X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv2_authentication.tex;h=69d1d00693b0dd73d2702de8a5b046165e7dae8c;hb=d7cbb0161e668196585bc56735c1304205cd434e;hp=74875af7df93965a4d954e854ee94b09c993f31e;hpb=67f014d95fdc06c3170f805afae6a48fa101bb3f;p=ssproject1617.git diff --git a/report/v2_authentication.tex b/report/v2_authentication.tex index 74875af..69d1d00 100644 --- a/report/v2_authentication.tex +++ b/report/v2_authentication.tex @@ -15,15 +15,19 @@ public (Principle of complete mediation). \end{result} \item -\pass{} +\fail{} Verify that forms containing credentials are not filled in by the application. Pre-filling by the application implies that credentials are stored in plaintext or a reversible format, which is explicitly prohibited. \begin{result} -No credentials (that should not be stored in plain text) are ever filled in by -the application. +No credentials that come from the database are pre-filled by the application. +However, in some forms, the application pre-fills password fields from the +request's POST data. This is not necesarry.\footnote{This issue was actually +overlooked when auditing manually, and was found when running the Fortify tool. +In the initial audit, we only ensured that no internal information (from the +database) was leaked in this way.} \end{result} \setcounter{enumi}{3} @@ -199,7 +203,8 @@ attacks. \item Email validation, to harden brute force email address discovery \item Installation database check, to prevent guessing attacks for the database password \item Login, to prevent login guessing - \item And comment submission, to prevent spam, phishing et cetera (by using CAPTCHA). + \item And comment submission, to prevent spam, phishing et cetera (by + using some CAPTCHA software). \end{itemize} \end{result} 
@@ -216,8 +221,8 @@ stored in a protected location. However, the installation instructions state the following: \begin{verbatim} -Change the file permissions to allow all users write access to the folder -you extracted testcms to. +Change the file permissions to allow all users write access to the +folder you extracted testcms to. \end{verbatim} This implies making the configuration file readable for all users on the system. This information should not be accessible for any user other than @@ -275,7 +280,7 @@ commonly chosen passwords and weak passphrases. \begin{result} No password strengthening measures are implemented. The app should - use some password strength estimator like \code{zxcvbn}. + use some password strength estimator like \texttt{zxcvbn}\footnote{\url{https://github.com/dropbox/zxcvbn}}. \end{result} \item
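Review bot: typo in the added result text of the first hunk (@@ -15,15 +15,19 @@): "necesarry" should be "necessary". The remediation is also left implicit there; since the finding is that password fields are re-populated from the request's POST data, state the fix in the result (for example, "password inputs should never be re-populated from submitted form data; render them empty on every response") so the \fail{} is actionable. The footnote explaining that the issue was only found by Fortify is useful methodology context and reads fine.

Review bot: wording regression in the CAPTCHA hunk (@@ -199,7 +203,8 @@): "by using some CAPTCHA software" is vaguer than the original "by using CAPTCHA" and the rewrap only needed a line break. Suggest keeping the original phrasing, e.g. "phishing et cetera (by using\n    CAPTCHA)."

Review bot: in the zxcvbn hunk (@@ -275,7 +280,7 @@) the new line runs well past the wrap width used in the rest of the file; break it after \texttt{zxcvbn}, e.g. "use some password strength estimator like \texttt{zxcvbn}%\n  \footnote{\url{https://github.com/dropbox/zxcvbn}}." (the % avoids a stray space before the footnote mark). Also confirm the preamble loads hyperref or url, since \url{} is not available in plain LaTeX and this diff does not show the preamble.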