVS Category V11: HTTP Security
Function causing warning File: ./includes/objectcache/MemcachedClient.php:717-719->_connect_sock(..)
RATS description Abstract:

Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous. Explanation: pfsockopen() behaves like fsockopen() but opens a persistent connection.

Functions sending data to affected function Function _connect_sock( &$sock, $host )
Verdict False positive.
Verdict comments Simple socket connection.

Fortify

Issue #V11-0003 report
Level Critical
Message Open Redirect (3 warnings)
ASVS Category V11: HTTP Security
Function causing warning WebRequest.php:938 → doSecurityRedirect()
Fortify description Abstract:

The file WebRequest.php passes unvalidated data to an HTTP redirect function on line 938. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks. The data is sent at header() in WebRequest.php at line 938.

Functions sending data to affected function
  • WebRequest.php:627
  • WebRequest.php:630
  • WebRequest.php:634
Manual code inspection The call on line 938 is inside the doSecurityRedirect() function, whose purpose is to redirect Microsoft Internet Explorer 6 (IE6) to a safe URL. This function does not set a safe character set in the Content-Type HTTP response header. The URL passed to this function is checked by IEUrlExtension::fixUrlForIE6(); the sanitization performed by fixUrlForIE6() should be inspected further.
Verdict Code needs revision. It did not pass verification requirement V11.3.
Verdict comments A safe character set should be set in the Content-Type HTTP header (even if IE6 does not honour it).


Issue #V11-0004 report
Level High
Message Header manipulation (3 warnings)
ASVS Category V11: HTTP Security
Function causing warning WebRequest.php:938 → doSecurityRedirect()
Fortify description Abstract:

The method doSecurityRedirect() in WebRequest.php includes unvalidated data in an HTTP response header on line 938. This enables attacks such as cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

Functions sending data to affected function Duplicate of issue #V11-0003.
Manual code inspection Duplicate of issue #V11-0003.
Verdict Duplicate of issue #V11-0003.
Verdict comments Duplicate of issue #V11-0003.
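The pattern flagged in issues #V11-0003 and #V11-0004, beside a hardened version of it, as an added PHP example that is not MediaWiki's doSecurityRedirect(): the target is rejected if it contains control characters (header splitting) or points at another origin (open redirect), and the Content-Type header carries an explicit charset as V11.3 requires. The class name SecurityRedirect, the $allowedOrigin parameter and the sample URLs are assumptions made for this example.

```php
<?php
// Added example, not MediaWiki code: the redirect pattern Fortify reports as
// Open Redirect / Header Manipulation, and a hardened form. SecurityRedirect,
// $allowedOrigin and the sample URLs below are assumptions for this example.

final class SecurityRedirect
{
    /** Pattern the scanner flags: the caller's URL reaches Location unchecked. */
    public static function unsafe(string $url): void
    {
        header('Location: ' . $url);          // attacker-controlled target, CR/LF not rejected
        header('Content-Type: text/html');    // no charset
        echo '<a href="' . $url . '">continue</a>';
    }

    /**
     * Returns the URL if it may be used as a redirect target, null otherwise.
     * $allowedOrigin is the scheme://host[:port] this application is served from.
     */
    public static function validateTarget(string $url, string $allowedOrigin): ?string
    {
        // 1. No CR, LF or other control characters: they terminate the header line
        //    and let an attacker append further headers or a response body.
        if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
            return null;
        }
        // 2. Absolute URL whose origin is ours: blocks redirects to foreign hosts
        //    and scheme tricks such as javascript: or protocol-relative //evil.
        $p = parse_url($url);
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            return null;
        }
        $origin = strtolower($p['scheme'] . '://' . $p['host'])
                . (isset($p['port']) ? ':' . $p['port'] : '');
        if ($origin !== strtolower($allowedOrigin)) {
            return null;
        }
        return $url;
    }

    /** Hardened form: validated target, explicit charset, escaped body. */
    public static function safe(string $url, string $allowedOrigin): bool
    {
        $target = self::validateTarget($url, $allowedOrigin);
        if ($target === null) {
            http_response_code(400);
            header('Content-Type: text/plain; charset=UTF-8');
            echo "Invalid redirect target\n";
            return false;
        }
        http_response_code(302);
        header('Location: ' . $target);
        header('Content-Type: text/html; charset=UTF-8'); // ASVS V11.3: safe character set
        $enc = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
        echo "<!DOCTYPE html><html><body><p>Security redirect: "
           . "<a href=\"$enc\">$enc</a></p></body></html>\n";
        return true;
    }
}

// Constructed inputs showing what validateTarget() accepts and rejects.
$origin = 'https://wiki.example.org';
$samples = [
    'https://wiki.example.org/index.php?title=Main_Page&*',  // same origin, IE6-style "&*" suffix
    "https://wiki.example.org/\r\nSet-Cookie: session=attacker", // header splitting attempt
    'https://evil.example/phish',                             // foreign host
    '//evil.example/phish',                                   // protocol-relative, no scheme
];
foreach ($samples as $url) {
    $verdict = SecurityRedirect::validateTarget($url, $origin) === null ? 'rejected' : 'accepted';
    echo $verdict . ': ' . addcslashes($url, "\r\n") . "\n";
}
```

Only the first sample passes: it is the same-origin URL with the "&*" suffix the IE6 workaround appends, which is the one case doSecurityRedirect() needs to serve.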


Issue #V11-0005 report
Level High
Message Header manipulation: Cookies (1 warning)
ASVS Category V11: HTTP Security
Function causing warning SeleniumWebSettings.php:57 → setCookie()
Fortify description Abstract:

Including unvalidated data in an HTTP response header can enable cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

Functions sending data to affected function
  • SeleniumWebSettings.php:44
Manual code inspection This function is defined in a .php file that, as its header states, implements functions to "Dynamically change configuration variables based on the test suite name and a cookie value." The setCookie() call selects a test application, which changes configuration settings of the MediaWiki application, so the contents of this HTTP exchange are considered sensitive. The cookie is set with the $wgCookieSecure flag for security purposes. The query parameter $_GET['setupTestSuite'] is checked against a regex that only allows printable ASCII characters.
Verdict False positive.
Verdict comments None.
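For the cookie case in issue #V11-0005, an added PHP example (not MediaWiki's SeleniumWebSettings.php) of validating a request-supplied test-suite name before it is echoed into a Set-Cookie header, with the secure and HttpOnly attributes set. The suite whitelist, the function names and the use of setcookie()'s options array (PHP 7.3 or later) are assumptions made for this example.

```php
<?php
// Added example, not MediaWiki code. Validates a request-supplied value before it
// becomes a cookie value, then sets the cookie with secure/HttpOnly attributes.
// selectTestSuiteCookieValue(), setTestSuiteCookie() and the suite names are
// assumptions for this example; the options array form of setcookie() needs PHP 7.3+.

function selectTestSuiteCookieValue(array $get, array $allowedSuites): ?string
{
    if (!isset($get['setupTestSuite']) || !is_string($get['setupTestSuite'])) {
        return null;
    }
    $name = $get['setupTestSuite'];
    // Conservative character class: no CR/LF (header splitting), no ';' or ','
    // (cookie attribute separators), no control or non-ASCII bytes, bounded length.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    // Whitelist against the suites that actually exist, so the cookie can only
    // select a known configuration rather than an arbitrary string.
    if (!in_array($name, $allowedSuites, true)) {
        return null;
    }
    return $name;
}

function setTestSuiteCookie(?string $suite, bool $cookieSecure, string $cookieName = 'test-suite'): bool
{
    if ($suite === null) {
        return false;
    }
    // setcookie() rejects values with control characters on its own, but validating
    // first gives an explicit failure instead of a silently missing cookie.
    return setcookie($cookieName, $suite, [
        'expires'  => time() + 600,
        'path'     => '/',
        'secure'   => $cookieSecure, // the role $wgCookieSecure plays in MediaWiki
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed request values standing in for $_GET['setupTestSuite'].
$allowed = ['LoginSuite', 'PagePreviewSuite'];
$inputs = [
    'LoginSuite',
    "LoginSuite\r\nSet-Cookie: admin=1",  // header injection attempt
    'LoginSuite; Path=/admin',            // attribute injection attempt
    'UnknownSuite',                       // well-formed but not whitelisted
];
foreach ($inputs as $value) {
    $suite = selectTestSuiteCookieValue(['setupTestSuite' => $value], $allowed);
    echo ($suite === null ? 'rejected' : 'accepted') . ': ' . addcslashes($value, "\r\n") . "\n";
}
// In a request handler: setTestSuiteCookie($suite, $wgCookieSecure);
```

The character-class check alone would already stop the header-splitting input; the whitelist is what keeps a well-formed but unexpected value from switching the application into a configuration nobody intended to expose.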