v0.2.0
03/23/04
Checking the security of a MOD is time consuming and therefore saved until after the automated Validation techniques are performed. We don't want to do this step twice, so we'll do a pass/fail check now and we'll also determine the overall security score. Check the Securing MODs doc for specific details of how the exploits work.
Items to check
For the MOD script and for included PHP files, perform the checks listed. Use the Security Score Grading outline to assign a value to each step checked.
- Included PHP files - it's easiest to do all 4 checks on one file before moving to the next file.
- IN_PHPBB - search for IN_PHPBB, and grade appropriately
- $phpbb_root_path - search for it being defined and grade appropriately
- GET/POST vars - search for every instance of HTTP_ and grade appropriately
- SQL Injection check - search for every instance of $db->sql_query, check the SQL for exploits, and grade appropriately
- scoring - max score for this portion is an 8 out of 8; automatically assign an 8 if there are no included PHP files
- MOD Script
- GET/POST vars - search for every instance of HTTP_ and grade appropriately
- SQL Injection check - search for every instance of $db->sql_query, check the SQL for exploits, and grade appropriately
- scoring - max score for this portion is a 4 out of 4
The purpose of a perfect security score is two fold. First, it guarantees without doubt that known exploitation methods are clearly being blocked, no guessing involved. Second, the blocks are being setup in a standard way so that the MOD Team can rapidly perform Validation thereby increasing efficiency.
- IN_PHPBB
- fail - not defined in user facing file
- fail - not checked for in non-user facing file containing more than just functions
- 1 of 2 - not used, but in a file not needing it (we prefer it be used anyway)
- 1 of 2 - used but not appearing as first line(s) of non-commented code
- 2 of 2 - appears as the first non-commented line(s) in the file
- $phpbb_root_path
- fail - not used in a user facing file
- fail - used in a non-user facing file
- 1 of 2 - used but not one of the first non-commented lines in the file
- 2 of 2 - appears as one of the first non-commented lines in the file
- 2 of 2 - not needed and not used
- GET/POST variable validation
- fail - htmlspecialchars or intval (floatval, etc.) not used in the general vicinity of variable being assigned
- 1 of 2 - proper validation used, but not nice and neatly in the general vicinity of initial variable assignment
- 2 of 2 - proper validation is always performed in the immediate area of variable assignment
- 2 of 2 - GET/POST are not used
- SQL Injection prevention
- fail - doesn't replace \' with '' in SQL statements or immediately prior to them
- 1 of 2 - properly does replaces, but not always in the immediate area of the SQL statement
- 2 of 2 - properly does replaces, and are always done in the immediate area of the SQL statement
- 2 of 2 - does not perform any SQL
