Software Security/Group 3/Verdict

From Werkplaats

Verification Requirement

| Nr | Verification Requirement | Explanation/Verdict | Judgement |
|---|---|---|---|
| V8.1 | Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id and personal information. | There is some error handling implemented, but personal information can leak. For more information on how phpBB outputs error messages click here. | Fail |
| V8.2 | Verify that all server side errors are handled on the server. | Comments | Fail |
| V8.3 | Verify that all logging controls are implemented on the server. | Comments | Fail |
| V8.4 | Verify that error handling logic in security controls denies access by default. | Error handling logic is not protected in depth against unprivileged users. | Fail |
| V8.5 | Verify security logging controls provide the ability to log both success and failure events that are identified as security-relevant. | There is no such thing as error logging to a file. Either the system reports the error directly to the user or does nothing. | Fail |
| V8.6 | Verify that each log event includes: (1) a time stamp from a reliable source, (2) severity level of the event, (3) an indication that this is a security relevant event (if mixed with other logs), (4) the identity of the user that caused the event (if there is a user associated with the event), (5) the source IP address of the request associated with the event, (6) whether the event succeeded or failed, and (7) a description of the event. | This point is not satisfied, because this version of phpBB2 completely lacks logging. So instead, we analysed the 'logging to screen' which does happen sometimes. Unfortunately, even for this most of the requirements mentioned are not satisfied. Click here to read the details. | Fail |
| V8.7 | Verify that all events that include untrusted data will not execute as code in the intended log viewing software. | Since no logs are kept, this requirement is trivially satisfied. Erik: shouldn't it be a pass then? :-) Niels: The four logging requirements which are not applicable due to the lack of any logging all trivially pass. So, yes, they pass, but these issues really do not apply to phpBB, therefore we chose to uniformly judge these issues not applicable across the project. | N/A |
| V8.8 | Verify that security logs are protected from unauthorized access and modification. | Since no log is saved to a file, it holds vacuously for all log files that they are protected from unauthorized access and modification. | N/A |
| V8.9 | Verify that there is a single logging implementation that is used by the application. | There is one common die() mechanism (message_die()), which is a good start. However, output is not sent to a log file but to the browser. This makes it impossible to audit the log, which is unforgivable. | Fail |
| V8.10 | Verify that the application does not log application-specific sensitive data that could assist an attacker, including user's session ids and personal or sensitive information. | Since no logs are kept, this requirement is trivially satisfied. | N/A |
| V8.11 | Verify that a log analysis tool is available which allows the analyst to search for log events based on combinations of search criteria across all fields in the log record format supported by this system. | No such tool is available, quite simply because no logs are being kept. | Fail |
| V8.12 | Verify that all code implementing or using error handling and logging controls is not affected by any malicious code. | Not applicable to level 2B, since it requires level >= 4. | N/A |

Other Comments

| Nr | Title | Comments |
|---|---|---|
| 1 | die | phpBB uses the function die() to block direct GET requests to files that are only meant to be included. The problem with this is that tools like nikto can distinguish between a 404 and an existing but non-permitted page. This may lead to version number enumeration. |
| 2 | maximum size 0x800000 | Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1000008 bytes) in /opt/lampp/htdocs/phpbb/includes/functions_post.php on line 106 |


Over the course of the manual code scan it has become apparent that phpBB uses the function message_die() to report errors and simple messages to users. Error messages generated this way typically leak some information about the system or its installation. A list of all references made to this function is available here. This list reveals that the function is used throughout the entire project. In debug mode even more information is revealed, but this should be disabled during normal operation.
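As an added example (not phpBB code), the following handler shows what a message_die() replacement meeting the V8 points judged above would look like: a single-line structured record with the seven V8.6 fields, encoded so untrusted values are inert in a log viewer (V8.7), written to a file outside the web root instead of the browser (V8.5, V8.8, V8.9), with only a generic message and a reference id reaching the user (V8.1). The log path, the session key and all function names are assumptions.

```php
<?php
// Added example (not phpBB code). Log path, session key and function names are assumptions.
const SECURITY_LOG = '/var/log/phpbb/security.log';   // assumed path, outside the web root (V8.8)

// One V8.6 record as a single JSON line. json_encode escapes quotes, backslashes and control
// characters; JSON_HEX_* also encodes < > & ' " so untrusted values cannot act as markup (V8.7).
function build_log_record(string $severity, string $description, bool $success,
                          ?string $user, string $source_ip): string
{
    $record = [
        'ts'       => gmdate('c'),                       // 1. timestamp (UTC, server clock)
        'severity' => $severity,                         // 2. severity level
        'security' => true,                              // 3. marks a security-relevant event
        'user'     => $user,                             // 4. acting user, null if anonymous
        'ip'       => $source_ip,                        // 5. source IP of the request
        'outcome'  => $success ? 'success' : 'failure',  // 6. succeeded or failed
        'event'    => $description,                      // 7. description
    ];
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return json_encode($record, $flags) . "\n";
}

// Appends one record; LOCK_EX keeps concurrent requests from interleaving lines.
function security_log(string $severity, string $description, bool $success): void
{
    $user = $_SESSION['username'] ?? null;          // assumption: set by the login code
    $ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $line = build_log_record($severity, $description, $success, $user, $ip);
    file_put_contents(SECURITY_LOG, $line, FILE_APPEND | LOCK_EX);
}

// A message_die()-style handler that keeps detail out of the browser (V8.1): the
// internal reason goes to the log under a random reference id, the user only sees
// the id and a generic text. The status defaults to 404 so a blocked direct request
// to an include file looks like a missing page (see Other Comments, item 1).
function fail_safely(string $internal_detail, int $http_status = 404): void
{
    $ref = bin2hex(random_bytes(8));
    security_log('error', "ref=$ref " . $internal_detail, false);
    http_response_code($http_status);
    header('Content-Type: text/plain; charset=utf-8');
    echo "The request could not be completed. Reference: $ref\n";
    exit;
}

// Usage at the top of a file that must only be included (assuming an include-guard
// constant such as IN_PHPBB), replacing a bare die():
// if (!defined('IN_PHPBB')) { fail_safely('direct request to ' . basename(__FILE__)); }
```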