Software Security/Group 9/Code Scanning
Foreword
The focus of Group 9 is V2: Authentication Verification Requirement. According to ASVS 2009, automated code scanning at Level 1B only covers V2.1 and V2.2; most of the verification work needs manual code review at Level 2B. Our results bear this out in some sense: even though we got many vulnerability reports from these scanner tools, there is little information related to this particular requirement.
Erik: Good point! This might be due to the fact that the code scanners used are static analyzers, while authentication is dynamic in nature. Running instances are most likely needed for automatic analyzers to give a good result.
Erik: I'd say the real reason is that authentication will be done by custom code written for this, and a dumb static analysis tool cannot hope to understand how that works - let alone spot any flaws in the program logic. For some of the other security issues there are standard mistakes - or at least standard API calls and entry points into the application - that a static analyzer can look for.
Therefore, we plan to run phpBB2 and do manual code review as future work.
We tried the following tools for the automatic detection phase, with varying degrees of success: Pixy, PHP-SAT, RATS, SWAAT, Yasca, CodeScan, CodeSecure, and Fortify.
Raw Results
Our raw results obtained from the tools are documented here.
Comments
Yasca
- YASCA works well on Windows 7, but there is some problem with the phplint plugin; the other plugins are OK.
- The scan report from YASCA is not well formatted, so it is a bit difficult to find related entries. There are only two authentication-related findings in the report, both about weak credentials, but they seem to be false positives.
- The first one is found in the file install.php, on line 232: $ftp_user = ( !empty($HTTP_POST_VARS['ftp_user']) ) ? $HTTP_POST_VARS['ftp_user'] : ""; The second one is found in the file admin_user.php, on line 71: $username = ( !empty($HTTP_POST_VARS['username']) ) ? trim(strip_tags( $HTTP_POST_VARS['username'] ) ) : '';
- YASCA reports "The username match the password", which is actually not the case.
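Both YASCA findings come from a keyword heuristic: an assignment to a variable named like a credential is reported regardless of where the value comes from. The added Python example below (written for this page, not YASCA's own logic) reproduces that heuristic over constructed PHP lines modelled on the two findings, then shows the refinement a practitioner would want: only a non-empty string literal on the right-hand side can be a hard-coded credential, so values taken from request input are not reported. The third sample line and the file name config_example.php are constructed for contrast and are not from phpBB2.

```python
import re

# Constructed PHP lines: the first two reproduce the two YASCA findings quoted
# above (values come from request input); the third is a made-up hard-coded
# credential added for contrast and is not from phpBB2.
SAMPLE_LINES = [
    ("install.php", 232,
     "$ftp_user = ( !empty($HTTP_POST_VARS['ftp_user']) ) ? $HTTP_POST_VARS['ftp_user'] : \"\";"),
    ("admin_user.php", 71,
     "$username = ( !empty($HTTP_POST_VARS['username']) ) ? trim(strip_tags( $HTTP_POST_VARS['username'] ) ) : '';"),
    ("config_example.php", 12, "$dbpasswd = 'secret123';"),
]

# An assignment to a variable whose name looks like a credential.
CRED_ASSIGN = re.compile(r"^\s*\$(?P<var>\w*(?:user|pass)\w*)\s*=\s*(?P<rhs>.+);\s*$", re.I)
# A bare string literal: the only right-hand side that can actually be a
# credential baked into the source.
STRING_LITERAL = re.compile(r"""^(['"])(?P<val>.*)\1$""")


def naive_scan(lines):
    """Keyword heuristic in the spirit of the YASCA finding: every assignment
    to a credential-looking variable is reported, whatever the value is."""
    return [(path, no, m["var"]) for path, no, src in lines
            if (m := CRED_ASSIGN.match(src))]


def refined_scan(lines):
    """Report only assignments whose value is a non-empty string literal.
    Ternaries, function calls and request variables ($HTTP_POST_VARS) are
    runtime data, so they are not hard-coded credentials."""
    findings = []
    for path, no, src in lines:
        m = CRED_ASSIGN.match(src)
        if not m:
            continue
        lit = STRING_LITERAL.match(m["rhs"].strip())
        if lit and lit["val"]:
            findings.append((path, no, m["var"]))
    return findings


if __name__ == "__main__":
    print("naive:  ", naive_scan(SAMPLE_LINES))
    print("refined:", refined_scan(SAMPLE_LINES))
```

The naive scan reports all three lines; the refined scan reports only the constructed hard-coded password, which is the distinction that turns the two phpBB2 entries into obvious false positives during triage.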
CodeScan
- Since CodeScan focuses on SQL injection detection, we didn't get any results strongly connected to V2.
- It reports 1026 vulnerability entries in total. Among them, 15 findings are labeled "Authorization and Authentication", which may be related to authentication.
- After a brief manual review, we think some of them are false positives, as this code only executes during the installation phase (most of it is in the install.php file) and won't be a problem for a running phpBB instance.
- There are also some SQL injection findings labeled "Authorization and Authentication - SQL Server Hard-coded Password Use with odbc_connect" which may be related to authentication, but we haven't checked the code in depth.
RATS
- By default, the program should recursively visit all directories under the current working directory, but at least under Linux this failed. A script was built to run it on each PHP file in a batch.
- For every file, the program prints statistics about the vulnerability database it uses. This obscures the found vulnerabilities in the output, and extracting the needed information is left to the user. Fortunately, parsing the output can be eased by scripting.
- Concentrates on checking for unsafe functions by static code analysis.
- Has three warning levels in the output: low, medium and high.
- Apparently there are switches which are not covered by the man page or Fortify's RATS web page. A more convenient way to run the program is therefore: rats --columns --noheader --nofooter --quiet --context phpBB2es. This also removes the dependency on the script.
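The "parsing left to the user" point above is easy to script. The following Python parser is an added example for this page, not a tool shipped with RATS: it assumes RATS' text output consists of "Entries in ... database" and "Analyzing ..." lines around findings of the shape "file:line: Severity: name" (with an extra ":column" when --columns is given), each optionally followed by free-text description lines. The sample output embedded below is constructed in that assumed format and is not real RATS output on phpBB2; the statistics lines are exactly the noise the parser discards.

```python
import re
from collections import Counter, defaultdict

# One finding line per RATS hit.  Assumed shape (default text output, or with
# --columns adding a column number): "file:line[:col]: Severity: name".
FINDING = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+)(?::(?P<col>\d+))?:\s*"
    r"(?P<sev>High|Medium|Low):\s*(?P<name>.+?)\s*$"
)
# Statistics and progress lines that RATS prints around the findings; this is
# the output that obscures the actual hits, so it is dropped.
NOISE_PREFIXES = ("Entries in ", "Analyzing ", "Total ")

# Constructed sample output in the assumed format; not real RATS output.
SAMPLE_OUTPUT = """\
Entries in perl database: 33
Entries in python database: 62
Entries in php database: 55
Analyzing phpBB2/login.php
phpBB2/login.php:40: High: mysql_query
Argument 1 to this function call should be checked to ensure that it does not
come from an untrusted source without first verifying that it contains nothing dangerous.
Analyzing phpBB2/includes/sessions.php
phpBB2/includes/sessions.php:120:2: Low: setcookie
phpBB2/includes/sessions.php:98: Medium: preg_replace
Total lines analyzed: 3400
Total time 0.01 seconds
"""

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def parse_rats(text):
    """Return a list of finding dicts.  Description lines that follow a
    finding are attached to it; statistics and progress lines are discarded."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = FINDING.match(line)
        if m:
            current = {
                "file": m["file"], "line": int(m["line"]),
                "col": int(m["col"]) if m["col"] else None,
                "severity": m["sev"], "name": m["name"], "description": [],
            }
            findings.append(current)
        elif not line.strip() or line.startswith(NOISE_PREFIXES):
            current = None          # noise ends any running description
        elif current is not None:
            current["description"].append(line.strip())
    return findings


def summarize(findings):
    """Counts per severity, plus findings grouped by file with the highest
    severity first within each file."""
    by_sev = Counter(f["severity"] for f in findings)
    by_file = defaultdict(list)
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["file"], f["line"]))
    for f in ordered:
        by_file[f["file"]].append(f)
    return by_sev, dict(by_file)


def report(text):
    """Compact text report: severity totals, then hits per file."""
    by_sev, by_file = summarize(parse_rats(text))
    lines = [f"{sev}: {by_sev.get(sev, 0)}" for sev in SEVERITY_RANK]
    for path, hits in by_file.items():
        lines.append(path)
        for f in hits:
            lines.append(f"  line {f['line']} [{f['severity']}] {f['name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Feeding the real output in is a matter of `rats ... | python3 parse_rats.py` with the sample replaced by `sys.stdin.read()`; because the parser ignores unrecognised lines rather than failing on them, it also copes with the --noheader --nofooter form mentioned above.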
Fortify
- Fortify is a versatile tool; it finds more vulnerability information related to V2 Authentication than most other tools.
- There are 12 entries labeled "Password Management: Empty password" in the High category, but these seem to be false positives, as phpBB2 clearly doesn't use empty passwords. There are also some false positives in the Low category: 10 entries for "Password Management: Password in comment", which we believe to be incorrect.
- In the Low category, Fortify found 14 issues related to "Cookie Security": "HTTPonly not set" and "persistent cookie", which may be of considerable interest for V2.
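The two cookie-security classes Fortify reported map onto two arguments of PHP's setcookie(): the third (expire, where 0 means a session cookie and anything else a persistent one) and the seventh (httponly, available since PHP 5.2). The Python checker below is an added example for this page, not Fortify's rule, and runs over constructed PHP lines modelled on the style of a phpBB2-era session layer (not copied from phpBB2); the last sample line is the hardened form that a session cookie should take. Like a static scanner, it cannot evaluate the expire expression, so any value other than a literal 0 is reported as persistent, which is also where such rules produce false positives.

```python
# Constructed PHP lines modelled on the kind of setcookie() calls a phpBB2-era
# session layer makes; they are not copied from phpBB2.  Line 12 is the
# hardened form: session lifetime (expire 0) and HttpOnly set.
SAMPLE_PHP = [
    (10, "setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);"),
    (11, "setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);"),
    (12, "setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure, true);"),
]


def extract_call_args(line, func="setcookie"):
    """Return the argument text of the first func(...) call on the line, or
    None.  Parentheses are balanced; parentheses inside string literals are
    not handled (a known limitation of this line-based check)."""
    start = line.find(func + "(")
    if start < 0:
        return None
    i = j = start + len(func) + 1
    depth = 1
    while j < len(line) and depth:
        if line[j] == "(":
            depth += 1
        elif line[j] == ")":
            depth -= 1
        j += 1
    return line[i:j - 1] if depth == 0 else None


def split_top_level(args):
    """Split an argument list on commas that are not nested in ( ) or [ ]."""
    parts, depth, buf = [], 0, []
    for ch in args:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return parts


def check_setcookie(lines):
    """Flag the two issue classes from the Fortify report: a non-zero expire
    argument (persistent cookie) and a missing or false seventh argument
    (HttpOnly not set).  Returns (line_no, [issues]) for offending calls."""
    results = []
    for lineno, src in lines:
        args = extract_call_args(src)
        if args is None:
            continue
        params = split_top_level(args)
        issues = []
        if len(params) >= 3 and params[2] != "0":
            issues.append("persistent cookie")
        if len(params) < 7 or params[6].lower() != "true":
            issues.append("HttpOnly not set")
        if issues:
            results.append((lineno, issues))
    return results


if __name__ == "__main__":
    for lineno, issues in check_setcookie(SAMPLE_PHP):
        print(f"line {lineno}: {', '.join(issues)}")
```

The persistent-cookie hit on the first line is the kind of finding that needs a human to decide whether a year-long lifetime for serialized session data is acceptable; the HttpOnly hits are mechanical and the fix is the extra argument shown on the last sample line.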