[Doc] Security Checks and Security Score

This forum is now closed as part of retiring phpBB2.
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

This forum is now closed due to phpBB2.0 being retired.
Post Reply
User avatar
Nuttzy99
Former Team Member
Posts: 4917
Joined: Fri Aug 03, 2001 7:09 am
Location: the 11th dimension
Contact:

[Doc] Security Checks and Security Score

Post by Nuttzy99 » Tue Mar 23, 2004 9:04 pm

Security Checks and Security Score
v0.2.0
03/23/04

Checking the security of a MOD is time consuming and therefore saved until after the automated Validation techniques are performed. We don't want to do this step twice, so we'll do a pass/fail check now and we'll also determine the overall security score. Check the Securing MODs doc for specific details of how the exploits work.

Items to check
For the MOD script and for included PHP files, perform the checks listed. Use the Security Score Grading outline to assign a value to each step checked.
  • Included PHP files - it's easiest to do all 4 checks on one file before moving to the next file.
    • IN_PHPBB - search for IN_PHPBB, and grade appropriately
    • $phpbb_root_path - search for it being defined and grade appropriately
    • GET/POST vars - search for every instance of HTTP_ and grade appropriately
    • SQL Injection check - search for every instance of $db->sql_query, check the SQL for exploits, and grade appropriately
    • scoring - max score for this portion is an 8 out of 8; automatically assign an 8 if there are no included PHP files
  • MOD Script
    • GET/POST vars - search for every instance of HTTP_ and grade appropriately
    • SQL Injection check - search for every instance of $db->sql_query, check the SQL for exploits, and grade appropriately
    • scoring - max score for this portion is a 4 out of 4
Security Score Grading
The purpose of a perfect security score is two fold. First, it guarantees without doubt that known exploitation methods are clearly being blocked, no guessing involved. Second, the blocks are being setup in a standard way so that the MOD Team can rapidly perform Validation thereby increasing efficiency.
  1. IN_PHPBB
    1. fail - not defined in user facing file
    2. fail - not checked for in non-user facing file containing more than just functions
    3. 1 of 2 - not used, but in a file not needing it (we prefer it be used anyway)
    4. 1 of 2 - used but not appearing as first line(s) of non-commented code
    5. 2 of 2 - appears as the first non-commented line(s) in the file
  2. $phpbb_root_path
    1. fail - not used in a user facing file
    2. fail - used in a non-user facing file
    3. 1 of 2 - used but not one of the first non-commented lines in the file
    4. 2 of 2 - appears as one of the first non-commented lines in the file
    5. 2 of 2 - not needed and not used
  3. GET/POST variable validation
    1. fail - htmlspecialchars or intval (floatval, etc.) not used in the general vicinity of variable being assigned
    2. 1 of 2 - proper validation used, but not nice and neatly in the general vicinity of initial variable assignment
    3. 2 of 2 - proper validation is always performed in the immediate area of variable assignment
    4. 2 of 2 - GET/POST are not used
  4. SQL Injection prevention
    1. fail - doesn't replace \' with '' in SQL statements or immediately prior to them
    2. 1 of 2 - properly does replaces, but not always in the immediate area of the SQL statement
    3. 2 of 2 - properly does replaces, and are always done in the immediate area of the SQL statement
    4. 2 of 2 - does not perform any SQL
Last edited by Nuttzy99 on Tue Mar 23, 2004 9:10 pm, edited 2 times in total.
SpellingCow.com - Free spell check service for your forums or any web form!
No Support via PM please!

User avatar
wGEric
Former Team Member
Posts: 8805
Joined: Sun Oct 13, 2002 3:01 am
Location: Friday
Name: Eric Faerber
Contact:

Post by wGEric » Mon Aug 16, 2004 5:58 pm

Releasing to public.

These are what we check for in your MOD security wise. Also how we score your MODs security level (we haven't started to use this yet).
Eric

User avatar
jeevan25
Registered User
Posts: 388
Joined: Thu Dec 30, 2004 2:45 am

Post by jeevan25 » Mon Nov 07, 2005 3:02 am

this will be helpful to releasers and validators.

Post Reply

Return to “[2.0.x] MOD Writers Discussion”

Who is online

Users browsing this forum: No registered users and 5 guests