security audit
during the hackweek, I will conduct a security audit of the code
goal
- having fs.de free of SQL Injections
- having fs.de free of remote code executions
- having fs.de free of path traversal attacks
- reducing the amount of XSS vectors
- hardening further security concepts (like tokens)
result
critical
- SQL Injection in FoodsaverGateway::xhrGetFoodsaver() !687 (merged)
- SQL Injection in GeoCleanXhr::masterupdate() !712 (merged)
- SQL Injection in BellGateway::setBellsAsSeen() !712 (merged)
- SQL Injection in MessageModel::getBetriebname() !712 (merged)
- SQL Injection in MessageModel::getChatMembers() !712 (merged)
- SQL Injection in MessageModel::addConversation() !712 (merged)
- SQL Injection in MessageModel::loadConversationMessages() !712 (merged)
- SQL Injection in QuizModel::getExistingSession() !712 (merged)
- SQL Injection in SettingsModel::logChangedSetting() !712 (merged)
- SQL Injection in WorkGroupModel::updateTeam() !712 (merged)
high
- No Authorization in xhr.php?f=saveBezirk allows editing ambassadors !714 (merged)
- CSRF with /?page=foodsaver&deleteaccount !717 (merged)
- CSRF with /?page=region&delete !719 (merged)
- CSRF with /?page=settings&deleteaccount !717 (merged)
- CSRF everywhere !715 (merged) #475 (closed)
- very low entropy for token in LoginModel::addPassRequest() !709 (merged)
medium
- path traversal with Func::resizeImg() !723 (merged)
- reflected XSS in xhrapp.php?app=basket&m=anwser !722 (merged)
- no Authorization in xhrapp.php?app=basket&m=editBasket !733 (merged)
- path traversal in ?page=email !723 (merged)
- improper authorization in xhrapp.php?app=foodsaver !731 (merged)
- no restriction to own regions in ?page=betrieb !736 (merged)
- improper authorization in xhrapp.php?app=geoclean !731 (merged)
- improper authorization in xhrapp.php?app=mailbox !731 (merged)
- reflected XSS in /?page=blog&sub=(add|edit) within v_activeSwitcher() !722 (merged)
- low entropy for token in LoginModel::insertNewUser() !709 (merged)
- no folder ownership check in xhrapp.php?app=mailbox&m=move (matthias: invalid)
- improper authorization in xhrapp.php?app=wallpost&m=delpost !733 (merged)
- no authorization in xhrapp.php?app=wallpost&m=update !733 (merged)
- no authorization in xhrapp.php?app=wallpost&m=quickreply !733 (merged)
- reflected XSS in xhrapp.php?app=quiz&m=next !722 (merged)
- reflected XSS in xhrapp.php?app=geoclean&m=updateGeo !722 (merged)
- reflected XSS in /?page=quiz&sub=wall !722 (merged)
- stored XSS in /?page=report&sub=listReports !722 (merged)
- stored XSS in xhrapp.php?app=report&m=loadReport !722 (merged)
- CSRF in xhrapp.php?app=betrieb&m=signout !715 (merged)
- no authorization on searchindex files !727 (merged)
low
- No Authorization in xhrapp.php?app=groups&m=addtogroup !713 (merged)
- possible path traversal with Func::img() !723 (merged)
- possible Stored XSS in xhrapp.php?app=message&m=people !722 (merged)
- no authorization in xhrapp.php?app=groups&m=sendtogroup !740 (merged)
- CSRF in xhr.php?f=grabInfo !715 (merged)
- improper authorization in xhr.php?f=addPinPost !740 (merged)
- improper authorization in xhr.php?f=update_abholen !740 (merged)
- no authorization in xhr.php?f=addPhoto !740 (merged)
- path traversal in xhr.php?f=pictureCrop !723 (merged)
- path traversal with LoginXhr::resizeAvatar() !723 (merged)
- path traversal with XhrMethods::pictureResize() !723 (merged)
- potential path traversal in xhr.php?f=uploadPhoto !723 (merged)
- no authorization in xhr.php?f=getBezirk !740 (merged)
- improper authorization in xhr.php?f=acceptRequest !740 (merged)
- improper authorization in xhr.php?f=warteRequest !740 (merged)
- no authorization in xhr.php?f=betriebRequest !740 (merged)
- improper authorization in xhr.php?f=addFetcher !740 (merged)
- improper authorization in xhrapp.php?app=event !740 (merged)
- no authorization in /?page=fairteiler&sub=addFt
- password length limited in LoginXhr::joinValidate() !740 (merged)
- potential stored XSS in LoginXhr::joinValidate() !722 (merged)
- no authorization in xhrapp.php?app=wallpost&m=attachimage !740 (merged)
- low entropy for token in xhrapp.php?app=settings&m=changemail2 !709 (merged)
- no sandboxing of email iframes in MailboxView::message() !740 (merged)
- no authorization in xhrapp.php?app=betrieb&m=savedate !740 (merged)
- no authorization in xhrapp.php?app=betrieb&m=deldate !740 (merged)
- no recipient restriction in xhrapp.php?app=team&m=contact !740 (merged)
- 9 further low priority ones undisclosed in #489