# Authentication

## 2.1 Verify that all private pages are indeed private
All admin pages are private. Unpublished posts are also private.

However, the install submission page does not do any authentication at all,
allowing any user to reset the database and claim an admin account.

User pages can be viewed and submitted by any authenticated user.

## 2.2
## 2.3
## 2.4
## 2.5
## 2.6
## 2.7
## 2.8
## 2.9
Changing a user's password does not require the original password.

## 2.10
## 2.11
## 2.12

## 2.13 Password storage security
Passwords are stored in the database using the PHP function `crypt`. Internally,
this function uses salted MD5, which is far too fast and therefore way too easy
to brute-force.

Use `argon2` or PHP's `password_hash` function instead.

## 2.14
## 2.15

## 2.16
The app allows admin users to log in over HTTP. This is insecure. Force HTTPS
for the `admin_controller` and for the installation script.

## 2.17
## 2.18
## 2.19

## 2.20
No anti-automation measures are deployed.

Anti-automation (rate limiting or CAPTCHA) is needed for email validation, the
installation database check, login, comment submissions, etc.

## 2.21
## 2.22
## 2.23
## 2.24
## 2.25
## 2.26
## 2.27
## 2.28
## 2.29
## 2.30
## 2.31
## 2.32
## 2.33

## Other
- `Users::find` is vulnerable to SQL injection.
- The default admin password is generated using a Mersenne Twister, which is
  not cryptographically secure.
- The comparison of the password hash during login is not done in constant time.
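
As an added illustration (not the project's own code) of the 2.13 finding and of the non-constant-time comparison listed above, the following PHP shows the MD5-`crypt` scheme beside a `password_hash` replacement and a login-time migration of legacy hashes. Function names and the `$stored` variable are assumptions; the password is a constructed sample.

```php
<?php
// Weak (what the checklist describes): crypt() with a "$1$" salt selects
// MD5-crypt, which is fast enough to brute-force cheaply.
function weak_hash(string $password): string {
    $salt = '$1$' . substr(bin2hex(random_bytes(6)), 0, 8) . '$';
    return crypt($password, $salt);
}

// Weak: comparing hash strings with === leaks timing information.
function weak_verify(string $password, string $stored): bool {
    return crypt($password, $stored) === $stored;
}

// Hardened: password_hash() with Argon2id, falling back to bcrypt when the
// PHP build lacks Argon2. password_verify() compares in constant time.
function strong_algo() {
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

function strong_hash(string $password): string {
    return password_hash($password, strong_algo());
}

function strong_verify(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Migration path: accept whichever format is stored, compare legacy hashes
// with hash_equals(), and upgrade them on a successful login. The caller
// must persist $stored when it changes.
function verify_and_upgrade(string $password, string &$stored): bool {
    if (strncmp($stored, '$1$', 3) === 0) {          // legacy MD5-crypt
        if (!hash_equals($stored, crypt($password, $stored))) {
            return false;
        }
        $stored = strong_hash($password);            // upgrade in place
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, strong_algo())) {
        $stored = strong_hash($password);            // cost/algorithm bump
    }
    return true;
}

// Demo with a constructed password: first login upgrades the legacy hash.
$stored = weak_hash('correct horse battery staple');
var_dump(verify_and_upgrade('wrong password', $stored));
var_dump(verify_and_upgrade('correct horse battery staple', $stored));
var_dump(strncmp($stored, '$1$', 3) !== 0);
```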