\subsection{Fortify's results, summarized}
Fortify's results can be summarized as follows:
\begin{enumerate}[label=(\Alph*)]
\item 50 cases of \XSS{} vulnerabilities, all labelled \textbf{critical}. Protection against \XSS{} is indeed missing: user-supplied values are written back into pages without output encoding. The observation that none of the \CMS{}'s forms include nonces, mentioned in the same breath, is a separate issue, since nonces guard against cross-site request forgery rather than \XSS{}.
\item \textbf{Password management}. In the user password reset form in \code{reset.php}, if the reset fails, the password the user just entered is written back into the password field. This is not a password retrieved from the database, so it is not actually as \textbf{critical} as Fortify labels it, but it is bad practice nonetheless: the plaintext password ends up in the page source and potentially in the browser cache.
\item In the \textbf{privacy violation} category, Fortify found errors and warnings printed back to the browser and labelled this \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier.
\item \textbf{\SQL{} injection} is possible in the installer script, labelled \textbf{critical}. Yet again: the installer script.
\item \textbf{Cookie security}: the session cookie is set without the \code{HttpOnly} flag, labelled \textbf{high}. (\code{HttpOnly} is an attribute of the \code{Set-Cookie} header rather than a header of its own; without it, any \XSS{} payload can read the session cookie through \code{document.cookie}.)
\item \textbf{Privacy violation}: \HTML{} forms do not disable autocompletion. Labelled \textbf{high}. However, disabling autocompletion by means of the \code{autocomplete="off"} attribute notoriously does not really work, since browsers and password managers largely ignore it for login fields. The larger problem is that the post/redirect/get pattern is not followed, as stated above in our analysis of OWASP requirement (9.1).
\item Fortify complains that \PHP{}'s \code{crypt(...)} function is \textbf{weak encryption} and labels its 5 usages \textbf{high}. Strictly speaking, \code{crypt()} hashes rather than encrypts, and its strength depends on the salt it is given: with a traditional two-character salt it produces a DES-based hash that only considers the first eight characters of the password, whereas with a bcrypt salt (prefix \code{\$2y\$}) it is adequate. \PHP{}'s \code{password\_hash()} selects a strong variant and a random salt automatically.
\end{enumerate}
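The following is an added example written for this page, not code from the \CMS{} under review. It shows findings (G), (E) and (B)/(A) above in \PHP{}, each as the weak pattern beside a hardened replacement. The DES salt, cookie name, form field names and the sample inputs are constructed for the example.

```php
<?php
// Added example, not code from the CMS under review: the three code-level
// Fortify findings above, (G) crypt(), (E) the session cookie and (B)/(A) the
// reset form, each as the weak pattern beside a hardened replacement.
// All inputs are constructed; needs PHP 8 and runs with `php example.php`.

// (G) crypt() with a traditional two-character salt selects DES-based
// hashing, which ignores everything after the eighth character of the
// password. password_hash() (bcrypt by default, random salt) does not.
function des_crypt_collides(string $a, string $b): bool
{
    $salt = 'ab';                                 // constructed DES salt
    return crypt($a, $salt) === crypt($b, $salt);
}

function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// (E) The session cookie must carry HttpOnly (and Secure over TLS) so that
// an XSS payload cannot read it via document.cookie.
function weak_session_cookie(string $sid): void
{
    setcookie('PHPSESSID', $sid);                 // no attributes at all
}

function hardened_session_cookie(string $sid): void
{
    setcookie('PHPSESSID', $sid, [
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// (B) reset.php echoes the submitted password into the field after a failed
// reset, and (A) reflects other input without encoding. The hardened form
// leaves the password field empty and HTML-encodes what it does reflect.
function weak_reset_form(string $submittedPassword, string $username): string
{
    return '<input type="password" name="pw" value="' . $submittedPassword . '">'
         . '<input type="text" name="user" value="' . $username . '">';
}

function hardened_reset_form(string $username): string
{
    $safeUser = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="password" name="pw" value="" autocomplete="new-password">'
         . '<input type="text" name="user" value="' . $safeUser . '">';
}

// Demonstration with constructed inputs; throws if an expectation fails.
if (!des_crypt_collides('password1', 'password123')) {
    throw new RuntimeException('DES crypt() unexpectedly distinguished the passwords');
}
$stored = store_password('password123');
if (!check_password('password123', $stored) || check_password('password1', $stored)) {
    throw new RuntimeException('password_hash()/password_verify() misbehaved');
}
$payload = '"><script>alert(1)</script>';       // constructed XSS probe
if (!str_contains(weak_reset_form('hunter2', $payload), '<script>')
    || str_contains(hardened_reset_form($payload), '<script>')) {
    throw new RuntimeException('weak form must reflect the payload, hardened form must not');
}
echo weak_reset_form('hunter2', $payload), "\n", hardened_reset_form($payload), "\n";
```

The cookie functions are defined but not called, since they only have an effect under a web SAPI before any output is sent; the other three checks run as a plain script and show that two passwords differing only after the eighth character hash identically under DES-based \code{crypt()}, while \code{password\_verify()} tells them apart.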
The main point to observe is that all of the above results are quite low-level in nature: each is a property of an individual statement or function call that a static analyser can match. The majority of the OWASP ASVS requirements are higher-level, stated in terms of the application's behaviour rather than its code. Two good examples are:
\begin{description}
\item[V4.9] Verify that the same access control rules implied by the presentation layer are enforced on the server side. \\
(\textit{The \CMS{} failed this requirement in our analysis.})
\item[V5.17] Verify that the application has defenses against \HTTP{} parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (\GET{}, \POST{}, cookies, headers, environment, etc.). \\
(\textit{The \CMS{} passed this requirement in our analysis.})
\end{description}
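As an added example (not the \CMS{}'s code), the following \PHP{} request handler shows what satisfying V5.17 and V4.9 looks like in code: it rejects a request whose parameters are ambiguous, and it re-checks the caller's role on the server regardless of what the presentation layer showed. The action (deleting an article), the role name, the parameter names and the response strings are assumptions made for the example.

```php
<?php
// Added example, not code from the CMS under review: a request handler for a
// hypothetical "delete article" action illustrating V5.17 and V4.9. The role
// name, parameter names and response strings are assumptions for the example.

// V5.17. PHP's parser keeps the LAST value of a repeated parameter, and
// $_REQUEST merges GET, POST and COOKIE (in request_order). A proxy or WAF
// that takes the FIRST value therefore inspects something other than what
// the application acts on. Detect both kinds of ambiguity from the raw data.
function duplicated_parameter_names(string $rawQuery): array
{
    $seen = [];
    foreach (explode('&', $rawQuery) as $pair) {
        if ($pair === '') {
            continue;
        }
        $name = urldecode(explode('=', $pair, 2)[0]);
        $name = preg_replace('/\[.*$/', '', $name);   // a[]=1&a[]=2 is one array, not pollution
        $seen[$name] = ($seen[$name] ?? 0) + 1;
    }
    return array_keys(array_filter($seen, fn(int $n): bool => $n > 1));
}

function names_in_multiple_sources(array $get, array $post, array $cookie): array
{
    $count = [];
    foreach ([$get, $post, $cookie] as $source) {
        foreach (array_keys($source) as $name) {
            $count[$name] = ($count[$name] ?? 0) + 1;
        }
    }
    return array_keys(array_filter($count, fn(int $n): bool => $n > 1));
}

// V4.9. The admin page only renders the Delete button for admins, but the
// handler must re-check the role on every request; hiding the button is not
// access control.
function handle_delete(array $session, string $rawQuery, array $get, array $post, array $cookie): string
{
    if (duplicated_parameter_names($rawQuery) !== []
        || names_in_multiple_sources($get, $post, $cookie) !== []) {
        return '400 ambiguous parameters';
    }
    if (($session['role'] ?? '') !== 'admin') {
        return '403 forbidden';
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '400 invalid id';
    }
    return "200 deleted article $id";          // the real handler would run the delete here
}

// Demonstration with constructed requests; throws if an expectation fails.
parse_str('id=1&id=2', $parsed);               // shows PHP's last-value-wins rule
$admin = ['role' => 'admin'];
$user  = ['role' => 'editor'];
$checks = [
    $parsed['id'] === '2',
    duplicated_parameter_names('id=1&page=3&id=2') === ['id'],
    handle_delete($admin, 'id=1&id=2', ['id' => '2'], [], []) === '400 ambiguous parameters',
    handle_delete($admin, '', [], ['id' => '7'], ['id' => '9']) === '400 ambiguous parameters',
    handle_delete($user,  '', [], ['id' => '7'], []) === '403 forbidden',
    handle_delete($admin, '', [], ['id' => '7'], []) === '200 deleted article 7',
];
if (in_array(false, $checks, true)) {
    throw new RuntimeException('unexpected handler result');
}
echo "all checks passed\n";
```

The raw query string is inspected rather than the superglobals because \PHP{} has already collapsed duplicates by the time the superglobals exist; the same check should be applied to the raw \POST{} body read from \code{php://input}.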
For this reason, Fortify was nowhere near able to identify all the problems we found in the \CMS{}. An overview of our findings, in which the problems Fortify also reported are boxed and labelled with the letter of the corresponding Fortify result above, is given in the table below.
\newcommand{\p}{{\color{lightgray}\pass}}
\newcommand{\X}{\fail}
\setlength\fboxrule{1pt}
\setlength\fboxsep{4pt}
\newcommand{\F}[2]{$\boxed{\textrm{#2}}^{\,\textrm{\small(#1)}}$}% fortify-found security problem: \F\X
%\renewcommand{\arraystretch}{1}
\begin{tabular}{@{}llllllllll@{}}
 & V2 & V3 & V4 & V5 & V7 & V8 & V9 & V11 \\
1 & \X & \p & \p & \p & & \X & \F{B}\X & \X \\
2 & \F{B}\p & \p & & & \p & \p & & \p \\
3 & & \X & & \X & & \X & \p & \\
4 & \p & & \p & & & \X & \X & \X \\
5 & & \p & \p & \p & & \p & \p & \p \\
6 & \X & \p & & & \X & \p & & \X \\
7 & \p & \X & & & \p & \p & \p & \X \\
8 & \p & & \p & & & & & \X \\
9 & \X & \p & \X & & \p & & \p & \\
10 & & \X & \p & \X & & \X & \p & \\
11 & & \p & & \p & & & \p & \\
12 & \X & \X & \X & \p & \X & & & \\
13 & \X & \X & \F{A}\X & \p & \X & \X & & \\
14 & & & \X & \p & \p & & & \\
15 & & & \X & \X & & & & \\
16 & \X & & \X & \p & & & & \\
17 & \p & & & \p & & & & \\
18 & \X & & & \X & & & & \\
19 & \p & & & \X & & & & \\
20 & \X & & & \p & & & & \\
21 & \X & & & \p & & & & \\
22 & \p & & & \X & & & & \\
23 & & & & \X & & & & \\
24 & & & & \p & & & & \\
25 & \X & & & \p & & & & \\
26 & & & & \p & & & & \\
27 & \X & & & & & & & \\
28 & \X & & & & & & & \\
29 & \X & & & & & & & \\
32 & \X & & & & & & & \\
33 & \p & & & & & & & \\
\end{tabular}
\caption{Summary of our results: rows are requirement numbers, columns are ASVS sections; a light-gray mark denotes a requirement the \CMS{} passed and a black mark one it failed. Fortify's findings are boxed and labelled with the letter of the corresponding item in our analysis above.}