\end{result}
\item
-\pass{}
+\fail{}
Verify that forms containing credentials are not filled in by
the application. Pre-filling by the application implies that
credentials are stored in plaintext or a reversible format,
which is explicitly prohibited.
\begin{result}
-No credentials (that should not be stored in plain text) are ever filled in by
-the application.
+No credentials that come from the database are pre-filled by the application.
+However, in some forms, the application pre-fills password fields from the
+request's POST data. This is not necesarry.\footnote{This issue was actually
+overlooked when auditing manually, and was found when running the Fortify tool.
+In the initial audit, we only ensured that no internal information (from the
+database) was leaked in this way.}
\end{result}
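Review bot: typo in the added result text, "necesarry" should be "necessary". The result should also say why pre-filling a password field from POST data matters rather than calling it unnecessary: the submitted password is echoed back into the response HTML, where it is exposed in the page source, the browser cache and any intermediate logs, so the recommendation should be to drop the pre-fill entirely. The `\pass{}` to `\fail{}` change is consistent with the footnote about the Fortify finding.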
\setcounter{enumi}{3}
\item Email validation, to harden brute force email address discovery
\item Installation database check, to prevent guessing attacks for the database password
\item Login, to prevent login guessing
- \item And comment submission, to prevent spam, phishing et cetera (by using CAPTCHA).
+ \item And comment submission, to prevent spam, phishing et cetera (by
+ using some CAPTCHA software).
\end{itemize}
\end{result}
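Review bot: style point on the reworded item: a list item starting with "And" reads oddly in an enumeration; suggest "Comment submission, to prevent spam, phishing, etc. (by using CAPTCHA software)." so it matches the form of the items above it.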
However, the installation instructions state the following:
\begin{verbatim}
-Change the file permissions to allow all users write access to the folder
-you extracted testcms to.
+Change the file permissions to allow all users write access to the
+folder you extracted testcms to.
\end{verbatim}
This implies making the configuration file readable for all users on the
system. This information should not be accessible for any user other than
e-mail, which is considered weak (but not unsafe).
\end{result}
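Review bot: the sentence following the verbatim block is broken: "This information should not be accessible for any user other than" runs straight into "e-mail, which is considered weak (but not unsafe)", which looks like two results spliced together. Finish the first sentence (which account should retain access) and move the e-mail remark to its own result. Separately, the paragraph speaks of the configuration file being "readable for all users", but the quoted instruction grants all users write access to the whole folder, so any local user can also modify the configuration, not just read the database credentials; the result should say world-writable and recommend restricting the folder to the account the web server runs as.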
-\notapplicable{\item
+\item
+\fail{}
Verify that account lockout is divided into soft and hard
lock status, and these are not mutually exclusive. If an
account is temporarily soft locked out due to a brute force
attack, this should not reset the hard lock status.
-% The application has not implemented any lockout mechanisms.
-}
+\begin{result}
+ The application has not implemented any lockout mechanisms.
+\end{result}
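Review bot: the new result ("no lockout mechanisms") should be reconciled with the CAPTCHA list earlier in the report, which states that the login form uses a CAPTCHA "to prevent login guessing". Say explicitly that the CAPTCHA is the only brute-force control present and that it does not provide the soft/hard lock behaviour the requirement asks for; the `\fail{}` verdict then stands on its own.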
-\notapplicable{\item
+\item
+\pass{}
Verify that if shared knowledge based questions (also
known as ``secret questions'') are required, the questions
do not violate privacy laws and are sufficiently strong to
-protect accounts from malicious recovery.}
+protect accounts from malicious recovery.
+
+\begin{result}
+ The application uses no shared knowledge based questions, and thus not
+ violate any privacy laws.
+\end{result}
\item
\fail{}
require variation in the use of different passwords.
\end{result}
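Review bot: grammar in the added result, "and thus not violate any privacy laws" should be "and thus does not violate any privacy laws". Also, since the requirement is conditional ("if shared knowledge based questions ... are required"), switching from `\notapplicable` to `\pass{}` deserves a word in the result, e.g. that the control is satisfied because no such questions exist, otherwise a reader may take the pass as meaning secret questions were reviewed.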
-\notapplicable{\item
+\item
+\pass{}
Verify that risk based re-authentication, two factor or
-transaction signing is in place for high value transactions.}
+transaction signing is in place for high value transactions.
-% There are no (really) risk based action or which re-authentication would be
-% fit
+\begin{result}
+ There are no (really) risk based action or which re-authentication would be
+ fit.
+\end{result}
\item
\fail{}
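Review bot: the added result is ungrammatical: "There are no (really) risk based action or which re-authentication would be fit." should read something like "There are no high value transactions for which re-authentication would be appropriate." As with the secret-questions item, the move from `\notapplicable` to `\pass{}` on a conditional requirement should be justified in the result text itself.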
\begin{result}
No password strengthening measures are implemented. The app should
- use some password strength estimator like \code{zxcvbn}.
+ use some password strength estimator like \texttt{zxcvbn}\footnote{\url{https://github.com/dropbox/zxcvbn}}.
\end{result}
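Review bot: inconsistency in the macro change: `\code{zxcvbn}` becomes `\texttt{zxcvbn}` here, but the later result keeps `\code{config.php}`. Either replace `\code` everywhere or leave it, so the report uses one macro for inline identifiers. The footnote URL is a good addition.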
+\notapplicable{
\item
-\fail{}
+% \fail{}
Verify that all authentication challenges, whether
successful or failed, should respond in the same average
response time.
-\begin{result}
- String comparisation for checking password hases and password reset tokens
- are not in constant time.
-\end{result}
+% \begin{result}
+% String comparisation for checking password hashes and password reset
+% tokens are not in constant time.
+% \end{result}
+}
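Review bot: wrapping this item in `\notapplicable{}` and commenting out the `\fail{}` hides a finding that the commented text itself still states: "String comparisation for checking password hashes and password reset tokens are not in constant time." That is exactly what the requirement covers, and the reset-token comparison in particular is the timing-sensitive one. Keep the `\fail{}` and the result visible (fixing "comparisation" to "comparison"), and recommend a constant-time comparison; in PHP, `hash_equals()` exists for this purpose. If the authors consider the timing difference unexploitable in practice, say so in the result rather than marking the requirement not applicable. Also note that with `% \fail{}` commented out the item carries no verdict macro at all.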
+\notapplicable{
\item
-\fail{}
+% \fail{}
Verify that secrets, \API{} keys, and passwords are not
included in the source code, or online source code
repositories.
-\begin{result}
- The database credentials are hard coded in \code{config.php}. These
- credentials should ideally be passed using environment variables.
-\end{result}
+% \begin{result}
+% The database credentials are hard coded in \code{config.php}. These
+% credentials should ideally be passed using environment variables.
+% \end{result}
+}
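Review bot: marking the hard-coded database credentials in `\code{config.php}` as not applicable removes a finding without stating why. The requirement is about secrets in source code or online repositories; if the reason is that `config.php` is generated at install time and is not part of the repository, the result should say that explicitly (and the earlier world-writable folder finding then becomes the relevant exposure). Otherwise keep the `\fail{}` and the recommendation to pass the credentials via environment variables.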
\setcounter{enumi}{30}
-\notapplicable{\item
+\item
+\fail{}
Verify that if an application allows users to authenticate,
they can authenticate using two-factor authentication or
other strong authentication, or any similar scheme that
provides protection against username + password
-disclosure.}
+disclosure.
+
+\begin{result}
+ No surch features are implemented.
+\end{result}
\item
\fail{}
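Review bot: typo in the added result, "No surch features are implemented." should be "No such features are implemented." Since this requirement is about two-factor or other strong authentication, it would help the reader if the result also referred back to the lockout and password-strength failures above, as together they describe the same weak authentication posture.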