\begin{enumerate}[label=(\Alph*)]
\item 50 cases of \XSS{} vurnerabilities, all labeled \textbf{critical}, because none of the \CMS{}'s forms include nonces / protection against \XSS{} is indeed missing.
\item \textbf{Password management}. In a user password reset form in \code{reset.php}, if the resetting fails, the password the user just entered reappears in the password field. This is not a database-retrieved password, and hence not actually as \textbf{critical} as Fortify labels it, but of course bad practice nonetheless.
- \item In the \textbf{privact violation} category, Fortify found errors and warnings printed back to the browser, and labelled it \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier.
+ \item In the \textbf{privacy violation} category, Fortify found errors and warnings printed back to the browser, and labelled it \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier.
\item \textbf{\SQL{} injection} attacks are possible on the installer script, labelled \textbf{critical}. Yet again: the installer script.
\item \textbf{Cookie security}: the \code{HttpOnly} header is not set, labelled \textbf{high}.
\item \textbf{Privacy violation}: \HTML{} forms don't disable autocompletion. Labelled \textbf{high}. However, autocompletion of \HTML{} forms by means of the \code{autocompletion="none"} attribute notoriously doesn't really work. The larger problem is that the post/redirect/get pattern is not followed, as stated above at our analysis of OWASP requirement (9.1).
\begin{table}[th!]
\centering
%\renewcommand{\arraystretch}{1}
-\begin{tabular}{@{}lllllllllll@{}}
+\begin{tabular}{@{}llllllllll@{}}
\toprule
\# &
\textbf{V2} &
\textbf{V3} &
\textbf{V4} &
-\textbf{V5} &
+\textbf{V5 (6)} &
\textbf{V7} &
\textbf{V8} &
\textbf{V9} &
-\textbf{V12} &
-\textbf{V17} \\
+\textbf{V11} \\
\midrule
-% V2 V3 V4 V5 V7 V8 V9 V12 V17
- 1 & \X & \p & \p & \p & & \X & \F{B}\X & \X & \TODO \\
- 2 & \F{B}\p & \p & & & \p & \p & & \p & \TODO \\
- 3 & & \X & & \X & & \X & \p & & \TODO \\
- 4 & \p & & \p & & & \X & \X & \X & \TODO \\
- 5 & & \p & \p & \p & & \p & \p & \p & \TODO \\
- 6 & \X & \p & & & & \p & & \X & \TODO \\
- 7 & \p & \X & & & \TODO & \p & \p & \X & \TODO \\
- 8 & \p & & \p & & & & & \X & \\
- 9 & \X & \p & \X & & & & \p & & \TODO \\
-10 & & \X & \p & \X & & \X & \p & & \TODO \\
-11 & & \p & & \p & & & \p & & \TODO \\
-12 & \X & \X & \X & \p & & & & & \\
-13 & \X & \X & \F{A}\X & \p & & \X & & & \\
-14 & & & \X & \p & & & & & \\
-15 & & & \X & \X & & & & & \\
-16 & \X & & \X & \p & & & & & \\
-17 & \p & & & \p & & & & & \\
-18 & \X & & & \X & & & & & \\
-19 & \p & & & \X & & & & & \\
-20 & \X & & & \p & & & & & \\
-21 & \X & & & \p & & & & & \\
-22 & \p & & & \X & & & & & \\
-23 & & & & \X & & & & & \\
-24 & & & & \p & & & & & \\
-25 & \X & & & \p & & & & & \\
-26 & & & & \p & & & & & \\
-27 & \X & & & & & & & & \\
-28 & \X & & & & & & & & \\
-29 & \X & & & & & & & & \\
-30 & & & & & & & & & \\
-31 & & & & & & & & & \\
-32 & \X & & & & & & & & \\
-33 & \p & & & & & & & & \\
+% V2 V3 V4 V5 V7 V8 V9 V11
+ 1 & \X & \p & \p & \p & & \X & \F{B}\X & \X \\
+ 2 & \F{B}\p & \p & & & \p & \p & & \p \\
+ 3 & & \X & & \X & & \X & \p & \\
+ 4 & \p & & \p & & & \X & \X & \X \\
+ 5 & & \p & \p & \p & & \p & \p & \p \\
+ 6 & \X & \p & & & \X & \p & & \X \\
+ 7 & \p & \X & & & \p & \p & \p & \X \\
+ 8 & \p & & \p & & & & & \X \\
+ 9 & \X & \p & \X & & \p & & \p & \\
+10 & & \X & \p & \X & & \X & \p & \\
+11 & & \p & & \p & & & \p & \\
+12 & \X & \X & \X & \p & \X & & & \\
+13 & \X & \X & \F{A}\X & \p & \X & \X & & \\
+14 & & & \X & \p & \p & & & \\
+15 & & & \X & \X & & & & \\
+16 & \X & & \X & \p & & & & \\
+17 & \p & & & \p & & & & \\
+18 & \X & & & \X & & & & \\
+19 & \p & & & \X & & & & \\
+20 & \X & & & \p & & & & \\
+21 & \X & & & \p & & & & \\
+22 & \p & & & \X & & & & \\
+23 & & & & \X & & & & \\
+24 & & & & \p & & & & \\
+25 & \X & & & \p & & & & \\
+26 & & & & \p & & & & \\
+27 & \X & & & & & & & \\
+28 & \X & & & & & & & \\
+29 & \X & & & & & & & \\
+30 & & & & & & & & \\
+31 & & & & & & & & \\
+32 & \X & & & & & & & \\
+33 & \p & & & & & & & \\
\bottomrule
\end{tabular}
\caption{Summary of our results. Fortify's findings are outlined and labelled, see our analysis above.}
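Review bot: the new column spec `\begin{tabular}{@{}llllllllll@{}}` still declares one column more than the header row uses (ten `l`s for nine cells, `#` through `V11`), so the right-hand `@{}` suppresses padding on a phantom column and the table keeps unwanted space on the right; it should read `{@{}lllllllll@{}}` now that the V17 column is gone. The relabelled header `\textbf{V5 (6)}` introduces a parenthesised 6 that nothing else in the hunk explains, and the column formerly headed `V12` becomes `V11` with identical cell contents while `V17` (all `\TODO`) disappears; a short note in the caption or in the analysis text stating that V6 is folded into V5, which requirement set the V11 column actually covers, and why V17 is out of scope would keep the summary self-explanatory. The V7 column also gains marks in rows 6, 9, 12, 13 and 14 and turns row 7's `\TODO` into `\p`; confirm these are newly assessed results and not cells shifted by the column removal. While touching this region, the unchanged context has two small defects worth fixing: "vurnerabilities" in item (A), and `autocompletion="none"` in the privacy-violation item, where the actual HTML attribute is `autocomplete="off"`.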