\input{v2_authentication}
\subsection{Session Management}
+\input{v3_session.tex}
\subsection{Access Control}
\input{v4_access.tex}
\subsection{Input Validation \& Output Encoding/Escaping}
\input{v5_input.tex}
+\addtocounter{subsection}{1}
+
\subsection{Cryptography at rest}
+\input{v7_cryptography.tex}
\subsection{Error Handling \& logging}
--- /dev/null
+\begin{enumerate}[label={3.\arabic*}]
+
+ \item
+ \pass{}
+ Verify that there is no custom session manager, or that the custom session
+ manager is resistant against all common session management attacks.
+ \begin{result}
+ The application uses the standard \PHP{} functionality; namely
+ \code{session\_start ()} to manage sessions.
+ \end{result}
+
+
+ \item
+ \pass{}
+ Verify that sessions are invalidated when the user logs out.
+ \begin{result}
+ When a user logs out the application calls \code{forget()}, which
+ invalidates the session.
+ \end{result}
+
+
+ \item
+ \fail{}
+ Verify that sessions timeout after a specified period of inactivity.
+ \begin{result}
+ There is absolutely no functionality which tracks how long a user has been inactive.
+ \end{result}
+
+
+ \notapplicable{%
+ \item
+ Verify that sessions timeout after an administratively-configurable
+ maximum time period regardless of activity (an absolute timeout).
+ }
+
+ \item
+ \pass{}
+ Verify that all pages that require authentication have easy and visible
+ access to logout functionality.
+ \begin{result}
+ The logout functionality is plainly visible on the top right of the
+ application on every page that requires authentication. This is defined in
+ \srcref{admin/themes/header.php}{16-30}
+ \end{result}
+
+
+ \item
+ \pass{}
+ Verify that the session id is never disclosed in URLs, error messages, or
+ logs. This includes verifying that the application does not support URL
+ rewriting of session cookies.
+ \begin{result}
+ The session id is only used inside the cookie. And the \PHP{}
+ \code{\$\_SESSION} variable is never accessed outside of session
+ management in \srcref{sessions.php}{}.
+ \end{result}
+
+
+ \item
+ \fail{}
+ Verify that all successful authentication and re-authentication generates
+ a new session and session id.
+ \begin{result}
+ The application does not destroy the session id upon logout, it merely
+ invalidates it. However \PHP{}'s session managements automatically
+ invalides these session id's after some time. % Discuss?
+ \end{result}
+
+
+ \notapplicable{%
+ \item
+ Verify that only session ids generated by the application framework are
+ recognized as active by the application.
+ }
+
+ \item
+ \pass{}
+ Verify that session ids are sufficiently long, random and unique across the
+ correct active session base.
+ \begin{result}
+ The session ids are generated by \PHP{} trough the \code{session\_start}
+ function. These are indeed sufficiently long, random and unique. There are
+ no known attacks against these session ID's.
+ \end{result}
+
+
+ \item
+ \fail{}
+ Verify that session ids stored in cookies have their path set to an
+ appropriately restrictive value for the application, and authentication
+ session tokens additionally set the “HttpOnly” and “secure” attributes.
+ \begin{result}
+ There is just one cookie for tha application and it's path includes the whole
+ site. However this seems appropriate. The "HttpOnly" and "secure"
+ attributes are not set for this cookie.
+ \end{result}
+
+
+ \item
+ \pass{}
+ Verify that the application limits the number of active concurrent sessions.
+ \begin{result}
+ By using \PHP{}'s session handling mechanism the application limits the
+ number of active concurrent sessions adequately.
+ \end{result}
+
+ \item
+ \fail{}
+ Verify that an active session list is displayed in the account profile or
+ similar of each user. The user should be able to terminate any active
+ session.
+ \begin{result}
+ There is no indication whatsoever of any other active sessions a user may
+ have open
+ \end{result}
+
+ \item
+ \fail{}
+ Verify the user is prompted with the option to terminate all other active
+ sessions after a successful change password process.
+ \begin{result}
+ There is no such option, also notqeable is that there is no confirmation for
+ the password change.
+ \end{result}
+
+\end{enumerate}
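Review bot: The result under item 3.7 (the `\item` marked `\fail{}` for "all successful authentication and re-authentication generates a new session and session id") never answers that check: it talks about what happens at logout and leaves a `% Discuss?` stub, whereas the item is about issuing a fresh id at login so that an id handed out before authentication cannot be carried over (session fixation). I would replace the result with a statement of what the login path actually does with the session id, for example `No call to \code{session\_regenerate\_id()} was found on the login path, so the id issued before authentication stays valid afterwards.`, provided that is what the code shows. The `\pass{}` on 3.11 also looks unsupported as written: PHP's built-in session handling issues one id per browser and does not by itself cap how many concurrent sessions one user account can hold, so the result should cite the application code that enforces a limit or the item should be `\fail{}`. Smaller points in the same hunk: the straight double quotes in `"HttpOnly" and "secure"` in the 3.10 result typeset as the wrong glyphs in LaTeX and should be ``...'' or `\enquote{}` like the curly quotes in the item text, and "trough", "tha", "it's path", "invalides" and "notqeable" are typos.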
--- /dev/null
+% usage of crypt()
+\begin{enumerate}[label={7.\arabic*}]
+
+ \addtocounter{enumi}{1}
+ \item
+ \pass{}
+ Verify that all cryptographic modules fail securely, and errors are handled
+ in a way that does not enable oracle padding.
+ \begin{result}
+ The only cryptographic operation is the hashing of the password, which can
+ not be vulnerable to a padding attack as it does not use a block cipher.
+ \end{result}
+
+
+ \addtocounter{enumi}{3}
+ \notapplicable{
+ \item
+ Verify that all random numbers, random file names, random GUIDs, and random
+ strings are generated using the cryptographic module’s approved random
+ number generator when these random values are intended to be not guessable
+ by an attacker.
+ }
+
+ \item
+ \TODO{}
+ Verify that cryptographic algorithms used by the application have been
+ validated against FIPS 140-2 or an equivalent standard.
+ \begin{result}
+ The application uses md-5 for password hashing, which should be insecure by
+ now.
+ \end{result}
+
+ \notapplicable{
+ \item
+ Verify that cryptographic modules operate in their approved mode according
+ to their published security policies.
+ }
+
+ \notapplicable{
+ \item
+ Verify that there is an explicit policy for how cryptographic keys are
+ managed (e.g., generated, distributed, revoked, and expired). Verify that
+ this key lifecycle is properly enforced.
+ }
+
+ \addtocounter{enumi}{1}
+ \notapplicable{
+ \item
+ Verify that all consumers of cryptographic services do not have direct
+ access to key material. Isolate cryptographic processes, including master
+ secrets and consider the use of a virtualized or physical hardware key vault
+ (HSM).
+ }
+
+ \notapplicable{
+ \item
+ \textit{Personally Identifiable Information} should be stored encrypted at
+ rest and ensure that communication goes via protected channels.
+ }
+
+ \notapplicable{
+ \item
+ Verify that sensitive passwords or key material maintained in memory is
+ overwritten with zeros as soon as it no longer required, to mitigate memory
+ dumping attacks.
+ }
+
+ \notapplicable{
+ \item
+ Verify that all keys and passwords are replaceable, and are generated or
+ replaced at installation time.
+ }
+
+ \notapplicable{
+ \item
+ Verify that random numbers are created with proper entropy even when the
+ application is under heavy load, or that the application degrades gracefully
+ in such circumstance.
+ }
+
+\end{enumerate}
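Review bot: Item 7.7 (the `\item` marked `\TODO{}`) is left undecided although its result already records the finding that settles it: passwords are hashed with MD5, which is not an approved algorithm under FIPS 140-2 and, being a fast general-purpose digest, is not suitable for password storage, so the marker should be `\fail{}`. The wording `md-5 ... which should be insecure by now` is too vague for a finding; I would write `Passwords are hashed with MD5, which is not FIPS 140-2 approved and is unsuitable for password storage; a salted, slow password hash such as PHP's \code{password\_hash()} should be used instead.` The `% usage of crypt()` comment on the first line of the file is a dangling note that no result refers to; either turn it into a result or drop it. Style: the `\notapplicable{` lines here omit the trailing `%` that the session file uses, so each one inserts a spurious space before its `\item`.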
--- /dev/null
+@echo off
+REM ###########################################################################
+REM Script generated by HPE Security Fortify SCA Scan Wizard (c) 2011-2016 Hewlett Packard Enterprise Development LP
+REM Created on 2016/11/09 09:06:13
+REM ###########################################################################
+REM Generated for the following languages:
+REM Javascript
+REM PHP
+REM SQL
+REM ###########################################################################
+REM DEBUG - if set to true, runs SCA in debug mode
+REM SOURCEANALYZER - the name of the SCA executable
+REM FPR - the name of analysis result file
+REM BUILDID - the SCA build id
+REM ARGFILE - the name of the argument file that's extracted and passed to SCA
+REM BYTECODE_ARGFILE - the name of the argument file for Java Bytecode translation that's extracted and passed to SCA
+REM MEMORY - the memory settings for SCA
+REM LAUNCHERSWITCHES - the launcher settings that are used to invoke SCA
+REM OLDFILENUMBER - this defines the file which contains the number of files within the project, it is automatically generated
+REM FILENOMAXDIFF - this is the percentage of difference between the number of files which will trigger a warning by the script
+REM ###########################################################################
+
+set DEBUG=false
+set SOURCEANALYZER=sourceanalyzer
+set FPR="Fortifytestcms-final-anon.fpr"
+set BUILDID="testcms-final-anon"
+set ARGFILE="Fortifytestcms-final-anon.bat.args"
+set BYTECODE_ARGFILE="Fortifytestcms-final-anon.bat.bytecode.args"
+set MEMORY=-Xmx682M -Xms400M -Xss24M
+set LAUNCHERSWITCHES=""
+set OLDFILENUMBER=Fortifytestcms-final-anon.bat.fileno
+set FILENOMAXDIFF=10
+set ENABLE_BYTECODE=false
+
+set PROJECTROOT0="C:\Users\mrl\Desktop\ssproject1617\testcms-final-anon"
+IF NOT EXIST %PROJECTROOT0% (
+ ECHO ERROR: This script is being run on a different machine than it was
+ ECHO generated on or the targeted project has been moved. This script is
+ ECHO configured to locate files at
+ ECHO %PROJECTROOT0%
+ ECHO Please modify the %%PROJECTROOT0%% variable found
+ ECHO at the top of this script to point to the corresponding directory
+ ECHO located on this machine.
+ GOTO :FINISHED
+)
+
+IF %DEBUG%==true set LAUNCHERSWITCHES=-debug %LAUNCHERSWITCHES%
+echo Extracting Arguments File
+
+
+echo. >%ARGFILE%
+echo. >%BYTECODE_ARGFILE%
+SETLOCAL ENABLEDELAYEDEXPANSION
+IF EXIST %0 (
+ set SCAScriptFile=%0
+) ELSE (
+ set SCAScriptFile=%0.bat
+)
+
+set PROJECTROOT0=%PROJECTROOT0:)=^)%
+FOR /f "delims=" %%a IN ('findstr /B /C:"REM ARGS" %SCAScriptFile%' ) DO (
+ set argVal=%%a
+ set argVal=!argVal:PROJECTROOT0_MARKER=%PROJECTROOT0:~1,-1%!
+ echo !argVal:~9! >> %ARGFILE%
+)
+set PROJECTROOT0=%PROJECTROOT0:)=^)%
+FOR /f "delims=" %%a IN ('findstr /B /C:"REM BYTECODE_ARGS" %SCAScriptFile%' ) DO (
+ set ENABLE_BYTECODE=true
+ set argVal=%%a
+ set argVal=!argVal:PROJECTROOT0_MARKER=%PROJECTROOT0:~1,-1%!
+ echo !argVal:~18! >> %BYTECODE_ARGFILE%
+)
+ENDLOCAL && set ENABLE_BYTECODE=%ENABLE_BYTECODE%
+
+REM ###########################################################################
+echo Cleaning previous scan artifacts
+%SOURCEANALYZER% %MEMORY% %LAUNCHERSWITCHES% -b %BUILDID% -clean
+IF %ERRORLEVEL%==1 (
+echo Sourceanalyzer failed, exiting
+GOTO :FINISHED
+)
+REM ###########################################################################
+echo Translating files
+%SOURCEANALYZER% %MEMORY% %LAUNCHERSWITCHES% -b %BUILDID% @%ARGFILE%
+IF %ERRORLEVEL%==1 (
+echo Sourceanalyzer failed, exiting
+GOTO :FINISHED
+)
+REM ###########################################################################
+IF %ENABLE_BYTECODE%==true (
+echo Translating Java bytecode files
+%SOURCEANALYZER% %MEMORY% %LAUNCHERSWITCHES% -b %BUILDID% @%BYTECODE_ARGFILE%
+IF %ERRORLEVEL%==1 (
+echo Sourceanalyzer failed, exiting
+GOTO :FINISHED
+)
+)
+REM ###########################################################################
+echo Testing Difference between Translations
+SETLOCAL
+FOR /F "delims=" %%A in ('%SOURCEANALYZER% -b %BUILDID% -show-files ^| findstr /R /N "^" ^| find /C ":" ') DO SET FILENUMBER=%%A
+IF NOT EXIST %OLDFILENUMBER% (
+ ECHO It appears to be the first time running this script, setting %OLDFILENUMBER% to %FILENUMBER%
+ ECHO %FILENUMBER% > %OLDFILENUMBER%
+ GOTO TESTENDED
+)
+
+FOR /F "delims=" %%i IN (%OLDFILENUMBER%) DO SET OLDFILENO=%%i
+set /a DIFF=%OLDFILENO% * %FILENOMAXDIFF%
+set /a DIFF /= 100
+set /a MAX=%OLDFILENO% + %DIFF%
+set /a MIN=%OLDFILENO% - %DIFF%
+
+IF %FILENUMBER% LSS %MIN% set SHOWWARNING=true
+IF %FILENUMBER% GTR %MAX% set SHOWWARNING=true
+
+IF DEFINED SHOWWARNING (
+ ECHO WARNING: The number of files has changed by over %FILENOMAXDIFF%%%, it is recommended
+ ECHO that this script is regenerated with the ScanWizard
+)
+:TESTENDED
+ENDLOCAL
+
+REM ###########################################################################
+echo Starting scan
+%SOURCEANALYZER% %MEMORY% %LAUNCHERSWITCHES% -b %BUILDID% -scan -f %FPR%
+IF %ERRORLEVEL%==1 (
+echo Sourceanalyzer failed, exiting
+GOTO :FINISHED
+)
+REM ###########################################################################
+echo Finished
+:FINISHED
+REM ARGS "-Dcom.fortify.sca.fileextensions.sql=PLSQL"
+REM ARGS "PROJECTROOT0_MARKER"
--- /dev/null
+
+"-Dcom.fortify.sca.fileextensions.sql=PLSQL"
+"C:\Users\mrl\Desktop\ssproject1617\testcms-final-anon"