## 2.1 Verify that all private pages are indeed private
All admin pages are private. Unpublished posts are also private.
However, the install submission page does not do any authentication at all, allowing any user to reset the database and claim an admin account.
User pages can be viewed and submitted by any authenticated user.
Changing a user's password does not require the original password.
## 2.13 Password storage security
Passwords are stored in the database using the PHP function `crypt`. Internally, this function uses salted MD5, which is far too easy to brute-force.
Use `argon2` or the `password_hash` function instead.
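The following is an added example, not code from the audited application: the MD5-crypt scheme described above placed beside the recommended `password_hash` approach. It uses `PASSWORD_ARGON2ID` where the PHP build provides it (PHP 7.3 or later, compiled with Argon2 support) and falls back to `PASSWORD_DEFAULT` (bcrypt) otherwise, and it shows how legacy hashes can be upgraded transparently at the user's next successful login. Function names are illustrative.

```php
<?php
declare(strict_types=1);

// Added example (not the audited application's code).

// Weak: crypt() with a "$1$" salt selects MD5-crypt. MD5 is fast to compute,
// so an attacker with a copy of the database can test candidates very cheaply.
function hashPasswordWeak(string $password): string
{
    // MD5-crypt salts use the characters [./0-9A-Za-z]; '+' is not allowed.
    $salt = '$1$' . substr(strtr(base64_encode(random_bytes(6)), '+', '.'), 0, 8) . '$';
    return crypt($password, $salt);
}

// Recommended: password_hash() with Argon2id where available, bcrypt otherwise.
// The algorithm, salt and cost parameters are encoded in the returned string,
// so only that single string needs to be stored.
function hashPassword(string $password): string
{
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    return password_hash($password, $algo);
}

// password_verify() understands every crypt() format (including "$1$"), and
// compares in constant time. If the stored hash does not use the current
// algorithm, rehash it so legacy MD5-crypt entries are upgraded on login.
// The caller must persist the updated $storedHash.
function verifyAndUpgrade(string $password, string &$storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    if (password_needs_rehash($storedHash, $algo)) {
        $storedHash = hashPassword($password);
    }
    return true;
}

// Demonstration with a constructed password.
$stored = hashPasswordWeak('correct horse battery staple');
echo "legacy hash:   {$stored}\n";       // "$1$..." (MD5-crypt)
var_dump(verifyAndUpgrade('correct horse battery staple', $stored)); // bool(true)
echo "upgraded hash: {$stored}\n";       // now "$argon2id$..." or "$2y$..."
var_dump(verifyAndUpgrade('wrong password', $stored));               // bool(false)
```

Because `password_needs_rehash` also reports `true` when the cost parameters change, the same login path raises the work factor for all users over time without a migration script.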
The app allows admin users to log in over HTTP. This is insecure. Force HTTPS for the `admin_controller` and for the installation script.
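One way to enforce this at the top of the admin controller and the install script, as an added example that is not the application's own code: the request is redirected to its `https://` equivalent when it did not arrive over TLS, and an HSTS header plus secure session-cookie flags are set when it did. `X-Forwarded-Proto` is only trusted from proxy addresses the operator lists, because any client can send that header directly. The `$trustedProxies` parameter and function names are illustrative.

```php
<?php
declare(strict_types=1);

// Added example (not the audited application's code).

// Decide whether the current request arrived over TLS. The HTTPS server
// variable is set by the web server itself; X-Forwarded-Proto is only
// honoured when the immediate peer is a proxy we control.
function requestIsHttps(array $server, array $trustedProxies = []): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    $fromTrustedProxy = in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);
    return $fromTrustedProxy
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// The https:// URL for the same host and path, or null when already secure.
function httpsRedirectTarget(array $server, array $trustedProxies = []): ?string
{
    if (requestIsHttps($server, $trustedProxies)) {
        return null;
    }
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

// Call before any output or session_start() in admin_controller and the
// install script.
function enforceHttps(array $trustedProxies = []): void
{
    $target = httpsRedirectTarget($_SERVER, $trustedProxies);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Browsers remember to use HTTPS for a year; the session cookie is never
    // sent over plaintext and is unreadable from script.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed request, no real server involved.
var_dump(httpsRedirectTarget([
    'HTTP_HOST'   => 'blog.example',
    'REQUEST_URI' => '/admin/login',
    'REMOTE_ADDR' => '203.0.113.7',
])); // string "https://blog.example/admin/login"

var_dump(httpsRedirectTarget([
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'blog.example',
    'REQUEST_URI' => '/install.php',
])); // NULL: already secure
```

Redirecting on the basis of `HTTP_HOST` is only sound when the web server is configured to serve a fixed set of host names; otherwise validate the host against an allow-list before building the target URL.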
No anti-automation measures are deployed. Such measures are needed for email validation, the installation database check, login, and comment
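A minimal anti-automation control for the handlers listed above, as an added example and not the application's code: a fixed-window rate limiter keyed both by source address and by target account, so a guessing run against one account from many addresses and a sweep of many accounts from one address are both throttled. Counters are kept in memory here so the snippet runs stand-alone; a real deployment would back them with a shared store (a database table or cache) so every PHP worker sees the same counts. The class and function names, and the 5 attempts per 15 minutes threshold, are illustrative. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not the audited application's code).

final class RateLimiter
{
    /** @var array<string, array{count:int, windowStart:int}> */
    private array $buckets = [];

    public function __construct(
        private int $maxAttempts,
        private int $windowSeconds,
    ) {}

    // Record one attempt for $key at time $now and report whether it is still
    // within the allowance for the current window.
    public function attempt(string $key, int $now): bool
    {
        $bucket = $this->buckets[$key] ?? ['count' => 0, 'windowStart' => $now];
        if ($now - $bucket['windowStart'] >= $this->windowSeconds) {
            $bucket = ['count' => 0, 'windowStart' => $now]; // window expired
        }
        $bucket['count']++;
        $this->buckets[$key] = $bucket;
        return $bucket['count'] <= $this->maxAttempts;
    }
}

// Guard for a login handler. Both counters are always incremented so a
// rejected attempt still counts against the other dimension.
function loginAllowed(RateLimiter $limiter, string $ip, string $username, int $now): bool
{
    $ipOk   = $limiter->attempt('login:ip:' . $ip, $now);
    $userOk = $limiter->attempt('login:user:' . strtolower($username), $now);
    return $ipOk && $userOk;
}

// Constructed sequence: 7 attempts within one second, then one after the window.
$limiter = new RateLimiter(maxAttempts: 5, windowSeconds: 900);
$t = 1_700_000_000;
$results = [];
for ($i = 0; $i < 7; $i++) {
    $results[] = loginAllowed($limiter, '203.0.113.7', 'admin', $t);
}
var_dump($results); // five true, then two false
var_dump(loginAllowed($limiter, '203.0.113.7', 'admin', $t + 901)); // bool(true): window reset
```

The same `RateLimiter` instance, with different key prefixes (for example `comment:ip:` or `verify:email:`), covers the comment and email-validation endpoints; the installer's database check should additionally be disabled outright once installation has completed.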
- `Users::find` is vulnerable to SQL injection.
- The default admin password is generated using a Mersenne Twister, which is not cryptographically secure.
- Verification of hash equality in login is not done in constant time.
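Hardened counterparts to the three findings above, as an added example that is not the application's code: a `Users::find` that binds the username as a PDO parameter, a default-password generator built on `random_int` (which draws from the operating system's CSPRNG) instead of `mt_rand`, and a constant-time comparison using `hash_equals`. The table layout, column names and the `Users` constructor are assumptions; the demonstration runs against an in-memory SQLite database with constructed data.

```php
<?php
declare(strict_types=1);

// Added example (not the audited application's code).

final class Users
{
    public function __construct(private PDO $db) {}

    // The username is sent as a bound parameter, never spliced into the SQL
    // text, so the query's structure cannot be changed by its content.
    public function find(string $username): ?array
    {
        $stmt = $this->db->prepare(
            'SELECT id, username, password_hash FROM users WHERE username = :u'
        );
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// random_int() is backed by the OS CSPRNG; its output cannot be predicted from
// previously observed values the way a Mersenne Twister stream can.
function generateDefaultPassword(int $length = 20): string
{
    // Alphabet omits characters that are easily confused when read aloud.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// hash_equals() takes the same time regardless of where the inputs first
// differ, so the comparison does not leak prefix matches through timing.
// Use this for tokens and pre-computed digests; for passwords, password_verify()
// already compares in constant time.
function tokensMatch(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// Demonstration with an in-memory database and constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['admin', password_hash(generateDefaultPassword(), PASSWORD_DEFAULT)]);

$users = new Users($db);
var_dump($users->find('admin')['username']);         // string(5) "admin"
var_dump($users->find("admin' OR '1'='1") === null); // bool(true): treated as a literal username
var_dump(tokensMatch('token-a', 'token-a'));           // bool(true)
var_dump(tokensMatch('token-a', 'token-b'));           // bool(false)
```

With the username bound as a parameter, a value containing quote characters is simply a username that does not exist; the query returns no row rather than a different result set.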