SoftwareSecurity2014/Group 4/Code Scanning


V5 LEVEL 1B - INPUT VALIDATION VERIFICATION REQUIREMENTS ON MIBEW

V5.1 Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows.
V5.2 Verify that a positive validation pattern is defined and applied to all input.

Tool: RATS (Rough Auditing Tool for Security)

We scanned Mibew with RATS using the command rats --quiet --xml -w 3. The scan took 0.126819 seconds and covered 11704 lines of the Mibew project. The detailed results of the RATS scan are shown in the table below:

Threat Level | Number of Threats | What causes the threats
High         | 2                 | fopen, mail
Medium       | 0                 | -
Low          | 37                | is_dir, fixed size local buffer, fileperms, is_readable, is_file

RATS reported low-level findings caused by "fixed size local buffer" or "dirname", which relate to race conditions. It also flagged "fileperms", "is_readable", "is_dir" and "is_file", which relate to potential TOCTOU (Time of Check, Time of Use) vulnerabilities. TOCTOU is one of the common race condition problems. A race condition is behaviour in which the output depends on the sequence or timing of other events, so race conditions are not part of the Input Validation vulnerability class in web applications. In general, a race condition can cause an input validation problem if data is changed between the time it is validated and the time it is used. However, this rarely happens in a PHP application, and when it does happen it is most likely caused by a bug inside Apache, since Apache's API is also written in C.


Tool: HP Fortify

We scanned Mibew using Fortify Audit Workbench. It detected 3757 vulnerabilities, categorized as low level (102), medium level (2862), high level (52) and critical level (741). The findings that can be used for Input Validation verification are Cross-Site Scripting (Persistent, Poor Validation, Reflected), Header Manipulation, Often Misused: File Upload, Open Redirect, and Path Manipulation. Mibew uses "safe_htmlspecialchars" as a validation pattern for its input.

Comparison: RATS (Rough Auditing Tool for Security) vs Fortify Result

Fortify and RATS can report different types of vulnerabilities for the same line of code; translate.php line 88 is an example. Fortify reports a Critical-level vulnerability related to "fopen": "Attackers can control the filesystem path argument to fopen() at translate.php line 88, which allows them to access or modify otherwise protected files." RATS reports the same line as a Low-level vulnerability related to "fixed size local buffer" or "dirname". Based on this, the Fortify result is more useful for the V5 requirements, because the RATS result is mainly focused on race condition vulnerabilities.

In addition, Fortify can still produce false positives. For instance, at "b.php" line 58 Fortify flagged a usage of "fopen" as a Critical-level finding. However, when we analysed that usage we concluded that this fopen is not actually vulnerable, because validation controls are applied beforehand. It is therefore still necessary to analyse the code flow thoroughly before concluding that the code has a vulnerability.
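The Fortify fopen finding and the RATS TOCTOU findings point at the same kind of code: a file name influenced by a request is checked and then opened. The following is an added example written for this page, not Mibew code; open_under_base(), the locale-style file naming and the temporary directory are assumptions. It applies a positive validation pattern (V5.2) and a canonical-path check, then opens the file directly instead of calling is_file()/is_readable() first, so there is no separate check-then-use step.

```php
<?php
// Added example, not Mibew code: open a file only when the requested name
// resolves inside an allowed base directory, and do so without a separate
// is_file()/is_readable() check ahead of fopen() (the check-then-use window
// RATS flags as TOCTOU). open_under_base() and the .txt naming are assumed.
function open_under_base(string $baseDir, string $userSupplied)
{
    $base = realpath($baseDir);                 // canonical base, or false
    if ($base === false) {
        return null;
    }
    // Positive validation pattern (V5.2): accept only a simple, expected
    // file name. A NUL byte, a newline or any path separator fails this test.
    if (!preg_match('/^[a-z]{2}(?:-[a-z]{2})?\.txt\z/', $userSupplied)) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userSupplied);
    // Defence in depth: realpath() resolves symlinks and "..", so a result
    // that is not below $base (or a missing file, which yields false) is rejected.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Open directly and treat failure as the check. A symlink swapped in
    // between realpath() and fopen() is still possible, so the base
    // directory must not be writable by untrusted users.
    $fh = @fopen($target, 'rb');
    return $fh === false ? null : $fh;
}

// Constructed demo: a temporary base directory holding one allowed file.
$base = sys_get_temp_dir() . '/demo_locales_' . getmypid();
mkdir($base);
file_put_contents("$base/en.txt", "hello\n");

$ok = open_under_base($base, 'en.txt');
echo 'allowed name opened: ', var_export($ok !== null, true), "\n";
echo 'traversal rejected:  ', var_export(open_under_base($base, '../outside.txt') === null, true), "\n";
echo 'NUL byte rejected:   ', var_export(open_under_base($base, "en.txt\0.txt") === null, true), "\n";

if ($ok !== null) {
    fclose($ok);
}
unlink("$base/en.txt");
rmdir($base);
```

The prefix check also covers names that pass the pattern but are symlinks pointing outside the base directory.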


Category | Source File | Lines | Sink | Verdict
Cross-Site Scripting: Persistent | notification.php | 24, 32, 40, 48, 63 | getlocal, sanitize_string | False Positive
Cross-Site Scripting: Persistent | notification.php | 35, 51 | safe_htmlspecialchars | False Positive
Cross-Site Scripting: Persistent | notification.php | 57 | prepare_html_message | False Positive
Cross-Site Scripting: Persistent | notification.php | 62 | $mibew_root | False Positive
Cross-Site Scripting: Persistent | performance.php | 27, 34, 45, 49, 54, 58, 63, 67, 72, 76, 81, 85, 90, 94 | getlocal | False Positive
Cross-Site Scripting: Persistent | permissions.php | 27, 34 | getlocal | False Positive
Cross-Site Scripting: Persistent | resetpwd.php | 33, 37, 40, 55, 60, 68, 76, 88, 94, 98 | getlocal | False Positive
Cross-Site Scripting: Persistent | restore.php | 33, 37, 40, 52, 57, 64, 76, 82 | getlocal | False Positive
Cross-Site Scripting: Persistent | group.php | 28, 31, 39, 51, 55, 60, 64, 69, 73, 78, 82, 87, 91 | getlocal | False Positive
Cross-Site Scripting: Persistent | groups.php | 31, 41, 42, 52, 54, 56, 58, 76, 80, 82, 95, 106, 117 | getlocal, $mibewroot, getlocalforJS | False Positive
Cross-Site Scripting: Persistent | login.php | 30, 37, 42, 49, 57, 69, 78 | getlocal, $mibewroot, getlocalforJS | False Positive
Cross-Site Scripting: Persistent | settings.php | 27, 34, 45, 49, 54, 58 | getlocal | False Positive
Cross-Site Scripting: Persistent | statistics.php | 25, 41, 47, 69, 94 | getlocal | False Positive
Cross-Site Scripting: Persistent | themes.php | 27, 38, 44, 61, 64 | getlocal | False Positive
Cross-Site Scripting: Persistent | update.php | 145 | echo "<threads revision=\"$revision\" time=\"" . time() . "000\">"; | True Positive
Cross-Site Scripting: Persistent | users.php | 51,53,60...66,79,89,91 25,36,37,40 | getlocal | False Positive
Cross-Site Scripting: Persistent | ban.php | 24, 40 | getlocal2 | False Positive
Header Manipulation | operator.php | 87, 100 | header("Location: ...) | False Positive
Header Manipulation | opgroups.php | 71 | header("Location: ...) | False Positive
Header Manipulation | groupmembers.php | 71 | header("Location: ...) | False Positive
Header Manipulation | group.php | 100, 104 | header("Location: ...) | False Positive
Header Manipulation | login.php | 44 | header("Location: ...) | False Positive
Header Manipulation | canned.php | 113 | header("Location: ...) | False Positive
Cross-Site Scripting: Poor Validation | performance.php | 47, 56, 65, 74, 83, 92 | form_value | False Positive
Cross-Site Scripting: Poor Validation | permissions.php | 39, 45, 49, 56 | safe_htmlspecialchars | False Positive
Cross-Site Scripting: Poor Validation | resetpwd.php | 40 | urlencode | False Positive
Cross-Site Scripting: Poor Validation | resetpwd.php | 49, 50 | safe_htmlspecialchars | False Positive
Cross-Site Scripting: Poor Validation | restore.php | 66 | form_value | False Positive
Cross-Site Scripting: Poor Validation | group.php | 44, 53, 62, 71, 80, 89, 96 | form_value | False Positive
Cross-Site Scripting: Poor Validation | groupmembers.php | 27, 34, 39, 45, 50, 51, 52, 58 | safe_htmlspecialchars, getlocal | False Positive
Cross-Site Scripting: Poor Validation | groups.php | 71, 72, 76, 88, 89, 94 | safe_htmlspecialchars | False Positive
Cross-Site Scripting: Poor Validation | login.php | 51, 75 | safe_htmlspecialchars, form_value, getlocal | False Positive
Cross-Site Scripting: Poor Validation | notification.php | 35, 51, 57 | safe_htmlspecialchars, prepare_html_message | False Positive
Path Manipulation | translate.php | 24, 35, 60, 74, 81 | echo, fopen | True Positive
Path Manipulation | avatar.php | 66, 68 | unlink, move_uploaded_file | True Positive


From the table above, we conclude that the warnings were caused by a handful of functions: getlocal(), safe_htmlspecialchars(), prepare_html_message() and sanitize_string(). When we checked these functions manually, we found that they perform blacklist-based validation. We therefore conclude that the Fortify warnings regarding these functions were false positives.

During our analysis at level 2B, we found a false negative in the Fortify result. While checking the Fortify warning about the HTTP response header on operator.php line 87, where we found that the parameter was already validated using intval, we decided to also check line 86. That line calls the create_operator function. On analysing create_operator more thoroughly, we found that it uses the deprecated PHP function mysql_real_escape_string(). That function escapes several special characters in its input (\x00, \n, \r, \', ", \x1a). However, it is still vulnerable to SQL injection because it does not cover all the characters needed to prevent SQL injection. Moreover, none of the SQL queries in Mibew are executed as prepared statements. Using prepared statements does not by itself guarantee protection against SQL injection, but not using them opens up more possibilities for SQL injection.
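To make the escaping-versus-prepared-statement point above concrete, here is an added example written for this page, not Mibew's create_operator code. Because mysql_real_escape_string() needs a live MySQL link and no longer exists in PHP 7+, legacy_escape() stands in for it and escapes the same characters the PHP documentation lists for that function; the operators table, its columns and the SQLite in-memory database are constructed for the demo. The escaped-and-interpolated query matches every row of the table, while the prepared statement matches none, which is why escaping alone is not a substitute for prepared statements.

```php
<?php
// Added example, not Mibew code. legacy_escape() mimics what
// mysql_real_escape_string() does to its input: it prefixes NUL, \n, \r,
// backslash, single quote, double quote and \x1a with a backslash.
function legacy_escape(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// Vulnerable shape: escape, then interpolate into the SQL text. In a numeric
// (unquoted) context the escaped value still becomes part of the query
// structure, so escaping cannot separate data from code.
function find_login_escaped(PDO $db, string $id): array
{
    $sql = "SELECT login FROM operators WHERE id = " . legacy_escape($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened shape: a prepared statement. The value is bound as data and never
// becomes SQL text, whatever characters it contains.
function find_login_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT login FROM operators WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory database with two operators.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE operators (id INTEGER PRIMARY KEY, login TEXT)');
$db->exec("INSERT INTO operators VALUES (1, 'admin'), (2, 'agent')");

// Constructed input: it contains none of the characters legacy_escape()
// touches, so the escaped string is identical to the raw one.
$input = '1 OR 1=1';
echo 'escaped value unchanged: ', var_export(legacy_escape($input) === $input, true), "\n";
echo 'rows via escaping + interpolation: ', count(find_login_escaped($db, $input)), "\n";
echo 'rows via prepared statement:       ', count(find_login_prepared($db, $input)), "\n";
```

When the id is known to be an integer, binding it with PDO::PARAM_INT after an intval() check (the pattern the page found on operator.php line 87) is the stricter choice.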

In conclusion, the RATS result also provided us with Input Validation vulnerabilities. However, compared to the Fortify result, it yielded only a limited type and number of vulnerabilities. Most of the RATS findings are also revealed in the Fortify scan result.