\subsection{\HTTP{} Security}
\input{v11_httpsec.tex}
- \addtocounter{subsection}{4}
- \subsection{Files and Recourses}
- TODO
-
\renewcommand\thesubsection{\arabic{section}.\arabic{subsection}}
content type header specifying a safe character set
(e.g., \emph{UTF-8}, \emph{ISO 8859{-}1}).
\begin{result}
- Content type headers may be set anywhere in the application. Furthermure,
+ Content type headers may be set anywhere in the application. Furthermure,\\
\code{Response::send} ensures that if no content type header is set, all
responses will fall back to using \code{text/html; charset=UTF-8}.
\end{result}
However, the installation instructions state the following:
\begin{verbatim}
-Change the file permissions to allow all users write access to the folder
-you extracted testcms to.
+Change the file permissions to allow all users write access to the
+folder you extracted testcms to.
\end{verbatim}
This implies making the configuration file readable for all users on the
system. This information should not be accessible for any user other than
}
\item
+ \fail{}
Verify that cryptographic algorithms used by the application have been
validated against FIPS 140{-}2 or an equivalent standard.
\begin{result}
- The application uses MD5 for password hashing, which should be insecure by
- now.
+ The application uses MD5 for password hashing, which is insecure by current
+ standards
\end{result}
\notapplicable{
\begin{result}
Failed login attempts or password resets are not logged at all.
- Only actual crashes/unrecoverable errors are logged.
+ Only actual crashes or unrecoverable errors are logged.
Failed/unauthorized installation attempts won't get logged either.
\end{result}
Vacuously: data is not stored on the client side.
\end{result}
- \item\pass{} Verify accessing sensitive data is logged, if the data is
+ \item\fail{} Verify accessing sensitive data is logged, if the data is
collected under relevant data protection directives or
where logging of accesses is required.
to mitigate memory dumping attacks.
\begin{result}
- I consider this outside of the scope of the \CMS{}'s security requirements, as it is written in, and thus relies on the (memory) security of, \PHP{}.
+ We consider this outside of the scope of the \CMS{}'s security requirements, as it is written in, and thus relies on the (memory) security of, \PHP{}.
\end{result}
\end{enumerate}