Software Security/Group 2/Code Scanning/CodeSecure

Uit Werkplaats
Ga naar: navigatie, zoeken

After running CodeSecure (with a license) on the phpBB2 web application the tool reported about 2500 different possible vulnerabilities. Most of these vulnerabilities are not important to us however, since we are only focusing on Output Encoding/Escaping for SQL.

We will not go into detail about the pros and cons of the tool. For a detailed review of the tool please head over to the evaluation page.

Below are the results of the 41-hour-scan we ran on a laptop using CodeSecure 4.2.0. This page is divided into three sections: a summary of the findings of the scan followed by the settings used in running the scan, and the last part lists the number of vulnerabilities CodeSecure found in each category it distinguishes.

Scan Summary

Duration Did not complete
Scanned Files 101
Scanned Lines 43,130
Entry Points 62
Vulnerable Entry Points 24
Resulting Vulnerabilities 2,571
Vulnerable Statements 53
Vulnerable Files 16
5 Most vulnerable entry points
Path Filename Vuln# Warnings
/phpBB2/ install.php 470 4
/phpBB2/ groupcp.php 296 0
/phpBB2/ modcp.php 286 0
/phpBB2/admin/ admin_forums.php 253 0
/phpBB2/admin/ admin_styles.php 128 2

Scan Settings

Most of the following data comes directly from the report CodeSecure generated after running the scan.

CodeSecure's settings
Scan Type immediate
Policy Name Default Policy
Tainted Source Type(s) Web Request,Property Configuration,XML,File,Network Input,Web Service,Database,Command Line Arguments,Private,Hard-coded Value,System Environment,Exception Handling,Console,Window Form,Session,Pattern,None
Vulnerability Modules Cross-Site Scripting|HTTP Response Splitting|XPath Injection|Resource Injection|File Inclusion|SQL Injection|Blind SQL Injection|Command Injection|Hard-Coded Password|Struts Validator Config|API Abuse|Information|Leak of System Data|LDAP Injection|Open Redirect|Tag Injection|CRLF Injection|Code Injection|Risky Cryptographic Algorithm|Insecure Randomness|Log Forging|Obsolete Functions|Session Variable Poisoning|Information Leak Through Log Files
Traceback Setting One most vulnerable traceback
Merge Unknown No
Used hardware
CPU Intel Core i5 460M
RAM 4 GB
HDD 500 GB

Vulnerability Specification

Vulnerability Type Vulnerable Statement Resulting Vulnerability
CRLF Injection 1 5
Resource Injection 2 4
File Inclusion 8 849
HTTP Response Splitting 18 33
SQL Injection 1 229
Risky Cryptographic Algorithm 5 534
Cross-Site Scripting 18 917

With the above table go the following charts, all of which are taken from CodeSecure's report as well.

CodeSecureCharts.png


CodeSecure SQL analysis

Below we will give a short description of the relevant vulnerabilities found by CodeSecure

page 10-11 XSS Tainted Database

Constant CONFIG_TABLE gets defined by previously taitned variable $table_prefix. This constant is used in an SQL query ("SELECT * FROM ". CONFIG_TABLE). Data from this query is added to a string that is output to the page.

page 31-32 CRLF Injection, email address from tainted database

SQL contains previously tainted $group_id variable and is executed. Field from database set as email address in email interpreter.

page 34 Email address from tainted database

SQL contains previously tainted $group_id variable and is executed. Field from database set as email address in email interpreter.

page 37-38 Resource injection with data with data from tainted database

SQL contains previously tainted $group_id variable and is executed. Field from database is used in variable declaration. This variable is used in fopen statement.

page 39 Resource injection tainted database

Field from tainted database is used in fopen statement.

page 42 Cross side scripting (tainted database)

Tainted database data is output to HTML

page 47-50 File inclusion with data from tainted database

Data from tainted is used in variable $template_name, this variable is used in include statement.

page 52-53 File inclusion (tainted database)

page 57-58 File inclusion (tainted database)

page 60-61 File inclusion (tainted database)

page 80 HTTP Response Splitting (tainted database)

Header location is changed with data from tainted database

page p92-98 Cross side scripting (tainted database)

Data from sql database is output to HTML