From: Daan Sprenkels Date: Mon, 7 Nov 2016 14:35:33 +0000 (+0100) Subject: Merge branch 'master' of gitlab.science.ru.nl:mlubbers/ssproject1617 into dsprenkels... X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=f67157c455b6d2362bc3969f55b0f862de0373fd;hp=de7278874a8556b0f02c78d63345864e8b47b7d5;p=ssproject1617.git Merge branch 'master' of gitlab.science.ru.nl:mlubbers/ssproject1617 into dsprenkels/authentication --- diff --git a/report/authentication/checklist.md b/report/authentication/checklist.md new file mode 100644 index 0000000..1f3971c --- /dev/null +++ b/report/authentication/checklist.md @@ -0,0 +1,66 @@ +# Authentication + +## 2.1 Verify that all private pages are indeed private +All admin pages are private. Unpublished posts are also private. + +However, the install submission page does not do any authentication at all, +allowing any user to reset the database and claim an admin account. + +User pages can be viewed and submitted by any authenticated user. + +## 2.2 +## 2.3 +## 2.4 +## 2.5 +## 2.6 +## 2.7 +## 2.8 +## 2.9 +Changing a user's password does not require the original password. + +## 2.10 +## 2.11 +## 2.12 + +## 2.13 Password storage security +Password are stored in database using the PHP function `crypt`. Internally, this +functions uses salted MD5. This is way too easy to brute-force. + +Instead use `argon2` or the `password_hash` function. + +## 2.14 +## 2.15 + +## 2.16 +The app allows admin users to log in over HTTP. This is insecure. Force HTTPS +for the admin_controller and for the installation script. + +## 2.17 +## 2.18 +## 2.19 + +## 2.20 +No anti-automation measures are deployed. + +Needed for email validation, installation database check, login, comment +submissions, etc. + +## 2.21 +## 2.22 +## 2.23 +## 2.24 +## 2.25 +## 2.26 +## 2.27 +## 2.28 +## 2.29 +## 2.30 +## 2.31 +## 2.32 +## 2.33 + +## Other +- `Users::find` is vulnerable to SQL injection. +- The default admin password is generated using a Mersenne Twister, which is + not cryptographically secure. +- Verification of hash equality in login is not done in constant time.