Software Security/Group 9/Verification Results

Uit Werkplaats
Ga naar: navigatie, zoeken


Verification Results

For overview of the verdicts, see our Verdict on the security requirements page.

Level 1B

V2.1 Verify that all pages and resources require authentication except those specifically intended to be public

Verdict: Fail

Anyone can view memberlist, grouplist and user profiles (should not intend to be public) without authentication. Files in the "contrib" and "docs" folder which contain information about site configuration can be accessed without authentication, these files should be deleted after installation.

Risk: Medium

This is clearly a threat to privacy and might be of some help when doing other kind of attacks.

Fix: Force authentication on the above-mentioned pages.

V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled

Verdict: Fail

Password fields indeed do not echo user's password. However, autocomplete for password cannot be disabled. (Enable 'remember password' in Firefox will automatically remember the crendential.)

Risk: Low

Autocompletion might increase the risk of unauthorized access, however autocompletion is usually done with user's consent (via browser's setting).

Fix:

Disable autocomplete using autocomplete=off property or other techniques.

Level 2B

V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks

Verdict: Fail

After dozen of failed login attempts nothing happened. Test lasted about ten minutes. Manual inspection of the code confirms that no lock down is done.

Risk: High

No lock down poses a very high risk to brute force attacks.

Fix:

Impose lock down mechanism.

V2.4 Verify that all authentication controls are enforced on the server side

Verdict: Pass

No client side implementation for authentication control purpose is identified from code review.

V2.5 Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation

Verdict: Pass

Authentication implementation is centralized in /includes/auth.php. auth will be used for view topic, post topic etc. the phpbb users' access control lists are stored in database.

V2.6 Verify that all authentication controls fail securely

Verdict: Pass

The result of authentication is defined in login.php. When the authentication controls fail, the login operation will not succeed, and related information will be given. Cases includes wrong username, wrong password, board closing, etc.


Risk: High

Revealing information such as "Wrong password" will indicate that users exists in the system. Same equals for board closing etc.

Fix:

Hide debug and error messages from users. Use of logging is preferred.

V2.7 Verify that the strength of any authentication credentials are sufficient to withstand attacks that are typical of the threats in the deployed environment

Verdict: Fail

The only requirement of the password is that it should not be an empty string; passwords are stored as unsalted md5 hashes

Risk: High

Fix: Require "strong" password, use salted hash

V2.8 Verify that all account management functions are at least as resistant to attack as the primary authentication mechanism

Verdict: Fail

User can get access to admin panel by bypass the admin authentication with modifying cookie. caused by /include/session.php.

Risk: High

Fix: This is due to comparing with "==", which does not check the type of the operands. An easy fix will be changing "==" into "==="

V2.9 Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism

Verdict: Fail

Though the password stored in phpbb2 server is hashed by md5, all the credentials are sent in clear text over network, thus can be easily monitored and modified by others who captured the packets.

Risk: High

Fix: Encrypt messages before sending through network

V2.10 Verify that re-authentication is required before any application-specific sensitive operations are permitted

Verdict: Fail

Except changing password, everything else doesn't require re-authentication, including administrative actions

Risk: Medium

Fix: Require re-authentication before any application-specific sensitive operations

V2.11 Verify that after an administratively-configurable period of time, authentication credentials expire

Verdict: Fail

phpbb2 does not provide this function for administrator. After logging in once, the credentials will be valid till log out or close.

Risk: Medium

Fix: Introduce time-out

V2.12 Verify that all authentication decisions are logged

Verdict: Fail

phpBB2 did not provide logging facility for the admin. Administrator can only see logs if he/she is capable to read HTTP-server log files. Apache provides access log, which tracks accessed resources in the server. False login attempts were not tracked.

Risk: Medium

Fix: Log all authentication decisions

V2.13 Verify that account passwords are salted using a salt that is unique to that account (e.g., internal user ID, account creation) and hashed before storing

Verdict: Fail

Passwords are not salted, users with the same passwords will have the same hash.

Risk: High

Fix: Salt the account passwords using identifier unique to an account

V2.14 Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code)

Verdict: Fail

Password for accessing the database is saved unencrypted in config.php

Risk: High

Fix: Store authentication credentials in an encrypted form in a protected location