Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
From Derbyshire/UK
Posts: 2076
I don't know exactly if this is required or not, but would it be an idea if we could get a full audit of the core?

By this I mean find a professional or someone with enough knowledge to go through the core and audit the code for security issues etc.

Would it be worthwhile?

It could be expensive, I know, but the cost could be justified providing it isn't going to break the bank, so to speak.

Just an idle thought on my part, but I thought it worthy of discussion.

Posted on: 2007/12/8 15:15


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
From in yur serps fukn up yur rankn
Posts: 214
Quote:
would it be worthwhile?


ABSOLUTELY!!!

Posted on: 2007/12/8 15:17
_________________
JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
From Derbyshire/UK
Posts: 2076
Just done a quick audit myself.

Well, I say quick, but it actually took me well over 2 hrs to complete, and that was only a very basic audit looking for 1 particular issue.

The issue I have dealt with today is to make sure that header redirects 'header() & redirect_header' are all exited properly with exit();

Not an issue for browsers etc., but if the pages were to be viewed via, say, telnet then it could become an issue, as telnet does not understand header functions, so essentially the header redirect is ignored and the rest of the page will be continued on. Exiting the script with exit(); after each redirect will prevent that from happening. It protects from those systems like telnet that don't understand the header redirect function.

Nothing tedious, just a simple check.

I'll continue with this as I go along. Obviously the more complex coding and vulnerabilities will be beyond my knowledge, but for those that I know about, I'll fix as I go.

Posted on: 2007/12/8 19:19
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
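The redirect-without-exit problem described in the post, as an added example that is not ImpressCMS code: the unsafe pattern beside a helper that terminates the request itself. Function names and the `/user.php` target are hypothetical.

```php
<?php
// Added example, not ImpressCMS code. Names here are hypothetical.

// Unsafe: header() only adds a Location header to the response PHP is still
// building. Execution continues, so whatever the rest of the page outputs is
// sent to any client that does not act on the redirect (a raw TCP/telnet
// session, curl without -L, a scripted client).
function redirectUnsafe(string $url): void
{
    header('Location: ' . $url, true, 302);
    // no exit() here: the caller keeps running and emits its page body
}

// Safe: the helper ends the request itself, so no caller can forget to.
function redirectAndExit(string $url): void
{
    header('Location: ' . $url, true, 302);
    exit();
}

// Caller: an access check in front of protected content.
function showAdminPage(bool $isAdmin): void
{
    if (!$isAdmin) {
        // With redirectUnsafe() the HTML below would still reach the client.
        redirectAndExit('/user.php');
    }
    echo '<h1>Admin panel</h1>'; // protected body, only sent to admins
}

// Check from the command line: `curl -i http://host/admin.php` (no -L) should
// show the 302 and Location header followed by an empty body.
showAdminPage(isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true);
```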


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
Posts: 4111
Yes, yes, yes!

There are many tools that may assist us in this effort
* http://phpsec.org/projects/phpsecinfo/index.html
* http://www.nessus.org/nessus/
* http://www.security-database.com/tool ... Scanner-1-2-added-to.html

I am not skilled enough in PHP or JS to spot vulnerabilities, so I can only start with tools like these.

Posted on: 2007/12/8 19:40
_________________
Steve
Twitter: @skenow
Facebook: Steve Kenow


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
From Montreal | Canada
Posts: 1539
Very nice initiative, Vaughan!

Keep up the good work!

And thanks for the links, Steve.

Posted on: 2007/12/9 3:38
_________________
Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
Posts: 226
Quote:
the pages were to be viewed via say telnet


Do you mean executing the scripts from the command line, as opposed to via HTTP?

I attended a one-day seminar on web applications security last year. I'll dig out my notes and post them.

Posted on: 2007/12/9 11:37


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
From Derbyshire/UK
Posts: 2076
Yes, Dave :) but I used telnet as just 1 example.

Thanks for the offer of your notes; any information that can help improve security is a bonus.

Posted on: 2007/12/9 19:20
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
Posts: 226
As promised, here are my notes:

Notes from SPI Dynamics workshop, Richmond, VA, 2007-04-17

This free workshop was obviously intended to encourage people to buy SPI Dynamics' web security products. But the presenter, Brett Sagenich (brett.sagenich AT spidynamics DOT com), was a security engineer, not a salesman, and he provided much information of general use. His point was that web applications present numerous potential security vulnerabilities. He demonstrated actual techniques used by attackers. The reason that he discussed these details is that while they can all be addressed by proper software design, this is very labor-intensive, while SPI Dynamics' tools perform automated detection for these vulnerabilities.

Specific vulnerabilities discussed:

1. Extraneous files such as readmes, documentation, old files
- Provides info to attackers
- Old versions of scripts may have unpatched security issues.

2. Unvalidated user input

3. Visible error messages
- May reveal information useful to attackers
- Software in use
- File system paths
- Variation in error messages in response to an attacker's input can guide him.

4. SQL injection
- iterative (trial and error)
- with error messages
- blind (based on displayed output or presence/absence of output)

5. Session hijacking
- Exploit spoofable session ID, customer ID, etc.

6. XSS (or CSS, cross-site scripting)


---

I can elaborate on some of these items, if there are questions. I know that "Unvalidated user input" is a problem often encountered with XOOPS.

---

By the way, here's a good reference I found on this topic: Open Web Application Security Project (OWASP) <http://owasp.org/>

Posted on: 2007/12/9 22:25


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
Posts: 3575

Posted on: 2007/12/10 1:24


Re: Auditing Code (security wise)
Home away from home
Joined:
2007/12/4 9:00
From Derbyshire/UK
Posts: 2076
Nice reading, very exhausting though.

Thanks for those, Dave & Dave.

With regards to the conversation I had with Dave last night, it is apparent that the exit(); after redirect_header() is not required, as the redirect_header function is already terminated with exit(); in the function itself. I'll remove the extra exit(); in a bit for consistency.

My next task will be to look at the mysql query statements, in particular making sure that all values in the sql query itself are quoted '' regardless of datatype; this includes alphanumeric values as well as integer values. This will help decrease SQLi attacks.

for example >


$uid = $_GET['uid'];
$pass = $_GET['pass'];
mysql_query("SELECT * FROM table WHERE uid=$uid AND pass='$pass'");


is very vulnerable (I am not ignoring sanitation here; the above is just an example of why quotes are necessary).

In the above, if a user provides a value of "1 OR 1=2" the query then becomes >


SELECT * FROM table WHERE uid=1 OR 1=2 AND pass=''


which means that an attacker could then retrieve an arbitrary row from the db bypassing the password itself.



I think it may be a good idea for me to keep using this thread to write down my intentions and explain the reasoning, and if anyone else would like to offer suggestions, it's a good place to keep this discussion in 1 place.

Posted on: 2007/12/10 11:04
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
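The unquoted query from the post beside two hardened forms, as an added example that is not ImpressCMS code. It assumes a mysqli connection `$db` established earlier and a hypothetical table `users` (uid INT, pass VARCHAR); the password is compared inside SQL only to mirror the post.

```php
<?php
// Added example, not ImpressCMS code. Assumes $db is an open mysqli connection
// and a hypothetical `users` table with uid and pass columns.

// Vulnerable: with $uid = "1 OR 1=2" the input rewrites the WHERE clause
// because the integer is interpolated without quotes or a type check.
function vulnerableSql(string $uid, string $pass): string
{
    return "SELECT * FROM users WHERE uid=$uid AND pass='$pass'";
}

// Hardened as the post proposes: every value quoted regardless of datatype,
// escaped so a quote in the input cannot close the literal, and the integer
// additionally cast so only a number ever reaches the query.
function quotedSql(mysqli $db, string $uid, string $pass): string
{
    $uidSafe  = (int) $uid;                      // "1 OR 1=2" collapses to 1
    $passSafe = $db->real_escape_string($pass);  // a stray ' becomes \'
    return "SELECT * FROM users WHERE uid='$uidSafe' AND pass='$passSafe'";
}

// Preferred: a prepared statement keeps the values out of the SQL text
// entirely, so quoting mistakes cannot occur.
function findUser(mysqli $db, string $uid, string $pass): ?array
{
    $uidInt = (int) $uid;
    $stmt = $db->prepare('SELECT * FROM users WHERE uid=? AND pass=?');
    $stmt->bind_param('is', $uidInt, $pass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed input: the case discussed in the post. Compare the two query
// strings to see the clause change in the first and the cast in the second.
$attackerUid = '1 OR 1=2';
echo vulnerableSql($attackerUid, ''), "\n";
if (isset($db)) {
    echo quotedSql($db, $attackerUid, ''), "\n";
}
```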
