SoftwareSecurity2013/Group 6/ScanStats
Results Within Scope
Captcha Randomness
The captcha extension uses mt_rand() heavily to decide which symbols to place inside the captchas. The name of the captcha image file is derived from a hash of the captcha's contents combined with some random numbers. While the use of a PRNG that is not of cryptographic quality would certainly make it easier to predict those random numbers, an attacker would still have to guess the possible contents of the captcha as well in order to find a hash pre-image and so defeat the captcha.
Without a formal analysis, it is difficult to say how unpredictable the captchas are, but there is likely sufficient entropy that successful guessing would be rare enough that manual removal of the resulting SPAM would not be a significant burden. We mark them as Irrelevant. (Erik: I agree with your analysis here. I don't see that a cryptographically strong random number generator would be needed for producing captchas)
wfGenerateToken deprecated
This function uses insecure random numbers to protect a session, which is a semi-cryptographic use. It is listed as deprecated, so it would be useful to know whether any code still uses it. As it happens, RATS is extremely good at this type of query, and it tells us that the function is not used anywhere in the PHP code base. It should be safe to remove at any time.
Most Randomness False Positives
Most of the non-cryptographic PRNG calls in MediaWiki serve scheduling, load-balancing and similar functions, where work needs to happen on a fairly predictable, periodic basis. One application was to randomly sample session information.
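To make the distinction drawn in the captcha, wfGenerateToken and sampling passages concrete, here is an added PHP example (not MediaWiki or captcha-extension code). It contrasts mt_rand() used for sampling, where predictability costs nothing, with a token that protects a session, where a CSPRNG is required; the seeded-replay check shows why mt_rand() output is predictable. random_bytes() and hash_equals() are the standard PHP replacements (PHP 7.0 and later). The function names and the captcha file-name scheme are illustrative assumptions, not the extension's actual code.

```php
<?php
// Added example, not MediaWiki or captcha-extension code.

// Why mt_rand() is predictable: it is a deterministic generator. Re-seeding
// with the same value replays the same sequence, so anyone who learns (or
// guesses) the seed knows every later output.
function mtRandIsDeterministic(int $seed = 1234): bool
{
    mt_srand($seed);
    $first = [mt_rand(), mt_rand(), mt_rand()];
    mt_srand($seed);
    $second = [mt_rand(), mt_rand(), mt_rand()];
    return $first === $second;
}

// Acceptable use: sample roughly one request in $rate for logging or
// profiling. A predictable sequence gives an attacker nothing here.
function shouldSampleRequest(int $rate): bool
{
    return mt_rand(1, $rate) === 1;
}

// Acceptable use (the captcha argument above): the image file name is a
// hash of the answer plus a per-captcha salt. Recovering the answer from the
// name requires a pre-image of the hash, not merely a prediction of the salt.
function captchaFileName(string $answer, string $salt): string
{
    return md5($salt . '|' . $answer) . '.png';   // hypothetical scheme
}

// Not acceptable: a session token built from mt_rand(). This is the kind of
// pattern the analysis describes for wfGenerateToken(); it exists here only
// as the "before" of the fix.
function weakSessionToken(): string
{
    return md5(mt_rand() . microtime(true));
}

// Fix: draw the token from the operating system's CSPRNG. random_bytes()
// throws instead of silently falling back to a weak source.
function strongSessionToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Check a presented token in constant time so the comparison itself does
// not leak how many leading bytes matched.
function sessionTokenMatches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

var_dump(mtRandIsDeterministic());
$token = strongSessionToken();
var_dump(strlen($token), sessionTokenMatches($token, $token));
```

The split the block makes is the one the analysis applies to every Fortify "Insecure Randomness" message: ask what an attacker gains by predicting the value. For sampling and scheduling the answer is nothing, so mt_rand() is fine; for anything that authenticates a party, the generator must be unpredictable.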
Javascript
JavaScript is complicated to analyze because of its event-oriented nature; we are saving a couple of the JavaScript findings for further analysis.
MD5 and SHA1
The popular ignorance surrounding the MD5 and SHA-1 collisions is unfortunate. While it is the case that MD5 has come under very successful attack in recent years, the success was in undermining its collision resistance, not its pre-image resistance. We exclude any use of MD5 that depends only on pre-image resistance, which to our knowledge remains intact. That accounts for all of the "Weak Cryptographic Hash" messages. (Erik: Good point! Too many people think that all uses of MD5 are insecure)
Cryptographic Algorithms
Notably absent are messages about the use of weak encryption schemes. This is a positive sign.
Tool Comparison
Verified / False Positives
- COUNT (Verified Positive)
- COUNT (False Positive)
- False Positive Rate
- Verified Positive
- COUNT (Positive, but OK)
Common Results
When using multiple tools to approach a problem, it is natural to compare the results to see what, if anything, they agree on. In our case, we used two runs of Fortify with different methods of input, and RATS.
Command Injection
It could be called either way: they could all be called false positives because of the context in which the server runs, or real positives because they point out something that could be improved. RATS caught them because it flags every external file execution unconditionally. Fortify is a bit more intelligent about it, but still flags them in the presence of a valid mitigation. We chose to call them positives.
The PATH dependency argument is correct, but in the setting in which the server runs, the user cannot manipulate the PATH of the scripts that are run by the web server. The user can manipulate the PATH for the interactive scripts, but since they execute as the calling user, manipulating their behaviour does not escalate a local user's privileges.
While these are technically positives and the code could be improved, they are not exploitable because of the particular way that the application is likely to be deployed. A common solution to this class of vulnerability is to set the search path environment variable to a known safe value, as is commonly done in set-uid shell scripts on UNIX systems. The Fortify scanner does not detect that the search path is no longer tainted when this technique is applied and only relents when the shell command begins with a "/" character.
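The pattern behind the Command Injection rows in the table below, and the two mitigations discussed above, as an added PHP example (not MediaWiki code; the tidy binary path and the pinned PATH value are assumptions for a typical Linux deployment):

```php
<?php
// Added example, not MediaWiki code. TIDY_BIN and the safe PATH value are
// assumptions for a typical Linux install.

// The pattern both scanners flag: the argument is escaped, but "tidy" is
// resolved through whatever $PATH the process inherited.
function tidyCheckFlagged(string $file): string
{
    return (string) shell_exec('tidy -q -e ' . escapeshellarg($file));
}

// Mitigation 1: an absolute path to the executable. This is the form Fortify
// accepts, because the command begins with "/".
const TIDY_BIN = '/usr/bin/tidy';   // assumed install location

function tidyCheckAbsolute(string $file): string
{
    return (string) shell_exec(TIDY_BIN . ' -q -e ' . escapeshellarg($file));
}

// Mitigation 2: pin PATH to a known-safe value for the duration of the call,
// the technique set-uid shell scripts use. This removes the dependency on an
// inherited PATH, but Fortify does not recognise it and keeps reporting.
function withSafePath(callable $fn, string $safePath = '/usr/bin:/bin')
{
    $saved = getenv('PATH');
    putenv('PATH=' . $safePath);
    try {
        return $fn();
    } finally {
        putenv('PATH=' . ($saved === false ? '' : $saved));
    }
}

function tidyCheckPinnedPath(string $file): string
{
    return withSafePath(function () use ($file) {
        return (string) shell_exec('tidy -q -e ' . escapeshellarg($file));
    });
}

// The heuristic described above: Fortify relents only when the command
// string starts with "/".
function fortifyWouldFlagPath(string $command): bool
{
    return $command === '' || $command[0] !== '/';
}

// What escapeshellarg() buys: a file name carrying shell metacharacters
// stays one single-quoted argument instead of becoming extra commands.
function quotedArgument(string $userSupplied): string
{
    return escapeshellarg($userSupplied);
}

// The context the triage relies on: under a web server the process PATH
// comes from the server configuration, not from a user; under the CLI the
// caller already controls their own environment and gains nothing.
function runsUnderWebServer(): bool
{
    return PHP_SAPI !== 'cli';
}

var_dump(fortifyWouldFlagPath('tidy -q -e x.html'));      // flagged
var_dump(fortifyWouldFlagPath(TIDY_BIN . ' -q -e x.html')); // accepted
var_dump(quotedArgument('report;echo hi.html'));
```

When reviewing a finding of this class, the questions the block encodes are the ones that decide the triage: is the argument escaped, where does the process get its PATH, and who controls that environment.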
Functions
The "Code Injection" vulnerability is reported against line 2804 of GlobalFunctions.php because the function there eventually gets called with information from an environment variable. This is ridiculous: it would be like calling the unlink() library function incorrect because some program linked against libc calls unlink() with tainted data. In this case, the program calling it is a utility that is executed from the command line, with the privileges of the executing user. This is a false positive and possibly a scanner bug.
Filename | Line Number | Status | Notes |
---|---|---|---|
includes/GlobalFunctions.php | 2804 | False Positive | Part of a function used to execute shell commands |
includes/GlobalFunctions.php | 2906 | Positive | external program invocation: user-supplied parameters escaped, path to executable is not defined. |
includes/GlobalFunctions.php | 2918 | Positive | external program invocation: user-supplied parameters escaped, path to executable is not defined. |
includes/GlobalFunctions.php | 2980 | False Positive | A function is being blamed because it is called with what appears to be tainted data. |
includes/MimeMagic.php | 882 | Positive | external program invocation: user-supplied parameters escaped, path to executable is not defined. |
maintenance/fuzz-tester.php | 2426 | Positive | function tidyCheckFile() does not check one of its parameters. This PHP file is not executable by default, and the file passed to the tidy command (which checks whether HTML is valid) is constructed without use of any user-provided data. Fortify automatically marks anything executed without a full path as suspect because it assumes that the PATH variable can be manipulated. In the case of PHP running under a web server, it cannot. |
maintenance/mwdocgen.php | 152 | Positive | no full path |
maintenance/mwdocgen.php | 287 | Positive | no full path |
maintenance/populateImageSha1.php | 101 | Positive | no full path |
maintenance/proxy_check.php | 45 | Positive | no full path |
maintenance/storage/checkStorage.php | 412 | Positive | no full path |
Scanner Statistics
Overall Percentages
Scan | False Positives | Irrelevant | Positive | Unknown | Total |
---|---|---|---|---|---|
Fortify Scan 1 | 96.56% | 3.27% | 0.15% | 0.02% | 8275 |
Fortify Scan 2 | 96.27% | 3.57% | 0.14% | 0.02% | 8300 |
RATS | 2.61% | 88.24% | 3.92% | 5.23% | 153 |
Fortify Scan #1
Type | False Positives | Irrelevant | Positive | Unknown | Total |
---|---|---|---|---|---|
Password Management | 7883 | 34 | 0 | 0 | 7917 |
Weak Cryptographic Hash | 87 | 23 | 0 | 0 | 110 |
Insecure Randomness | 0 | 88 | 4 | 2 | 94 |
System Information Leak | 1 | 29 | 0 | 0 | 30 |
Command Injection | 0 | 17 | 6 | 0 | 23 |
Possible Variable Overwrite | 0 | 15 | 0 | 0 | 15 |
Cookie Security | 0 | 14 | 0 | 0 | 14 |
Cross-Site Request Forgery | 0 | 12 | 0 | 0 | 12 |
Dangerous File Inclusion | 10 | 2 | 0 | 0 | 12 |
JavaScript Hijacking | 0 | 9 | 1 | 0 | 10 |
Cross-Site Scripting | 0 | 8 | 0 | 0 | 8 |
SQL Injection | 7 | 0 | 0 | 0 | 7 |
Hidden Field | 0 | 6 | 0 | 0 | 6 |
PHP Misconfiguration | 1 | 3 | 0 | 0 | 4 |
Path Manipulation | 0 | 4 | 0 | 0 | 4 |
Privilege Management | 0 | 4 | 0 | 0 | 4 |
Dynamic Code Evaluation | 0 | 1 | 1 | 0 | 2 |
Code Correctness | 1 | 0 | 0 | 0 | 1 |
Header Manipulation | 0 | 1 | 0 | 0 | 1 |
Privacy Violation | 0 | 1 | 0 | 0 | 1 |
Totals | 7990 | 271 | 12 | 2 | 8275 |
Fortify Scan #2
Type | False Positives | Irrelevant | Positive | Unknown | Total |
---|---|---|---|---|---|
Password Management | 7884 | 34 | 0 | 0 | 7918 |
Weak Cryptographic Hash | 87 | 23 | 0 | 0 | 110 |
Insecure Randomness | 0 | 88 | 4 | 2 | 94 |
System Information Leak | 1 | 29 | 0 | 0 | 30 |
Dangerous File Inclusion | 10 | 18 | 0 | 0 | 28 |
Command Injection | 0 | 18 | 6 | 0 | 24 |
Possible Variable Overwrite | 0 | 15 | 0 | 0 | 15 |
Cookie Security | 0 | 13 | 0 | 0 | 13 |
Cross-Site Request Forgery | 0 | 12 | 0 | 0 | 12 |
Cross-Site Scripting | 0 | 11 | 0 | 0 | 11 |
SQL Injection | 7 | 4 | 0 | 0 | 11 |
JavaScript Hijacking | 0 | 9 | 1 | 0 | 10 |
Hidden Field | 0 | 6 | 0 | 0 | 6 |
Path Manipulation | 0 | 5 | 0 | 0 | 5 |
Privilege Management | 0 | 4 | 0 | 0 | 4 |
Dynamic Code Evaluation | 0 | 1 | 1 | 0 | 2 |
Header Manipulation | 0 | 2 | 0 | 0 | 2 |
Resource Injection | 0 | 2 | 0 | 0 | 2 |
Code Correctness | 1 | 0 | 0 | 0 | 1 |
Open Redirect | 0 | 1 | 0 | 0 | 1 |
Privacy Violation | 0 | 1 | 0 | 0 | 1 |
Totals | 7990 | 296 | 12 | 2 | 8300 |
RATS
These "vulnerabilities" are nothing more than a list of functions that the RATS authors have concluded are bad to use. Their idea is apparently that an auditor should look at every instance of a dangerous function and determine whether or not it is used properly.
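The kind of query RATS answers, both the "which code calls wfGenerateToken()?" question above and the dangerous-function listing in this section, as an added PHP example built on PHP's own tokenizer (not RATS or MediaWiki code). It reports every call site of a watch-listed function, plus the backtick operator and eval, with line numbers, so each can be triaged as the text describes. The watch list and the sample source are constructed for this example.

```php
<?php
// Added example, not RATS or MediaWiki code: a minimal RATS-style finder on
// top of token_get_all(). The watch list and sample input are constructed.

const WATCHLIST = ['fopen', 'popen', 'passthru', 'system', 'shell_exec',
                   'exec', 'fsockopen', 'wfGenerateToken'];

// Index of the previous token that is not whitespace or a comment.
function prevSignificant(array $tokens, int $i): int
{
    for ($j = $i - 1; $j >= 0; $j--) {
        if (!is_array($tokens[$j]) ||
            !in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $j;
        }
    }
    return -1;
}

function findDangerousCalls(string $source, array $watchlist = WATCHLIST): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $count = count($tokens);
    $line = 1;            // single-character tokens carry no line, so track it
    $inBacktick = false;  // backticks come in pairs; report only the opening one
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (is_string($tok)) {
            if ($tok === '`') {
                if (!$inBacktick) {
                    $hits[] = ['name' => 'backtick', 'line' => $line];
                }
                $inBacktick = !$inBacktick;
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $line += substr_count($text, "\n");   // advance past multi-line gaps
            continue;
        }
        if ($id === T_EVAL) {                      // eval is a language construct
            $hits[] = ['name' => 'eval', 'line' => $line];
            continue;
        }
        if ($id !== T_STRING || !in_array(strtolower($text), $watchlist, true)) {
            continue;
        }
        // Skip definitions and method/static calls: "function system(",
        // "$obj->system(" and "Foo::system(" are not the builtin.
        $p = prevSignificant($tokens, $i);
        if ($p >= 0 && is_array($tokens[$p]) &&
            in_array($tokens[$p][0], [T_FUNCTION, T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) {
            continue;
        }
        // Count it only when followed by "(", i.e. an actual call.
        $n = $i + 1;
        while ($n < $count && is_array($tokens[$n]) && $tokens[$n][0] === T_WHITESPACE) {
            $n++;
        }
        if ($n < $count && $tokens[$n] === '(') {
            $hits[] = ['name' => strtolower($text), 'line' => $line];
        }
    }
    return $hits;
}

// Constructed sample input: one genuine shell_exec(), a backtick, an fopen(),
// a method call that merely shares the name "system", and an eval().
$sample = <<<'SRC'
<?php
function runTidy($file) {
    return shell_exec("tidy " . escapeshellarg($file));
}
$listing = `ls -l`;
$fh = fopen($path, 'r');
$obj->system('not the builtin');
eval($code);
SRC;

foreach (findDangerousCalls($sample) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['name']);
}
```

Like RATS, this reports usage, not exploitability: every hit still needs the kind of per-site judgement recorded in the tables on this page. Unlike a plain grep, it ignores method calls and definitions that happen to share a builtin's name, which is one source of the false positives counted below.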
Type | False Positives | Irrelevant | Positive | Unknown | Total |
---|---|---|---|---|---|
fopen | 0 | 69 | 0 | 0 | 69 |
compile | 3 | 19 | 0 | 0 | 22 |
is_dir | 0 | 12 | 0 | 0 | 12 |
is_file | 0 | 8 | 0 | 0 | 8 |
Backtick | 0 | 3 | 3 | 0 | 6 |
fsockopen | 0 | 4 | 0 | 1 | 5 |
popen | 0 | 4 | 1 | 0 | 5 |
uniform | 0 | 0 | 0 | 4 | 4 |
passthru | 0 | 1 | 2 | 0 | 3 |
eval | 0 | 2 | 0 | 0 | 2 |
gzopen | 0 | 2 | 0 | 0 | 2 |
is_readable | 0 | 2 | 0 | 0 | 2 |
is_writable | 0 | 2 | 0 | 0 | 2 |
0 | 2 | 0 | 0 | 2 | |
randint | 0 | 0 | 0 | 2 | 2 |
stat | 0 | 2 | 0 | 0 | 2 |
chdir | 0 | 1 | 0 | 0 | 1 |
is_link | 0 | 1 | 0 | 0 | 1 |
pfsockopen | 0 | 1 | 0 | 0 | 1 |
randrange | 0 | 0 | 0 | 1 | 1 |
system | 1 | 0 | 0 | 0 | 1 |
Totals | 4 | 135 | 6 | 8 | 153 |