Closed captain118 closed 2 years ago
agentphoenix
commented
4 years ago @captain118 We don't have any CSP rules currently. If there are specific changes that should be made to the codebase to allow for better CSP rules, let me know what they are and we can discuss if it's viable for Nova 2.
captain118
commented
4 years ago I'm not an expert by any means when it comes to CSP rules and I've only done a bit of PHP but I'll see if I can figure out what is requiring these unsafe directives. In the mean time, try scanning any server that is hosting nova using the Mozilla observatory (https://observatory.mozilla.org/). The observatory will help you create .htaccess files to better secure your sites from things like cross site scripting. Then to better track problems you can use something like report-uri.com. If you would like I a private channel I'll send you what I have for an htaccess file for apache that works with nova. The best I have been able to get it so far is a B+ which is pretty good but still has a little ways to go.
captain118
commented
4 years ago One thing that came up during my scans is Nova 2 uses jQuery@1.8.2 and there are several vulnerabilities posted for jquery 1.8.2. https://snyk.io/test/npm/jquery/1.8.2 But I'm pretty sure this isn't actually related to the CSP security settings
captain118
commented
4 years ago The vulnerability scanner that I ran reported these issues below.
All of them are related to CSP. The ones that are labeled as xss and eval are the ones that I think are most related to the CSP rules (though there are some inline scripts that I think effect it as well).
I did review most of the code associated with the listed vulnerabilities and tried to determine which ones were likely false positives. Like I said I'm fairly new at this so forgive me if I didn't catch some. I also started looking at the more secure alternative methods, to see if I could update the code myself but thats going to take some time. Until I can assist with patches, I thought it might be useful to have this available to you.
If you would find it useful I can pull version 3 and run the vuln scanner on it as well.
Suspected True Positives:
1.
{
"source_name": [
"$return_preg_replace"
],
"source_line": [
830
],
"source_column": [
19638
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Loader.php"
],
"sink_name": "eval",
"sink_line": 830,
"sink_column": 19638,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Loader.php",
"vuln_name": "eval code_injection",
"vuln_cwe": "CWE_95",
"vuln_id": "09d934434658cf20529e6f515c270e98dd20251345ec1835a0181231d5a6c5a0",
"vuln_type": "taint-style"
}
2.
{
"source_name": [
"$return_eval"
],
"source_line": [
830
],
"source_column": [
19638
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Loader.php"
],
"sink_name": "echo",
"sink_line": 830,
"sink_column": 19638,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Loader.php",
"vuln_name": "xss",
"vuln_cwe": "CWE_79",
"vuln_id": "eb66eec4eedffb4763379e971824040ebd6f8c93b5c250d66f9d44738bf687d5",
"vuln_type": "taint-style"
}
3.
{
"source_name": [
"$return_preg_replace"
],
"source_line": [
830
],
"source_column": [
19638
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core"
],
"sink_name": "eval",
"sink_line": 830,
"sink_column": 19638,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Loader.php",
"vuln_name": "eval code_injection",
"vuln_cwe": "CWE_95",
"vuln_id": "72cbd1829d74d8cf35171ccfc741d9f6871ab1062f533970046360c312ac9c10",
"vuln_type": "taint-style"
}
4.
{
"source_name": [
"$return_eval"
],
"source_line": [
830
],
"source_column": [
19638
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core"
],
"sink_name": "echo",
"sink_line": 830,
"sink_column": 19638,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Loader.php",
"vuln_name": "xss",
"vuln_cwe": "CWE_79",
"vuln_id": "9268b783ccdc1071e494cd65a7ff843ed24843de2066c6e09e0334d396b53d3f",
"vuln_type": "taint-style"
}
5.
{
"source_name": [
"$output"
],
"source_line": [
462
],
"source_column": [
10541
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php"
],
"sink_name": "fwrite",
"sink_line": 491,
"sink_column": 11217,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php",
"vuln_name": "idor",
"vuln_cwe": "CWE_862",
"vuln_id": "5c9342b50f407b6451aee54ea3388d585d4ac516d558053597c67de539b8e3b4",
"vuln_type": "taint-style"
}
6.
{
"source_name": [
"$output",
"$output"
],
"source_line": [
368,
325
],
"source_column": [
8063,
6645
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php",
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php"
],
"sink_name": "echo",
"sink_line": 403,
"sink_column": 9002,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php",
"vuln_name": "xss",
"vuln_cwe": "CWE_79",
"vuln_id": "2d1c49300e511f718b830e369a1680360180ac6b8f0a90990a733a68627e8a61",
"vuln_type": "taint-style"
}
7.
