+ Plaintext logfiles are used and if any data injected into the logfile ends up being executed this would be a security flaw of the text editor used as a viewer.
\end{result}
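Review bot: the added sentence puts all responsibility on "the text editor used as a viewer", which assumes the log is only ever opened in a text editor. The next result in this report says the log files sit in the main program directory and are blocked only if the server configuration cooperates, so a browser may end up rendering them. Either state the viewer assumption explicitly or say how injected markup and control characters are handled when the entry is written.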
\item\pass{} Verify that security logs are protected from
unauthorized access and modification.
\begin{result}
\end{result}
\item\pass{} Verify that security logs are protected from
unauthorized access and modification.
\begin{result}
+ There is a htaccess which is supposed to block access to the log files.
+ Blocking access to the logs depends on the server configuration
+ because the log files are part of the main program directory.
+ Clear documentation which warns users about this behavior is missing.
\end{result}
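Review bot: the item is marked \pass{} while the added result says blocking "depends on the server configuration" and that the warning documentation is missing, so the verdict and the finding disagree. An .htaccess file is only honoured by Apache when AllowOverride permits it; either record the condition under which the pass holds or change the verdict, and recommend keeping the log directory outside the web root. The requirement also covers modification, which the added text does not address. Minor: "a htaccess" should read "an .htaccess file".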
\item\pass{} Verify that the application does not log
\end{result}
\item\pass{} Verify that the application does not log
+ The application itself does not log any usernames/passwords.
+ \emph{PDOException}'s end up in the log files however, the database driver implementation
+ could append sensitive data to the exception message.
+ Documentation suggesting users should verify that the database driver they end up using doesn't include sensitive data in exception messages is absent.
\end{result}
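Review bot: the added result concedes that PDOException messages reach the log files and may carry sensitive data, yet the item stays \pass{} and the only gap named is missing documentation. State whether the application filters or truncates exception messages before logging them, and if it does not, list that as a recommendation next to the verdict. The sentence "\emph{PDOException}'s end up in the log files however, ..." has a stray apostrophe and a comma splice; split it into "PDOExceptions end up in the log files. However, ...".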
\item\pass{} Verify that all non-printable symbols and field
\end{result}
\item\pass{} Verify that all non-printable symbols and field