Verdict description inserted.

diff --git a/report/v8_error.tex b/report/v8_error.tex
index d61dcef..58e782a 100644 (file)
--- a/report/v8_error.tex
+++ b/report/v8_error.tex
@@ -1,5 +1,5 @@
 \begin{enumerate}[label={8.\arabic*}]
 \begin{enumerate}[label={8.\arabic*}]

-       \item\pass{} Verify that the application does not output error 
+       \item\fail{} Verify that the application does not output error 

                messages or stack traces containing sensitive data 
                that could assist an attacker, 
                including session id, 
                messages or stack traces containing sensitive data 
                that could assist an attacker, 
                including session id, 


@@ -7,12 +7,17 @@
                information.
 
                \begin{result}
                information.
 
                \begin{result}

+               Disabled by default but there is no way to enable error logging 
+               without outputting detailed error information. \emph{PDOException::getMessage}
+               is directly logged to the specified logging target (user or logfile).

                \end{result}
        
        \item\pass{} Verify that error handling logic in security controls 
                denies access by default.
 
                \begin{result}
                \end{result}
        
        \item\pass{} Verify that error handling logic in security controls 
                denies access by default.
 
                \begin{result}

+               The limited number of errors actually handled do block access. 
+               The software passes this check, this however is a side effect of limited error handling.

                \end{result}
        
        \item\pass{} Verify security logging controls provide the ability 
                \end{result}
        
        \item\pass{} Verify security logging controls provide the ability 


@@ -21,6 +26,9 @@
                are identified as security-relevant.
 
                \begin{result}
                are identified as security-relevant.
 
                \begin{result}

+               Failed login attempts or password resets are not logged at all.
+               Only actual crashes/unrecoverable errors are logged.
+               Failed/unauthorized installation attempts won't get logged either.

                \end{result}
        
        \item\pass{} Verify that each log event includes necessary 
                \end{result}
        
        \item\pass{} Verify that each log event includes necessary 


@@ -29,6 +37,8 @@
                happens.
 
                \begin{result}
                happens.
 
                \begin{result}

+               Log information is very minimal and doesn't include the date and time unless it's part of the exception message. 
+               Only information available regarding the moment an error occoured is the date used as the log filename.

                \end{result}
        
        \item\pass{} Verify that all
                \end{result}
        
        \item\pass{} Verify that all


@@ -37,12 +47,17 @@
                viewing software.
 
                \begin{result}
                viewing software.
 
                \begin{result}

+               Plaintext logfiles are used and if any data injected into the logfile ends up being executed this would be a security flaw of the text editor used as a viewer.

                \end{result}
        
        \item\pass{} Verify that security logs are protected from 
                unauthorized access and modification.
 
                \begin{result}
                \end{result}
        
        \item\pass{} Verify that security logs are protected from 
                unauthorized access and modification.
 
                \begin{result}

+               There is a htaccess which is supposed to block access to the log files.
+               Blocking access to the logs depends on the server configuration
+               because the log files are part of the main program directory.
+               Clear documentation which warns users about this behavior is missing.

                \end{result}
        
        \item\pass{} Verify that the application does not log 
                \end{result}
        
        \item\pass{} Verify that the application does not log 


@@ -56,6 +71,10 @@
                I tokens.
 
                \begin{result}
                I tokens.
 
                \begin{result}

+               The application itself does not log any usernames/passwords.
+               \emph{PDOException}'s end up in the log files however, the database driver implementation
+               could append sensitive data to the exception message.
+               Documentation suggesting users should verify that the database driver they end up using doesn't include sensitive data in exception messages is absent.

                \end{result}
        
        \item\pass{} Verify that all non-printable symbols and field 
                \end{result}
        
        \item\pass{} Verify that all non-printable symbols and field 


@@ -74,6 +93,9 @@
        \item\pass{} Verify that an audit log or similar allows for non-repudiation of key transactions.
 
                \begin{result}
        \item\pass{} Verify that an audit log or similar allows for non-repudiation of key transactions.
 
                \begin{result}

+               Failed login attempts, password reset, login/logout... are not logged at all.
+               It's not possible to retreive the IP address from which a password reset has been issued.
+               Only potential requests are logged even before it's verified such an action exists.

                \end{result}
        
        \item\pass{} Verify that security logs have some form of 
                \end{result}
        
        \item\pass{} Verify that security logs have some form of 


@@ -95,5 +117,7 @@
                logs have the correct time.
 
                \begin{result}
                logs have the correct time.
 
                \begin{result}

+               Time information is not inserted into log messages. 
+               The actual log files however are named after the current system date, this gives a precision of 24 hours.

                \end{result}
 \end{enumerate}
\ No newline at end of file
                \end{result}
 \end{enumerate}
\ No newline at end of file