Minor fixes (mainly textual) for v{2,3,4,5,7,8,11}
[ssproject1617.git] / report / v8_error.tex
\begin{enumerate}[label={V8.\arabic*}]
\item\fail{} Verify that the application does not output error
messages or stack traces containing sensitive data
that could assist an attacker,
including session id,
software/framework versions and personal
information.

\begin{result}
Error output is disabled by default, but there is no way to enable error logging
without also outputting detailed error information. The return value of \emph{PDOException::getMessage}
is logged directly to the configured logging target (user or logfile).
\end{result}
14
\item\pass{} Verify that error handling logic in security controls
denies access by default.

\begin{result}
The few errors that are actually handled do block access.
The software passes this check, but only as a side effect of its limited error handling.
\end{result}
22
\item\fail{} Verify security logging controls provide the ability
to log success and
particularly failure events that
are identified as security-relevant.

\begin{result}
Failed login attempts and password resets are not logged at all.
Only actual crashes and unrecoverable errors are logged.
Failed or unauthorized installation attempts are not logged either.
\end{result}
33
\item\fail{} Verify that each log event includes necessary
information that would allow for a detailed
investigation of the timeline when an event
happens.

\begin{result}
Log information is very minimal and does not include the date and time unless they happen to be part of the exception message.
The only information available about when an error occurred is the date used as the log filename.
\end{result}
43
\item\pass{} Verify that all
events that include untrusted data
will not execute as code in the intended log
viewing software.

\begin{result}
Plaintext log files are used; if any data injected into a log file were to be executed, that would be a security flaw of the text editor used as the viewer.
\end{result}
52
\item\pass{} Verify that security logs are protected from
unauthorized access and modification.

\begin{result}
There is an \emph{.htaccess} file which is supposed to block access to the log files.
Whether access to the logs is actually blocked depends on the server configuration,
because the log files are located inside the main program directory.
Clear documentation warning users about this behavior is missing.
\end{result}
62
\item\pass{} Verify that the application does not log
sensitive
data as defined under local privacy laws or
regulations, organizational sensitive data as
defined by a risk assessment, or sensitive
authentication data that could assist an attacker,
including user's session identifiers, passwords,
hashes, or API tokens.

\begin{result}
The application itself does not log any usernames or passwords.
\emph{PDOException}s do end up in the log files, however, and the database driver implementation
could append sensitive data to the exception message.
Documentation advising users to verify that the database driver they use does not include sensitive data in exception messages is absent.
\end{result}
78
\notapplicable{\item Verify that all non-printable symbols and field
separators are properly encoded in log entries, to
prevent log injection.}

\notapplicable{\item Verify that log fields from trusted and untrusted
sources are distinguishable in log entries.}
85
\item\fail{} Verify that an audit log or similar allows for non-repudiation of key transactions.

\begin{result}
Failed login attempts, password resets, login/logout\ldots are not logged at all.
It is not possible to retrieve the IP address from which a password reset has been issued.
Only potential requests are logged, even before it is verified that such an action exists.
\end{result}
93
\notapplicable{\item Verify that security logs have some form of
integrity checking or controls to prevent
unauthorized modification.}

\notapplicable{\item Verify that the
logs are stored on a different
partition than the application is running with
proper log rotation.}
102
\item\fail{} Time sources should be synchronized to ensure
logs have the correct time.

\begin{result}
Time information is not inserted into log messages.
The log files themselves, however, are named after the current system date, which gives a precision of only 24 hours.
\end{result}
\end{enumerate}
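The findings for V8.1, V8.3, V8.4 and V8.8 above describe what a minimal logger would have to do differently. The following PHP sketch is an added illustration written for this report, not code from the assessed project; the function names, the log directory and the sample events are assumptions.

```php
<?php
// Added example (not part of the assessed project): a small logger that
// addresses the V8.1, V8.3, V8.4 and V8.8 findings. Function names,
// file paths and the sample events are assumptions for illustration.

const LOG_DIR = '/var/log/myapp'; // outside the web root, unlike the assessed app

// Escape control characters and the field separator so an attacker-controlled
// value (e.g. a username) cannot forge additional log lines (V8.8).
function sanitizeField(string $value): string
{
    return preg_replace_callback('/[\x00-\x1F\x7F|]/', function (array $m): string {
        return sprintf('\\x%02X', ord($m[0]));
    }, $value);
}

// Write one pipe-separated entry with an ISO-8601 UTC timestamp (V8.4),
// the event name and tagged key/value fields. Returns the line written.
function logEvent(string $event, array $fields): string
{
    $parts = [gmdate('Y-m-d\TH:i:s\Z'), sanitizeField($event)];
    foreach ($fields as $key => $value) {
        $parts[] = sanitizeField((string) $key) . '=' . sanitizeField((string) $value);
    }
    $line = implode('|', $parts) . "\n";
    file_put_contents(LOG_DIR . '/security.log', $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// Record a database failure without copying the driver's message into the
// application log or showing it to the user (V8.1/V8.7): exception class and
// SQLSTATE are enough to triage; the raw message goes only to the PHP error log.
function logDatabaseError(PDOException $e, string $context): string
{
    error_log($e->getMessage()); // server-side only; caller shows a generic message
    return logEvent('db_error', [
        'context'  => $context,
        'class'    => get_class($e),
        'sqlstate' => (string) $e->getCode(),
    ]);
}

// Security-relevant events the assessed application did not record (V8.3).
// The username is a constructed test value containing a newline, which
// sanitizeField() turns into a literal "\x0A" instead of a line break.
logEvent('login_failed', [
    'user' => "alice\nforged",
    'ip'   => $_SERVER['REMOTE_ADDR'] ?? 'cli',
]);
```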