From: charlie Date: Wed, 16 Nov 2016 12:03:35 +0000 (+0100) Subject: Merge branch 'master' of https://gitlab.science.ru.nl/mlubbers/ssproject1617 X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=b52c24b2c26384817d042703a46eee317a85535e;hp=b1802bee3cefce2caf32527f7c19cc40649735c0;p=ssproject1617.git Merge branch 'master' of https://gitlab.science.ru.nl/mlubbers/ssproject1617 --- diff --git a/report/report.tex b/report/report.tex index a131312..63f0c6d 100644 --- a/report/report.tex +++ b/report/report.tex @@ -51,10 +51,6 @@ \subsection{\HTTP{} Security} \input{v11_httpsec.tex} - \addtocounter{subsection}{4} - \subsection{Files and Recourses} - TODO - \renewcommand\thesubsection{\arabic{section}.\arabic{subsection}} diff --git a/report/v11_httpsec.tex b/report/v11_httpsec.tex index 186dccb..1b0cc4f 100644 --- a/report/v11_httpsec.tex +++ b/report/v11_httpsec.tex @@ -18,7 +18,7 @@ Verify that every \HTTP{} response contains a content type header specifying a safe character set (e.g., \emph{UTF-8}, \emph{ISO 8859{-}1}). \begin{result} - Content type headers may be set anywhere in the application. Furthermure, + Content type headers may be set anywhere in the application. Furthermure,\\ \code{Response::send} ensures that if no content type header is set, all responses will fall back to using \code{text/html; charset=UTF-8}. \end{result} diff --git a/report/v2_authentication.tex b/report/v2_authentication.tex index ea7cbe5..69d1d00 100644 --- a/report/v2_authentication.tex +++ b/report/v2_authentication.tex 
@@ -221,8 +221,8 @@ stored in a protected location. However, the installation instructions state the following: \begin{verbatim} -Change the file permissions to allow all users write access to the folder -you extracted testcms to. +Change the file permissions to allow all users write access to the +folder you extracted testcms to. \end{verbatim} This implies making the configuration file readable for all users on the system. This information should not be accessible for any user other than diff --git a/report/v7_cryptography.tex b/report/v7_cryptography.tex index 4d32911..b7bef87 100644 --- a/report/v7_cryptography.tex +++ b/report/v7_cryptography.tex @@ -22,11 +22,12 @@ } \item + \fail{} Verify that cryptographic algorithms used by the application have been validated against FIPS 140{-}2 or an equivalent standard. \begin{result} - The application uses MD5 for password hashing, which should be insecure by - now. + The application uses MD5 for password hashing, which is insecure by current + standards \end{result} \notapplicable{ diff --git a/report/v8_error.tex b/report/v8_error.tex index 200fd44..3559c50 100644 --- a/report/v8_error.tex +++ b/report/v8_error.tex @@ -27,7 +27,7 @@ \begin{result} Failed login attempts or password resets are not logged at all. - Only actual crashes/unrecoverable errors are logged. + Only actual crashes or unrecoverable errors are logged. Failed/unauthorized installation attempts won't get logged either. \end{result} diff --git a/report/v9_data.tex b/report/v9_data.tex index d43c21e..0e4e2f5 100644 --- a/report/v9_data.tex +++ b/report/v9_data.tex @@ -71,7 +71,7 @@ Vacuously: data is not stored on the client side. \end{result} - \item\pass{} Verify accessing sensitive data is logged, if the data is + \item\fail{} Verify accessing sensitive data is logged, if the data is collected under relevant data protection directives or where logging of accesses is required. 
@@ -84,7 +84,7 @@ to mitigate memory dumping attacks. \begin{result} - I consider this outside of the scope of the \CMS{}'s security requirements, as it is written in, and thus relies on the (memory) security of, \PHP{}. + We consider this outside of the scope of the \CMS{}'s security requirements, as it is written in, and thus relies on the (memory) security of, \PHP{}. \end{result} \end{enumerate}
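Review bot: in the report/report.tex hunk, deleting the `\addtocounter{subsection}{4}` line together with the "Files and Recourses" stub also removes the counter bump that kept the subsection numbers aligned with the verification chapter numbers, so the `\renewcommand\thesubsection{...}` that follows now numbers the remaining subsections consecutively; check the rendered numbering after this change. If the "Files and Resources" chapter is intentionally not assessed, it is better to keep a short subsection that says so (and fix the "Recourses" spelling) than to drop it silently, since a reader of the report cannot otherwise tell whether the chapter was skipped or forgotten.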
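Review bot: in the report/v11_httpsec.tex hunk, the line being edited still contains the typo "Furthermure", which should become "Furthermore," while it is being touched. The appended `\\` is a hard line break inside a paragraph, presumably to stop `\code{Response::send}` from overflowing the margin; this will leave a ragged line if the surrounding text changes again, so prefer to let the paragraph reflow (for example by allowing a break before the `\code{}` argument) rather than forcing a break at a fixed word.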
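Review bot: in the report/v2_authentication.tex hunk, the quoted installation instruction asks for write access for all users to the extracted folder, but the sentence after the verbatim block only draws the conclusion that the configuration file becomes readable for all users on the system. World-writable permissions are the stronger problem: any local user can also modify the configuration and the application files, not just read them, so the result text should state the integrity consequence as well as the confidentiality one. Note also that reflowing a `verbatim` block changes the line breaks of what is presented as a literal quotation; if the exact wording of the instructions matters, quote it unchanged or use a wrapping quote environment instead.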
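Review bot: in the report/v7_cryptography.tex hunk, the rewritten result sentence ends with "by current standards" and no full stop before `\end{result}`; add the period. Adding `\fail{}` is the right call for this item, and the result would be stronger if it said why: MD5 is not a FIPS 140-2 approved algorithm, and it is a fast general-purpose hash rather than a password hashing function, which is what makes it unsuitable for storing passwords regardless of the standard.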
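Review bot: in the report/v8_error.tex hunk, "crashes/unrecoverable errors" is expanded to "crashes or unrecoverable errors", but the very next context line keeps the same slash style in "Failed/unauthorized installation attempts won't get logged either." For consistency change that line too, to "Failed or unauthorized installation attempts are not logged either", which also removes the contraction.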
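Review bot: in the first report/v9_data.tex hunk, flipping the sensitive-data-access item from `\pass{}` to `\fail{}` is consistent with the v8 finding in this same commit that only crashes or unrecoverable errors are logged, but the hunk does not show the `result` block for this item being updated. Make sure that block now states that no access logging exists and which data the report treats as sensitive, otherwise the marker and the justification beneath it will disagree.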
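Review bot: in the second report/v9_data.tex hunk, changing "I consider" to "We consider" is a welcome voice fix for a co-authored report; while editing this sentence, "outside of the scope" reads more naturally as "outside the scope", and the result should point at the `\notapplicable{}` marker on the item (not visible in this hunk) so that the scoping decision and the item's status are stated in one place.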