Software Security/Group 4/Verdict
From Werkplaats
Nr | Verification Requirement | Pass/Fail | Comment |
---|---|---|---|
V7 | Cryptography | ||
V7.1 | Verify that all cryptographic functions used to protect secrets from the application user are implemented server side. | Pass | There is no client-side script that protects secrets from the user; the only cryptographic operation (md5 hashing) is performed server side. |
V7.2 | Verify that all cryptographic modules fail securely. | Pass | No cryptographic 'modules' are used. The only cryptographic function used (md5) provides no error handling, but it is very unlikely to fail. |
V7.3 | Verify that access to any master secret(s) is protected from unauthorized access (A master secret is an application credential stored as plaintext on disk that is used to protect access to security configuration information). | Pass | Not sure whether this should be a pass. See elaboration. |
V7.4 | Verify that password hashes are salted when they are created. | Fail | See elaboration. |
V7.5 | Verify that cryptographic module failures are logged. | Fail | There is no logging implemented in phpBB2. However, no real cryptographic 'modules' are used either, see V7.2. |
V7.6 | Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved random number generator when these random values are intended to be unguessable by an attacker. | Fail | The random number generators used ('mt_rand', 'rand', 'microtime' and 'uniqid', or combinations of these) are all non-cryptographic. Since 'rand' in combination with 'microtime' is used in profile.php to generate a "random" password, this requirement is not met. |
V9 | Data Protection | ||
V9.1 | Verify that all forms containing sensitive information have disabled client side caching, including autocomplete features. | Fail | Autocomplete is not turned off for the message body and message title fields. Also see elaboration. |
V9.2 | Verify that the list of sensitive data processed by this application is identified, and that there is an explicit policy for how access to this data must be controlled, and when this data must be encrypted (both at rest and in transit). Verify that this policy is properly enforced. | Fail | No data protection policy is defined in the documentation. The only text that could be read as security guidelines is the page linked as Guidelines. |
V9.4 | Verify that all cached or temporary copies of sensitive data sent to the client are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data (e.g., the proper no-cache and no-store Cache-Control headers are set). | Fail | Almost no Cache-Control HTTP headers are set by phpBB2 (only one, in the database backup script). Any headers needed to satisfy this requirement would therefore have to be added in the server configuration. Since there is no documentation on how to do this, and the default server configuration is insecure, we consider this requirement failed. |
V9.5 | Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data. | Pass | The only caching mechanism implemented in phpBB2 is the template cache. Since there is (normally) no sensitive information in template files, and by default no other caching is done on the server, we can say that this requirement is satisfied. |
V10 | Communication Security | ||
V10.1 | Verify that a path can be built from a trusted CA to each Transport Layer Security (TLS) server certificate, and that each server certificate is valid. | N/A | phpBB2 does not have to check this. See elaboration. |
V10.2 | Verify that failed TLS connections do not fall back to an insecure connection. | N/A | phpBB2 does not have to check this. See elaboration. |
V10.3 | Verify that TLS is used for all connections (including both external and backend connections) that are authenticated or that involve sensitive data or functions. | Fail | phpBB2 does not do this. See elaboration. This is the requirement under which the use of TLS should be checked. |
V10.4 | Verify that backend TLS connection failures are logged. | N/A | phpBB2 does not have to check this. See elaboration. Related to V10.2 and V10.3; this should be done by the backend server. |
V10.5 | Verify that certificate paths are built and verified for all client certificates using configured trust anchors and revocation information. | N/A | phpBB2 does not have to check this. See elaboration. |
V10.6 | Verify that all connections to external systems that involve sensitive information or functions are authenticated. | N/A | phpBB2 does not have to do this. See elaboration. |
V10.7 | Verify that all connections to external systems that involve sensitive information or functions use an account that has been set up to have the minimum privileges necessary for the application to function properly. | N/A | phpBB2 does not have to check this. See elaboration. |
V11 | HTTP Security | ||
V11.1 | Verify that redirects do not include unvalidated data. | Fail | On line 83 of login.php, an HTTP POST variable (named redirect) is passed directly into the Location header. Since this variable is not validated before being used in the redirect, this requirement fails. |
V11.2 | Verify that the application accepts only a defined set of HTTP request methods, such as GET and POST. | Fail | See elaboration. |
V11.3 | Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8). | Fail | phpBB2 sets no Content-Type header (declaring the encoding). A Content-Type HTML meta tag is present with the character set iso-8859-1, but this is not a complete replacement for a correct HTTP header. The header could also be set by the web server. |
V11.4 | Verify that the HTTPOnly flag is used on all cookies that do not specifically require access from JavaScript. | Fail | The setcookie calls do not pass the HttpOnly boolean parameter (added in PHP 5.2.0; it defaults to false when absent). |
V11.5 | Verify that the secure flag is used on all cookies that contain sensitive data, including the session cookie. | Pass | The board_config file allows one to decide whether the secure flag should be set. This setting is used in all setcookie calls and also determines whether https:// or http:// is used as the server protocol. |
V11.6 | Verify that HTTP headers in both requests and responses contain only printable ASCII characters. | Fail | On line 83 of login.php, an HTTP POST variable (named redirect) is passed directly into the Location header. This variable could contain all sorts of non-printable characters (although these might be filtered by the web server; PHP's header() function itself refuses a header value containing CR or LF since PHP 5.1.2, which blocks header injection but not other non-printable bytes). |
Source: OWASP
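The two V7 failures above (unsalted md5 hashes, V7.4, and a password generated from rand() combined with microtime(), V7.6) can be shown together in one password-reset routine. The code below is an added example written for this page, not phpBB2's own code; the function names, the 8-character alphabet and the seeding expression are assumptions modelled on the verdict's description. It demonstrates why the weak version fails (the issued password can be recovered offline by enumerating at most a million clock seeds) and what the hardened version looks like with a CSPRNG and salted password hashing.

```php
<?php
// Added example, not phpBB2 code; function and variable names are hypothetical.
// A password-reset routine written twice: the weak version follows the pattern
// the V7.6 row describes (rand() reseeded from microtime()) and stores an
// unsalted md5 as the V7.4 row describes; the hardened version uses a CSPRNG
// and salted, slow password hashing.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak: srand() makes the whole 8-character password a pure function of one seed.
function weak_random_password(int $seed): string
{
    srand($seed);
    $max = strlen(ALPHABET) - 1;
    $pw = '';
    for ($i = 0; $i < 8; $i++) {
        $pw .= ALPHABET[rand(0, $max)];
    }
    return $pw;
}

// microtime() returns a string like "0.12345600 1700000000"; the (double) cast
// keeps only the fractional part, so the seed is just the microsecond within the
// current second: at most one million possibilities.
function weak_seed_from_clock(): int
{
    return (int) ((double) microtime() * 1000000);
}

// Attacker side: knowing a reset happened, regenerate every possible password
// until the issued one appears. Needs no access to the server at all.
function recover_weak_seed(string $issued): ?int
{
    for ($seed = 0; $seed < 1000000; $seed++) {
        if (weak_random_password($seed) === $issued) {
            return $seed;
        }
    }
    return null;
}

// Hardened: random_int() draws from the OS CSPRNG, uniformly, with no seed to guess.
function secure_random_password(int $length = 16): string
{
    $max = strlen(ALPHABET) - 1;
    $pw = '';
    for ($i = 0; $i < $length; $i++) {
        $pw .= ALPHABET[random_int(0, $max)];
    }
    return $pw;
}

// V7.4: md5($pw) has no salt and is fast to brute-force. password_hash() draws a
// random salt per call and stores it inside the returned string, so verification
// needs no extra column and equal passwords no longer produce equal hashes.
function store_password(string $pw): string
{
    return password_hash($pw, PASSWORD_DEFAULT);
}

function check_password(string $pw, string $stored): bool
{
    return password_verify($pw, $stored);
}

// Demonstration: a reset issued "now", then recovered offline from the password alone.
$seed   = weak_seed_from_clock();
$issued = weak_random_password($seed);
$found  = recover_weak_seed($issued);
printf("weak: issued %s, attacker recovers seed %s (real seed %d)\n",
    $issued, var_export($found, true), $seed);

$pw   = secure_random_password();
$hash = store_password($pw);
printf("hardened: password %s stored as %s, verifies: %s\n",
    $pw, $hash, var_export(check_password($pw, $hash), true));

// Two users with the same password: identical under unsalted md5,
// distinct under password_hash() because each call draws a fresh salt.
printf("md5 equal: %s, salted equal: %s\n",
    var_export(md5('secret') === md5('secret'), true),
    var_export(store_password('secret') === store_password('secret'), true));
```

The recovery loop is deliberately naive; an attacker who also knows roughly when the reset was requested needs far fewer than a million guesses, and the search is embarrassingly parallel. Nothing in the hardened version depends on the clock, and bcrypt (PASSWORD_DEFAULT) makes each guess against a stolen hash cost tens of milliseconds instead of the nanoseconds md5 takes.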
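For V11.1 and V11.6, the problem is the same line: a request parameter copied into the Location header. The following added example (not phpBB2 code; the handler shape, function names and the constructed sample inputs are assumptions) shows the vulnerable pattern beside an allow-list validator that accepts only a same-site relative path in printable ASCII, so that both the open redirect and non-printable header bytes are rejected by one check.

```php
<?php
// Added example, not phpBB2 code; names are hypothetical.
// Validating a "redirect" parameter before it is placed in a Location header,
// covering V11.1 (unvalidated redirect) and V11.6 (non-printable header bytes).

// Vulnerable pattern, as the verdict describes it: request data straight into
// the header. PHP only refuses embedded CR/LF here; "http://evil.example" or
// "//evil.example" go through untouched.
function redirect_unvalidated(string $target): void
{
    header('Location: ' . $target);
    exit;
}

// Return a safe redirect target: a relative path on this site made only of
// printable path/query characters, or the default when any check fails.
function safe_redirect_target(?string $candidate, string $default = 'index.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // One allow-list serves V11.6 and most of V11.1. Excluded on purpose:
    // ':' (no scheme such as http: or javascript:), '\\', whitespace, '%'
    // (no percent-encoded CR/LF or slashes to decode later), and every byte
    // outside printable ASCII.
    if (!preg_match('~^[A-Za-z0-9_.\-/?&=#]+$~', $candidate)) {
        return $default;
    }
    // A protocol-relative reference ("//evil.example/...") still leaves the site.
    if (strpos($candidate, '//') === 0) {
        return $default;
    }
    // Parent-directory segments could escape the forum's own path prefix.
    if (preg_match('~(^|/)\.\.(/|$)~', $candidate)) {
        return $default;
    }
    return $candidate;
}

function redirect_validated(?string $candidate): void
{
    header('Location: ' . safe_redirect_target($candidate), true, 303);
    exit;
}

// Constructed inputs an attacker might post as "redirect"; only the first is kept.
$samples = [
    'viewtopic.php?t=42',                 // legitimate same-site target
    'http://evil.example/phish',          // absolute URL, other host
    '//evil.example/phish',               // protocol-relative URL
    "index.php\r\nSet-Cookie: x=1",       // raw header injection
    'index.php%0d%0aSet-Cookie:%20x=1',   // percent-encoded header injection
    '../../admin/index.php',              // path traversal out of the forum
    'viewtopic.php?t=42&highlight=müll',  // non-ASCII bytes
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", addcslashes($s, "\0..\37"), safe_redirect_target($s));
}
```

Validating the raw parameter and forbidding '%' avoids the usual decode-then-check mistakes; if the forum needs percent-encoded query values in redirect targets, decode once with rawurldecode(), run the same checks on the decoded string, and re-encode the path segments before emitting the header.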
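The remaining V9 and V11 failures (no autocomplete control, V9.1; no Cache-Control headers, V9.4; no method restriction, V11.2; no charset in a Content-Type header, V11.3; no HttpOnly flag, V11.4) and the V11.5 pass can be addressed from application code without depending on the web server configuration the verdict found undocumented. The block below is an added example written for this page, not phpBB2 code; the function names, the cookie name 'sid', the form fields and the SameSite choice are assumptions. It requires PHP 7.3 or later for the options-array form of setcookie().

```php
<?php
// Added example, not phpBB2 code; names are hypothetical.
// Response-side controls the V9 and V11 rows find missing, applied from the
// application itself so they do not depend on server configuration.

// V11.2: refuse any request method the page does not handle, with the
// Allow header RFC 7231 requires on a 405.
function enforce_allowed_methods(string $method, array $allowed = ['GET', 'POST']): bool
{
    if (in_array(strtoupper($method), $allowed, true)) {
        return true;
    }
    header('Allow: ' . implode(', ', $allowed));
    http_response_code(405);
    return false;
}

// V11.3 and V9.4: declare the character set on every response, and on pages
// carrying sensitive data forbid caching by browsers and intermediaries.
// The meta tag the verdict mentions cannot replace this: caches and some
// clients act on the HTTP header before any HTML is parsed.
function send_page_headers(bool $sensitive): void
{
    header('Content-Type: text/html; charset=UTF-8');
    if ($sensitive) {
        header('Cache-Control: no-store, no-cache, must-revalidate');
        header('Pragma: no-cache');   // for HTTP/1.0 caches
        header('Expires: 0');
    }
}

// V11.4 and V11.5: session cookie with HttpOnly always set, and Secure set
// whenever the request itself arrived over TLS (the same decision the
// board_config secure-cookie switch in the V11.5 row makes).
function set_session_cookie(string $name, string $value, bool $over_tls): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,          // session cookie
        'path'     => '/',
        'secure'   => $over_tls,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// V9.1: the message form the verdict names, with autocomplete disabled on the
// form and on both of the fields it found unprotected.
function message_form(string $action): string
{
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '" autocomplete="off">'
         . '<input type="text" name="subject" autocomplete="off">'
         . '<textarea name="message" autocomplete="off"></textarea>'
         . '<input type="submit" value="Submit">'
         . '</form>';
}

// Request handling order matters: the method check must come before any
// header or body is emitted, and cookies before output starts.
$over_tls = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if (enforce_allowed_methods($_SERVER['REQUEST_METHOD'] ?? 'GET')) {
    send_page_headers(true);
    set_session_cookie('sid', bin2hex(random_bytes(16)), $over_tls);
    echo message_form('posting.php');
}
```

Setting Secure only when the request came over TLS keeps the board usable on a plain-HTTP test install, which is what the board_config switch achieves; on a production board the switch should simply be on, since a session cookie that is ever sent over HTTP is exposed regardless of what the login page used.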