From 54ea3677b55a7ee4903daa4a6b32ae0fea5eaf91 Mon Sep 17 00:00:00 2001 From: Daan Sprenkels Date: Sun, 16 Oct 2016 19:26:44 +0200 Subject: [PATCH] Authentication work in progress --- report/authentication/checklist.md | 66 ++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 report/authentication/checklist.md diff --git a/report/authentication/checklist.md b/report/authentication/checklist.md new file mode 100644 index 0000000..1f3971c --- /dev/null +++ b/report/authentication/checklist.md @@ -0,0 +1,66 @@ +# Authentication + +## 2.1 Verify that all private pages are indeed private +All admin pages are private. Unpublished posts are also private. + +However, the install submission page does not do any authentication at all, +allowing any user to reset the database and claim an admin account. + +User pages can be viewed and submitted by any authenticated user. + +## 2.2 +## 2.3 +## 2.4 +## 2.5 +## 2.6 +## 2.7 +## 2.8 +## 2.9 +Changing a user's password does not require the original password. + +## 2.10 +## 2.11 +## 2.12 + +## 2.13 Password storage security +Password are stored in database using the PHP function `crypt`. Internally, this +functions uses salted MD5. This is way too easy to brute-force. + +Instead use `argon2` or the `password_hash` function. + +## 2.14 +## 2.15 + +## 2.16 +The app allows admin users to log in over HTTP. This is insecure. Force HTTPS +for the admin_controller and for the installation script. + +## 2.17 +## 2.18 +## 2.19 + +## 2.20 +No anti-automation measures are deployed. + +Needed for email validation, installation database check, login, comment +submissions, etc. + +## 2.21 +## 2.22 +## 2.23 +## 2.24 +## 2.25 +## 2.26 +## 2.27 +## 2.28 +## 2.29 +## 2.30 +## 2.31 +## 2.32 +## 2.33 + +## Other +- `Users::find` is vulnerable to SQL injection. +- The default admin password is generated using a Mersenne Twister, which is + not cryptographically secure. +- Verification of hash equality in login is not done in constant time. -- 2.20.1