\end{result}
\item
-\pass{}
+\fail{}
Verify that forms containing credentials are not filled in by
the application. Pre-filling by the application implies that
credentials are stored in plaintext or a reversible format,
which is explicitly prohibited.
\begin{result}
-No credentials (that should not be stored in plain text) are ever filled in by
-the application.
+No credentials that come from the database are pre-filled by the application.
+However, in some forms, the application pre-fills password fields from the
+request's POST data. This is not necesarry.\footnote{This issue was actually
+overlooked when auditing manually, and was found when running the Fortify tool.
+In the initial audit, we only ensured that no internal information (from the
+database) was leaked in this way.}
\end{result}
\setcounter{enumi}{3}
However, the installation instructions state the following:
\begin{verbatim}
-Change the file permissions to allow all users write access to the folder
-you extracted testcms to.
+Change the file permissions to allow all users write access to the
+folder you extracted testcms to.
\end{verbatim}
This implies making the configuration file readable for all users on the
system. This information should not be accessible for any user other than
repositories / ssproject1617.git / blobdiff