X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv4_access.tex;h=03052d2ebf8b887f440c79ff8ac965cee334c77e;hb=06d7ae862f750a89968a0c7c2104b133e801d3a5;hp=506eea7e9af3cb9392034da43c6d652e2e910d33;hpb=8e8f9216ff3661912febc6d1bcb696fb4be655f6;p=ssproject1617.git diff --git a/report/v4_access.tex b/report/v4_access.tex index 506eea7..03052d2 100644 --- a/report/v4_access.tex +++ b/report/v4_access.tex @@ -22,7 +22,7 @@ Our check reveales that the access control mechanisms are basically only a stub, These are the results of our check: -\begin{enumerate}[label={4.\arabic*}] +\begin{enumerate}[label={V4.\arabic*}] % Access controls: % - principle of least privilege? @@ -92,13 +92,15 @@ Fail, because the role and distinct user systems are stubs. \end{result} \item -\pass{} +\fail{} Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. \begin{result} -This item is the main remaining security concern. I haven't found any obvious fail in the login system, but given the architecture and security status of the whole CMS, I'm not very sure of it. +This item is the main remaining security concern, as the login form allows SQL +injections that are capable to alter any information stored in the database. +This is described in more detail in item V2.6 on page~\pageref{auth:6}. \end{result} \notapplicable{
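Review bot: the relabelling from `4.\arabic*` to `V4.\arabic*` in the first hunk lines up with the `V2.6` cross-reference introduced later in this patch, but the unchanged context line that introduces the list still reads "Our check reveales that", a typo for "reveals"; since that sentence leads into the enumerate being edited here, it is worth fixing in the same commit.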
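Review bot: in the second hunk the new `\pageref{auth:6}` only resolves if a matching `\label{auth:6}` exists at item V2.6 in the authentication section, which this diff does not show; build the report and check the log for an undefined-reference warning before merging, otherwise the page number renders as "??". The phrase "capable to alter any information" should read "capable of altering any information". The verdict change from `\pass{}` to `\fail{}` is consistent with the new justification: an injection in the login form that can modify stored data is an unauthorized write path to the attributes this requirement says end users must not be able to manipulate.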