From be9ba2c694a92558b710fcf7bd2858558466741a Mon Sep 17 00:00:00 2001 From: charlie Date: Fri, 11 Nov 2016 20:11:01 +0100 Subject: [PATCH] Verdict description inserted. --- report/v8_error.tex | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/report/v8_error.tex b/report/v8_error.tex index d61dcef..58e782a 100644 --- a/report/v8_error.tex +++ b/report/v8_error.tex @@ -1,5 +1,5 @@ \begin{enumerate}[label={8.\arabic*}] - \item\pass{} Verify that the application does not output error + \item\fail{} Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, @@ -7,12 +7,17 @@ information. \begin{result} + Disabled by default but there is no way to enable error logging + without outputting detailed error information. \emph{PDOException::getMessage} + is directly logged to the specified logging target (user or logfile). \end{result} \item\pass{} Verify that error handling logic in security controls denies access by default. \begin{result} + The limited number of errors actually handled do block access. + The software passes this check, this however is a side effect of limited error handling. \end{result} \item\pass{} Verify security logging controls provide the ability @@ -21,6 +26,9 @@ are identified as security-relevant. \begin{result} + Failed login attempts or password resets are not logged at all. + Only actual crashes/unrecoverable errors are logged. + Failed/unauthorized installation attempts won't get logged either. \end{result} \item\pass{} Verify that each log event includes necessary @@ -29,6 +37,8 @@ happens. \begin{result} + Log information is very minimal and doesn't include the date and time unless it's part of the exception message. + Only information available regarding the moment an error occoured is the date used as the log filename. \end{result} \item\pass{} Verify that all @@ -37,12 +47,17 @@ viewing software. \begin{result} + Plaintext logfiles are used and if any data injected into the logfile ends up being executed this would be a security flaw of the text editor used as a viewer. \end{result} \item\pass{} Verify that security logs are protected from unauthorized access and modification. \begin{result} + There is a htaccess which is supposed to block access to the log files. + Blocking access to the logs depends on the server configuration + because the log files are part of the main program directory. + Clear documentation which warns users about this behavior is missing. \end{result} \item\pass{} Verify that the application does not log @@ -56,6 +71,10 @@ I tokens. \begin{result} + The application itself does not log any usernames/passwords. + \emph{PDOException}'s end up in the log files however, the database driver implementation + could append sensitive data to the exception message. + Documentation suggesting users should verify that the database driver they end up using doesn't include sensitive data in exception messages is absent. \end{result} \item\pass{} Verify that all non-printable symbols and field @@ -74,6 +93,9 @@ \item\pass{} Verify that an audit log or similar allows for non-repudiation of key transactions. \begin{result} + Failed login attempts, password reset, login/logout... are not logged at all. + It's not possible to retreive the IP address from which a password reset has been issued. + Only potential requests are logged even before it's verified such an action exists. \end{result} \item\pass{} Verify that security logs have some form of @@ -95,5 +117,7 @@ logs have the correct time. \begin{result} + Time information is not inserted into log messages. + The actual log files however are named after the current system date, this gives a precision of 24 hours. \end{result} \end{enumerate} \ No newline at end of file -- 2.20.1