SoftwareSecurity2012/Group 5/Code Scanning

Version by Rafael Carpi (talk | contributions) on 9 Apr 2013 at 21:18 (undid revision 221956 by Rafael Carpi (talk)).

This page contains the raw results of the code scanning. For our reflection and the conclusions, please read the reflection.

RIPS

These results are at level 1 (user tainted). At level 4, we didn't find any other vulnerabilities that were worth noting here.

Summary

  • Header Injection: 1
  • File Inclusion: 2
  • File Manipulation: 6
  • SQL Injection: 2
  • Total: 11

Analysis

install.php

  • File manipulation
    1. False positive. Random file name is written to and then deleted. No way to insert a filename to be modified
    2 & 3. Operations are only done on a new database. Could possibly suffer from a resource depletion attack if used to create many new databases. Problematic if a malicious user has access to the install file (and can duplicate this)
  • File inclusion (all)
    Only problematic if using language files that cannot be trusted. If using the language files that come with the installation, no problem is present
  • File manipulation
    False positive. Random file name is written to and then deleted. No way to insert a filename to be modified
  • File manipulation
    False positive. Random file name is written to and then deleted. No way to insert a filename to be modified
  • SQL injection
    Allows opening of arbitrary databases with read and write rights. Only problematic if username and password are known (which indicates a larger problem)

login.php
In login.php, the warning "Userinput reaches sensitive sink" appears once and the warning "Userinput is passed through function parameters" once. The first one is a false positive. The data from functions.php is copied into the mail command. When the permissions are as they should be, functions.php, which functions more or less like a config.php file, is only writable by administrators. Copying these constants is therefore harmless, as far as we can see.

The second one is also a false positive, but the RIPS output alone isn't enough to conclude this. RIPS tells us:

125: $email = strtolower(trim($_POST['req_email']));

Before this, also to be seen in the RIPS output, stripslashes() is used on $email. Stripping slashes doesn't validate the e-mail address; the e-mail address is validated on lines 126 and 127. RIPS tells us that before the mail command is used, $errors must be empty, and when the e-mail address is not valid, an error is added to $errors.
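The data flow described above, as an added illustration that is not FluxBB's code: stripslashes() validates nothing, a separate check adds to $errors, and the mail sink is only reached when $errors is empty. Function names, the error text and the $send callback are hypothetical.

```php
<?php
// Added example, not FluxBB's own code. Shows why the RIPS warning on $email
// is a false positive: the value only reaches the mail sink after validation.

function is_valid_email($email)
{
    // Length limit plus PHP's built-in syntax check.
    return strlen($email) <= 80 && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// $send stands in for the real mail function so the example runs offline.
function send_password_reminder(array $post, $send)
{
    $errors = array();

    // stripslashes() only undoes magic-quotes escaping; it validates nothing.
    $raw = isset($post['req_email']) ? $post['req_email'] : '';
    $email = strtolower(trim(stripslashes($raw)));

    if (!is_valid_email($email)) {
        $errors[] = 'The email address you entered is invalid.';   // constructed text
    }

    // The sensitive sink is gated on $errors being empty.
    if (empty($errors)) {
        $send($email, 'Password reminder', 'Constructed message body');
        return array('sent' => true, 'errors' => $errors);
    }
    return array('sent' => false, 'errors' => $errors);
}

// Constructed inputs: one valid address, one that fails validation.
$log = array();
$send = function ($to, $subject, $body) use (&$log) { $log[] = $to; };

send_password_reminder(array('req_email' => 'User@Example.org'), $send);
send_password_reminder(array('req_email' => 'not an address'), $send);

// $log holds only the lower-cased valid address; the invalid one never reached $send.
print_r($log);
```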


db_update.php and profile.php
The feedback received is a message with the type of vulnerability (in both cases "Userinput reaches sensitive sink"). Also included is the function that uses the vulnerable data and where in the code the vulnerability can be exploited, including line numbers, which makes it very easy to locate the vulnerable code. The vulnerability found in db_update.php seems to be of interest for the requirements we are checking (V2.1).

db_update.php

False positive. The userinput is only used to perform checks.

profile.php
False positive. The userinput is sanitized.

admin_loader.php
False positive. At line 22 the path is checked with a regex and it's not possible to pass any path that contains 'special' characters.

admin_users.php

The method does not check whether $user_id contains a path separator. It appears, however, that the variable is coming from an array of user_ids and this one is 'checked' by casting it to int. It would be better if the variable was checked in the method itself (or with a cleaner method). It might be possible that an error is made somewhere else in the code, since the method is referenced in a few other files, allowing arbitrary files to be deleted. We couldn't find such a file.
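The check-in-the-method approach recommended above, as an added example that is not FluxBB's code: the file-removal helper validates $user_id itself instead of trusting that every caller cast it to int. The function name, directory and extensions are hypothetical.

```php
<?php
// Added example, not FluxBB's own code. The helper accepts only a plain
// positive decimal integer, so "../", "/" or "\" can never become part of
// the path, whatever the caller passed in.

function delete_user_avatar($avatar_dir, $user_id)
{
    // Reject anything that is not a scalar before casting it to string.
    if (!is_int($user_id) && !is_string($user_id)) {
        return false;
    }
    $id = (string) $user_id;
    // Digits only, no leading zero, not zero: the canonical form of an id.
    if (!ctype_digit($id) || $id[0] === '0') {
        return false;
    }

    $base = realpath($avatar_dir);
    if ($base === false) {
        return false;
    }

    $removed = false;
    foreach (array('jpg', 'gif', 'png') as $ext) {
        $path = $base . DIRECTORY_SEPARATOR . $id . '.' . $ext;
        // Belt and braces: the resolved path must still lie inside $base.
        $real = realpath($path);
        if ($real !== false
            && strpos($real, $base . DIRECTORY_SEPARATOR) === 0
            && is_file($real)) {
            $removed = unlink($real) || $removed;
        }
    }
    return $removed;
}

// Constructed calls for illustration (hypothetical directory).
delete_user_avatar('/tmp/avatars', '42');         // only touches /tmp/avatars/42.<ext>
delete_user_avatar('/tmp/avatars', '../config');  // rejected before any filesystem access
```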

RATS

Summary

  • Warning level 1: 12 warnings
  • Warning level 2: 16 warnings
  • Warning level 3: 76 warnings

Analysis

./db_update.php:648: High: fopen
./extern.php:441: High: fopen
./include/cache.php:29: High: fopen
./include/cache.php:57: High: fopen
./include/cache.php:85: High: fopen
./include/cache.php:130: High: fopen
./include/cache.php:192: High: fopen
./include/cache.php:228: High: fopen
./include/cache.php:257: High: fopen
./include/functions.php:2020: High: fopen
./install.php:1715: High: fopen

False positives. The arguments passed to fopen are sanitized and do not lead to vulnerabilities.

./include/email.php:256: High: mail

False positive. All arguments are sanitized.

./admin_index.php:55: Medium: is_readable

False positive. The function is called on a file in /proc so it can be considered safe.

./include/dblayer/sqlite.php:49: Medium: is_readable

False positive. The check does not result in a vulnerability.

./include/email.php:305: Medium: fsockopen

False positive. The data comes from a safe source, namely the configuration file.

./include/functions.php:2012: Medium: is_dir

False positive. The check does not result in a vulnerability.

./admin_bans.php:12: Low: dirname
./admin_categories.php:12: Low: dirname
./admin_censoring.php:12: Low: dirname
./admin_forums.php:12: Low: dirname
./admin_groups.php:12: Low: dirname
./admin_index.php:12: Low: dirname
./admin_loader.php:12: Low: dirname
./admin_maintenance.php:14: Low: dirname
./admin_options.php:12: Low: dirname
./admin_permissions.php:12: Low: dirname
./admin_ranks.php:12: Low: dirname
./admin_reports.php:12: Low: dirname
./admin_users.php:12: Low: dirname
./db_update.php:37: Low: dirname
./db_update.php:791: Low: dirname
./delete.php:9: Low: dirname
./edit.php:9: Low: dirname
./extern.php:60: Low: dirname
./help.php:12: Low: dirname
./include/utf8/utf8.php:33: Low: dirname
./index.php:9: Low: dirname
./install.php:23: Low: dirname
./install.php:135: Low: dirname
./login.php:12: Low: dirname
./misc.php:12: Low: dirname
./moderate.php:9: Low: dirname
./post.php:9: Low: dirname
./profile.php:9: Low: dirname
./register.php:9: Low: dirname
./search.php:12: Low: dirname
./userlist.php:9: Low: dirname
./viewforum.php:9: Low: dirname
./viewtopic.php:9: Low: dirname

False positives. The arguments passed to all of these calls come from safe sources, i.e. __FILE__ and $_SERVER['SCRIPT_NAME'].

./db_update.php:648: Low: fopen
./extern.php:441: Low: fopen
./include/cache.php:29: Low: fopen
./include/cache.php:57: Low: fopen
./include/cache.php:85: Low: fopen
./include/cache.php:130: Low: fopen
./include/cache.php:192: Low: fopen
./include/cache.php:228: Low: fopen
./include/cache.php:257: Low: fopen
./install.php:1715: Low: fopen

False positives. All arguments passed to these functions are either from safe sources or properly sanitized.

./db_update.php:1863: Low: unlink
./include/cache.php:279: Low: unlink
./include/functions.php:678: Low: unlink
./include/functions.php:758: Low: unlink
./profile.php:385: Low: unlink
./profile.php:392: Low: unlink

False positives. All arguments passed to these functions are either from safe sources or properly sanitized/checked.

./header.php:56: Low: basename
./header.php:161: Low: basename
./include/email.php:140: Low: basename
./include/functions.php:1242: Low: basename
./include/functions.php:1361: Low: basename
./include/parser.php:679: Low: basename

False positives. None of these calls can lead to vulnerabilities.

./include/cache.php:218: Low: is_dir

False positive. This check does not lead to a vulnerability.


./include/functions.php:1695: Low: is_dir

False positive. This check does not lead to a vulnerability.

./include/cache.php:219: Low: file

False positive. This call does not result in a vulnerability.

./profile.php:398: Low: rename

False positive. This call does not result in a vulnerability.

./profile.php:399: Low: chmod

False positive. This call does not result in a vulnerability.