Software Security/Group 3/Verdict
Verification Requirement
Nr | Verification Requirement | Explanation/Verdict | Judgement |
---|---|---|---|
V8.1 | Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id and personal information. | There is some error handling implemented, but personal information can leak. For more information on how phpBB outputs error messages click here. | Fail |
V8.2 | Verify that all server side errors are handled on the server. | Comments | Fail |
V8.3 | Verify that all logging controls are implemented on the server. | Comments | Fail |
V8.4 | Verify that error handling logic in security controls denies access by default. | Error handling logic is not protected in depth against unprivileged users. | Fail |
V8.5 | Verify security logging controls provide the ability to log both success and failure events that are identified as security-relevant. | There is no error logging to file at all. Either the system reports the error directly to the browser or does nothing. | Fail |
V8.6 | Verify that each log event includes: | This point is not satisfied, because this version of phpBB2 completely lacks logging. Instead, we analysed the 'logging to screen' which does happen sometimes. Unfortunately, even for this most of the requirements mentioned are not satisfied. Click here to read the details. | Fail |
V8.7 | Verify that all events that include untrusted data will not execute as code in the intended log viewing software. | Since no logs are kept, this requirement is trivially satisfied. Erik: shouldn't it be a pass then? :-) Niels: The four logging requirements which are not applicable due to the lack of any logging all trivially pass. So, yes, they pass, but these issues really do not apply to phpBB; therefore we chose to uniformly judge these issues not applicable across the project. | N/A |
V8.8 | Verify that security logs are protected from unauthorized access and modification. | Since no logs are written to a file, the requirement holds vacuously: there are no log files that could be accessed or modified. | N/A |
V8.9 | Verify that there is a single logging implementation that is used by the application. | There is one common die() mechanism (message_die()), which is a good start. However, output is not sent to a logfile but to the browser. This makes it impossible to audit the log, which is unforgivable. | Fail |
V8.10 | Verify that the application does not log application-specific sensitive data that could assist an attacker, including user's session ids and personal or sensitive information. | Since no logs are kept, this requirement is trivially satisfied. | N/A |
V8.11 | Verify that a log analysis tool is available which allows the analyst to search for log events based on combinations of search criteria across all fields in the log record format supported by this system. | No such tool is available, quite simply because no logs are being kept. | Fail |
V8.12 | Verify that all code implementing or using error handling and logging controls is not affected by any malicious code. | Not applicable to level 2B, since it requires level >= 4. | N/A |
Other Comments
Nr | Title | Comments |
---|---|---|
1 | die | phpBB uses the function die to block direct GET requests to files that are only meant to be included. The problem with this is that tools like nikto can distinguish between a 404 and an existing but non-permitted page, which may lead to version number enumeration. |
2 | maximum size 0x800000 | Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1000008 bytes) in /opt/lampp/htdocs/phpbb/includes/functions_post.php on line 106 |
Over the course of the manual code scan it has become apparent that phpBB uses the function message_die to report errors and simple messages to users. Error messages generated this way typically leak some information about the system or its installation. A list of all references to this function is available here. The list shows that this function is used throughout the entire project. In debug mode even more information is revealed, but debug mode should be disabled during normal operation.
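To make the two findings above concrete (the die() include guard that lets a scanner tell a forbidden page from a missing one, and message_die() sending error detail to the browser instead of a log), here is an added PHP illustration. It is not code from phpBB or from this report; the function names, messages, log path and record fields are assumptions chosen for the example. The leaky pattern is shown next to a hardened one that answers direct include access with a plain 404, keeps detail in an append-only JSON-lines log, and hands the user only a generic message with a reference id.

```php
<?php
// Added example, not code from phpBB or from the group's report. Function
// names, messages, the log path and the record fields are assumptions.

// --- The pattern the report describes: detail goes straight to the browser --

// Include-only file guard that answers a direct GET with HTTP 200 and a
// distinctive body, so a scanner can tell "forbidden" from "missing".
function guard_leaky(bool $included): void
{
    if (!$included) {
        die('Direct access to this file is not allowed');
    }
}

// message_die-style reporter: installation path and line number reach the user.
function message_die_leaky(string $msg, string $file, int $line): void
{
    die("$msg in $file on line $line");
}

// --- Hardened versions ------------------------------------------------------

const SECURITY_LOG = '/var/log/phpbb/security.log'; // assumed path, outside the web root

// Append one security event as a JSON line and return it. json_encode escapes
// embedded newlines and quotes, so untrusted data cannot forge a second
// record or break a log viewer; success and failure are both recorded.
function security_log(string $event, bool $success, array $ctx = []): string
{
    $rec = [
        'ts'       => gmdate('c'),
        'severity' => $success ? 'info' : 'warning',
        'event'    => $event,
        'success'  => $success,
        'user'     => $ctx['user'] ?? null,
        'ip'       => $_SERVER['REMOTE_ADDR'] ?? null,
        'detail'   => $ctx['detail'] ?? null,
    ];
    $line = json_encode($rec, JSON_UNESCAPED_SLASHES) . "\n";
    @file_put_contents(SECURITY_LOG, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// A direct request to an include-only file looks exactly like a missing page.
function guard_hardened(bool $included): void
{
    if (!$included) {
        security_log('direct_include_access', false,
            ['detail' => $_SERVER['REQUEST_URI'] ?? '']);
        http_response_code(404);
        exit;
    }
}

// Generic message to the user, full detail to the log, tied by a reference id
// so support staff can find the record without the user seeing the detail.
function message_die_hardened(string $msg, string $file, int $line): void
{
    $ref = bin2hex(random_bytes(4));
    security_log('application_error', false,
        ['detail' => "[$ref] $msg in $file:$line"]);
    http_response_code(500);
    echo 'An error occurred. Reference: ' . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
    exit;
}

// Usage at the top of an include-only file, mirroring the IN_PHPBB-style guard:
// guard_hardened(defined('IN_PHPBB'));
```

With the hardened guard, the response to a direct request carries no hint that the file exists, and every error still leaves a searchable record (timestamp, user, source IP, outcome, description) in one place, which is what the single-implementation and auditability requirements above ask for.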