SoftwareSecurity2013/Group 2/Verdict
V4: Access Control
V4.1 Verify that users can only access protected functions for which they possess specific authorization.
UNKNOWN: It is hard to tell with Fortify whether this requirement is met. Fortify cannot show whether an authorization check has been forgotten, which would leave the function accessible to everyone.
To check this fully, one would have to review the whole code base. The code is very large, so we reviewed a limited set of PHP files: only those in the 'bp-activity' directory.
We did not find any authorization requirements on any of those protected/private functions. (Erik: Did you not find anything wrong with the authorisation or did you not find any authorisation? I'm not sure what bp-activity does, but an alternative way to look at parts of the code would be to check for certain 'protected' functionalities where access control seems necessary - say deleting content in BuddyPress - and then checking if & where the access control checks (e.g. to see if you only delete your own content etc.) are in place and make sense.)
V4.2 Verify that users can only access URLs for which they possess specific authorization.
UNKNOWN: Fortify cannot check whether the authorization code has been forgotten or whether everyone may see the content of the URL. That is why it is hard to tell whether this requirement is passed. The code of BuddyPress is too large to search manually, so we limited the analysis to the 'bp-activity' directory and all the files it contains. When we searched manually we did not find anything wrong. (Erik: Did you have a specific reason to pick bp-activity? How big a part of the overall code was bp-activity? Based on the fact that you found nothing wrong in bp-activity one can try to make some conclusion about the overall code - of course, you can never be sure that the other code is just as good or bad, but by saying the percentage of the code bp-activity covers one can get some impression of how reliable a conclusion based on such a partial review is.)
V4.3 Verify that users can only access data files for which they possess specific authorization.
UNKNOWN: This requirement also depends on a specific authorization check, like requirements V4.1 and V4.2, so it has the same problem as those two. We had to search for problems manually, and did so in the same directory as for requirement V4.2. In this case we did not find anything that was wrong.
V4.4 Verify that direct object references are protected, such that only authorized objects are accessible to each user.
PASS: Fortify reports some possible occurrences where this attack could take place; however, BuddyPress does perform some form of validation on them. There is one instance that we could find where a $_COOKIE value is not validated. However, this only affects the flow when creating a new group.
V4.6 Verify that users can only access services for which they possess specific authorization.
PASS/DON'T KNOW: BuddyPress uses functions to check whether a user has the necessary credentials to access the services. Sometimes these functions depend on module-specific functions that are found within the plugin itself. If BuddyPress as a whole uses this strategy everywhere, then we can be certain it passes this requirement. However, we have not verified every function manually, so it also gets the "don't know" verdict.
V4.7 Verify that users can only access data for which they possess specific authorization.
PASS: See V4.6. BuddyPress uses functions to check the credentials of the user before it is granted access to certain information.
V4.8 Verify that access controls fail securely.
UNKNOWN: BuddyPress verifies on the server side that the user has access rights. It is hard to say whether all access controls are checked, since the code depends on the correct check functions being called before each important action.
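The pattern that V4.1, V4.4, V4.6 and V4.8 ask for (a privileged action, such as deleting content, that is only performed after the server has validated the object reference, established who the current user is, and refused on every failure path) looks like this when written out. This is an added example, not BuddyPress or WordPress code: it uses the WordPress core functions is_user_logged_in(), check_ajax_referer(), absint(), get_current_user_id(), current_user_can(), wp_die(), wp_send_json_success() and $wpdb, while the table name example_activity and both function names are hypothetical.

```php
<?php
// Added example (not BuddyPress code): the same deletion handler written twice.
// Assumes WordPress core is loaded; the example_activity table is a placeholder.

// Unsafe version: trusts the client-supplied id and never checks who owns the item,
// so any visitor who guesses an id can delete someone else's content.
function example_delete_activity_unsafe() {
    global $wpdb;
    $id = absint( $_POST['activity_id'] );
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}example_activity WHERE id = %d", $id ) );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// Hardened version: the server decides, and every failure path refuses the action.
function example_delete_activity() {
    global $wpdb;

    // 1. Must be logged in; fail closed (V4.8).
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not authorized', 403 );
    }

    // 2. CSRF token bound to this specific action (WordPress nonce).
    check_ajax_referer( 'example_delete_activity', 'nonce' );

    // 3. Validate the direct object reference: an integer id and nothing else (V4.4).
    $id = isset( $_POST['activity_id'] ) ? absint( $_POST['activity_id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Bad request', 400 );
    }

    // 4. Load the item server-side and compare its owner with the session user,
    //    never with a user id supplied by the client.
    $owner = $wpdb->get_var( $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}example_activity WHERE id = %d", $id ) );
    if ( null === $owner ) {
        wp_die( 'Not found', 404 );
    }
    $current  = get_current_user_id();
    $is_owner = ( (int) $owner === $current );
    $is_admin = current_user_can( 'manage_options' ); // site administrator capability
    if ( ! $is_owner && ! $is_admin ) {
        // Log the failed access decision before refusing (V4.14).
        error_log( sprintf( 'access denied: user %d tried to delete activity %d', $current, $id ) );
        wp_die( 'Not authorized', 403 );
    }

    // 5. Only now perform the privileged action.
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}example_activity WHERE id = %d", $id ) );
    wp_send_json_success( array( 'deleted' => $id ) );
}
```

When reviewing a handler like this manually, the questions are the ones Erik lists under V4.1: is the check present at all, is it done before the action rather than after, does it compare against the server-side session user, and does every branch that does not pass the check stop the request.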
V4.9 Verify that the same access control rules implied by the presentation layer are enforced on the server side.
UNKNOWN: BuddyPress does not show admin controls to ordinary users, and checks for admin access rights. There is, however, no clear overview of all functionality and the access rights each part requires.
V4.10 Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
UNKNOWN: This is completely impossible for us to check. Fortify gives no clear findings on this, and given the use of global accessors in BuddyPress to reach all data, it is impossible to say that no code anywhere leaks information or allows edits.
V4.11 Verify that all access controls are enforced on the server side.
PASS: We used Fortify to show only the problems occurring in JavaScript files, i.e. client-side code. This revealed some problems regarding session cookies, which could be improved by protecting them with the HttpOnly flag. But since only 25% of all websites do this, we still regard this as safe, since there are checks on the server side as well.
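The HttpOnly improvement mentioned above is a one-line change on the server, and checking whether a site applies it is a small parsing job. The following is an added example, not BuddyPress or WordPress code: example_issue_session_cookie() sets a cookie with PHP's built-in setcookie() using the options-array form (PHP 7.3 and later), and example_cookie_flags() inspects a Set-Cookie header string such as one captured during a review. The cookie name, value and the sample header are constructed.

```php
<?php
// Added example (not BuddyPress code). Cookie name and value are placeholders.

// Issue a session cookie that scripts cannot read and that is never sent over plain HTTP.
function example_issue_session_cookie( string $session_id ): bool {
    return setcookie( 'example_session', $session_id, [
        'expires'  => 0,        // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable via document.cookie, so script injection cannot steal it
        'samesite' => 'Lax',    // not attached to most cross-site requests
    ] );
}

// Parse a Set-Cookie header and report which protective attributes it carries.
// Useful when verifying V4.11 findings against the live application.
function example_cookie_flags( string $set_cookie_header ): array {
    $parts = array_map( 'trim', explode( ';', $set_cookie_header ) );
    array_shift( $parts );                           // drop the name=value pair
    $attrs = [];
    foreach ( $parts as $part ) {
        if ( '' === $part ) {
            continue;
        }
        [ $key, $value ] = array_pad( explode( '=', $part, 2 ), 2, true );
        $attrs[ strtolower( $key ) ] = $value;     // attribute names are case-insensitive
    }
    return [
        'httponly' => isset( $attrs['httponly'] ),
        'secure'   => isset( $attrs['secure'] ),
        'samesite' => $attrs['samesite'] ?? null,
    ];
}

// Constructed sample header, shaped like a login cookie that lacks the HttpOnly flag.
$sample = 'example_session=ab12cd34; Path=/; Secure';
var_dump( example_cookie_flags( $sample ) );
```

The 'httponly' entry of the returned array is the one the Fortify finding refers to; 'secure' and 'samesite' are the two other attributes a reviewer would normally record for a session cookie at the same time.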
V4.12 Verify that there is a centralized mechanism (including libraries that call external authorization services) for protecting access to each type of protected resource.
PASS: There is a centralized mechanism, but BuddyPress relies on WordPress for this as well. In our opinion, this is centralized enough to make it pass.
V4.13 Verify that limitations on input and access imposed by the business on the application (such as daily transaction limits or sequencing of tasks) cannot be bypassed
NOT SURE: We cannot tell whether this requirement is met using static code analysis alone. It is hard to find out which limitations on input and access were imposed by the business, since we do not know the requirements. One could try to find them out oneself, for example with the help of an application fuzzer. Unfortunately, we had no time to try this during the review project.
V4.14 Verify that all access control decisions can be logged and all failed decisions are logged.
PASS: BuddyPress contains a centralized logging and error handling system. The parts of the code dealing with access control all make use of this system, so this verification requirement is met.
V9: Data Protection
V9.1 Verify that all forms containing sensitive information have disabled client side caching, including autocomplete features.
FAIL: To prevent the client-side cache from autocompleting the value of an input field, the autocomplete="off" attribute can be used. When this attribute is set, no autocompletion is done. In the login form, autocomplete="off" is not used for the username and password fields. The browser does not autocomplete password fields, but it does autocomplete the username. This makes it possible for a potential attacker to find the usernames of users who have logged in on this website. In the default BuddyPress template the register page also allows autocompletion, making it possible to find registered usernames.
V9.2 Verify that the list of sensitive data processed by this application is identified, and that there is an explicit policy for how access to this data must be controlled, and when this data must be encrypted (both at rest and in transit). Verify that this policy is properly enforced.
PASS: In BuddyPress there are two kinds of sensitive data: login data and communication between users. We checked both groups and found that the sensitive data is handled securely.
V9.4 Verify that all cached or temporary copies of sensitive data sent to the client are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data (e.g., the proper no-cache and no-store Cache-Control headers are set).
UNKNOWN: No sensitive data gets cached in the BuddyPress system. The login function of BuddyPress uses the login functionality of WordPress, which we did not validate because it is out of the scope of the project.
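V9.1 and V9.4 describe two server-side controls for the same page: the login form should carry autocomplete="off" on its sensitive fields, and the response should carry Cache-Control headers that stop browsers and proxies from keeping a copy. The following is an added example of a login page that applies both; it is not BuddyPress or WordPress code, uses only PHP's built-in header() and htmlspecialchars(), and the function names and the field names log and pwd are assumptions.

```php
<?php
// Added example (not BuddyPress code): a login response meeting V9.1 and V9.4.

// V9.4: tell every cache on the path not to store this response.
function example_send_no_cache_headers(): void {
    header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
    header( 'Pragma: no-cache' );   // honoured by HTTP/1.0 caches
    header( 'Expires: 0' );
}

// V9.1: the form and each sensitive field opt out of browser autocompletion.
function example_render_login_form( string $action_url ): string {
    $action = htmlspecialchars( $action_url, ENT_QUOTES, 'UTF-8' );
    return <<<HTML
<form method="post" action="{$action}" autocomplete="off">
  <label>Username <input type="text" name="log" autocomplete="off"></label>
  <label>Password <input type="password" name="pwd" autocomplete="off"></label>
  <button type="submit">Log in</button>
</form>
HTML;
}

// Headers must be sent before any body output.
example_send_no_cache_headers();
echo example_render_login_form( '/wp-login.php' );
```

One caveat for anyone re-running this review today: current browsers treat autocomplete="off" on login fields as a hint only and let their built-in password managers fill them anyway, so the no-store headers are the control that can be relied on, and the autocomplete attribute mainly affects the plain form-history autocompletion that this verdict describes.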
V9.5 Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data.
UNKNOWN: We do not know whether the login functionality of BuddyPress is completely secure. It uses a lot of the functionality of WordPress, which we did not validate because it was out of the scope of the project.