3 The
\CMS{} has the following access control mechanisms:
6 \item A login mechanism, where logged in users are allowed to access the back-end, and anonymous users are not.
7 \item For logged in users, a role system with three specified roles: admin, editor and regular user.
11 Some typical objects of access control, in this case, are:
14 \item Database records
15 \item Editing capabilities
17 \item Folders, files, info over these data
20 Our check reveals that the access control mechanisms are basically only a stub, and haven't been developed to their usually implied meaning, thus flattening the access control to the single aspect of being logged in or not. Hence, the main remaining security consideration deal with whether this login mechanism protects `back-end' objects from anonymous users.
22 These are the results of our check:
24 \begin{enumerate
}[label=
{V4.
\arabic*
}]
27 % - principle of least privilege?
28 % - inter-role/context safety
30 % - presentation -- server side
31 % - cannot be manipulated
33 % - safe/working auth in place
37 Verify that the principle of least privilege exists
{-
} users
38 should only be able to access functions, data files, URLs,
39 controllers, services, and other resources, for which they
40 possess specific authorization. This implies protection
41 against spoofing and elevation of privilege.
44 Aside from the authentication issues as described in V2, the login system that is in place works as intended, and theoretically only allows registered users to access the back-end.
46 There is a role system, but it seems only to be a stub, for the role of a user has no effect whatsoever on their capabilities.
49 \addtocounter{enumi
}{2}
52 Verify that access to sensitive records is protected, such
53 that only authorized objects or data is accessible to each
54 user (for example, protect against users tampering with a
55 parameter to see or alter another user's account).
58 There is no different access context for distinct users. In particular, they
59 are allowed to access and edit each others' account info, including
60 password. Taken one way, this could be said to be by design and thus OK. But in any reasonable design concept allowing for distinct user accounts, this is clearly not the desired setup.
65 Verify that directory browsing is disabled unless
66 deliberately desired. Additionally, applications should not
67 allow discovery or disclosure of file or directory metadata,
68 such as
\code{Thumbs.db
},
\code{.DS
\_Store},
\code{.git
} or
\code{.svn
} folders.
71 \begin{itemize
}[leftmargin=*
]
72 \item \code{.gitignore
} is freely accessible, as well as any other dot-preceded file (except
\code{.htaccess
}, which is hidden by default Apache rules), as well as files such as
\code{Thumbs.db
} and
\code{.DS
\_Store}.
73 \item Directory contents were listed in my simple setup. A global apache setting may disable by default, but the
\code{.htaccess
} file doesn't explicitly disable (with
\code{Options -Indexes
}), so that the
\CMS{}'s code-base basically enables the listing by default.
77 \addtocounter{enumi
}{2}
80 Verify that access controls fail securely.
83 The only remaining access control mechanism is that of logging in. It fails securely, in the sense that no info about the correctness of the username/password pair are leaked (response time analysis not included); the single error message reads: ``Incorrect details.''
88 Verify that the same access control rules implied by the
89 presentation layer are enforced on the server side.
92 The role and distinct user systems are stubs.
97 Verify that all user and data attributes and policy
98 information used by access controls cannot be
99 manipulated by end users unless specifically authorized.
102 This item is the main security concern, as the login form allows
\SQL{}
103 injections that are capable to alter any information stored in the database.
104 This is described in more detail in item V2.6 on page~
\pageref{auth:
6}.
109 Verify that there is a centralized mechanism (including
110 libraries that call external authorization services) for
111 protecting access to each type of protected resource.
116 Verify that all access control decisions can be logged and
117 all failed decisions are logged.
120 No such decision logging present. There is only a minor amount of logging, and
121 this is only related to not finding content (pages and articles).
126 Verify that the application or framework uses strong
127 random anti-
\CSRF{} tokens or has another transaction
128 protection mechanism.
131 There is no transation protection mechanism at all.
136 Verify the system can protect against aggregate or
137 continuous access of secured functions, resources, or
138 data. For example, consider the use of a resource
139 governor to limit the number of edits per hour or to
140 prevent the entire database from being scraped by an
144 No such prevention present.
149 Verify the application has additional authorization (such
150 as step up or adaptive authentication) for lower value
151 systems, and / or segregation of duties for high value
152 applications to enforce anti-fraud controls as per the risk
153 of application and past fraud.
161 Verify that the application correctly enforces context-
162 sensitive authorization so as to not allow unauthorized
163 manipulation by means of parameter tampering.