{
"source_name": [
"$output",
"$output",
"$output",
"$output"
],
"source_line": [
428,
432,
368,
325
],
"source_column": [
9816,
9867,
8063,
6645
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php",
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php",
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php",
"\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php"
],
"sink_name": "echo",
"sink_line": 446,
"sink_column": 10191,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Output.php",
"vuln_name": "xss",
"vuln_cwe": "CWE_79",
"vuln_id": "8e10109be4c04b968f8280f8792a42db6268d3e3bb68eedecce39959426acf4e",
"vuln_type": "taint-style"
}
8.
{
"source_name": [
"$row->user_data"
],
"source_line": [
345
],
"source_column": [
6362
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/modules\/core\/models\/nova_users_model.php"
],
"sink_name": "unserialize",
"sink_line": 345,
"sink_column": 6362,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/modules\/core\/models\/nova_users_model.php",
"vuln_name": "code_injection",
"vuln_cwe": "CWE_95",
"vuln_id": "2a9d986d9a03ae4186126b1fe129cf8bfd913acbce888825b8c3bb4938684933",
"vuln_type": "taint-style"
},
9.
{
"source_name": [
"$fread_return"
],
"source_line": [
223
],
"source_column": [
6364
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/modules\/swiftmailer\/classes\/Swift\/ByteStream\/FileByteStream.php"
],
"sink_name": "fwrite",
"sink_line": 223,
"sink_column": 6364,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/modules\/swiftmailer\/classes\/Swift\/ByteStream\/FileByteStream.php",
"vuln_name": "idor",
"vuln_cwe": "CWE_862",
"vuln_id": "2a022dba864afe6ee017dce042bdf47dec7de38cc32eaa6bcbcb5a43d3598f99",
"vuln_type": "taint-style"
},
10.
{
"source_name": [
"$file_get_contents_return"
],
"source_line": [
167
],
"source_column": [
4435
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/modules\/swiftmailer\/classes\/Swift\/FileSpool.php"
],
"sink_name": "unserialize",
"sink_line": 167,
"sink_column": 4435,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/modules\/swiftmailer\/classes\/Swift\/FileSpool.php",
"vuln_name": "code_injection",
"vuln_cwe": "CWE_95",
"vuln_id": "a38cebfe642fc1ad92d8bcddbaec92c2887cd15e680eaa7ec630c44d9832d974",
"vuln_type": "taint-style"
}
Unknown
1.
{
"source_name": [
"$file"
],
"source_line": [
799
],
"source_column": [
18508
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php"
],
"sink_name": "fopen",
"sink_line": 828,
"sink_column": 19856,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php",
"vuln_name": "idor",
"vuln_cwe": "CWE_862",
"vuln_id": "9ce630029af8d09ad51f15e44fa1634a95efcc0d2c39f6d5bf41c03510539edd",
"vuln_type": "taint-style"
}
2.
{
"source_name": [
"$file"
],
"source_line": [
828
],
"source_column": [
19856
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php"
],
"sink_name": "fread",
"sink_line": 833,
"sink_column": 19991,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php",
"vuln_name": "file_disclosure",
"vuln_cwe": "CWE_200",
"vuln_id": "2272fb6be170b15a15299b654dfeda296ad72616507d295998d972e9e31ed442",
"vuln_type": "taint-style"
},
{
"source_name": [
"$file"
],
"source_line": [
799
],
"source_column": [
18508
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php"
],
"sink_name": "file_get_contents",
"sink_line": 850,
"sink_column": 20509,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php",
"vuln_name": "file_disclosure",
"vuln_cwe": "CWE_200",
"vuln_id": "4b5f3ed9d58ebf60055d632a19a7ee2471fcbd65bc2f69491954cfd053030485",
"vuln_type": "taint-style"
},
{
"source_name": [
"$this->file_temp"
],
"source_line": [
35
],
"source_column": [
973
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php"
],
"sink_name": "copy",
"sink_line": 315,
"sink_column": 8256,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php",
"vuln_name": "idor",
"vuln_cwe": "CWE_862",
"vuln_id": "5b79acc9b47357a01a9b978474f2c2383ab86ab4c49c960b1fd26a92334702db",
"vuln_type": "taint-style"
},
{
"source_name": [
"$this->file_temp"
],
"source_line": [
35
],
"source_column": [
973
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php"
],
"sink_name": "move_uploaded_file",
"sink_line": 317,
"sink_column": 8332,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php",
"vuln_name": "idor",
"vuln_cwe": "CWE_862",
"vuln_id": "bf45fbfc0fdedefe14f18c508ca8a0545a50f8cb75b5b8d6349571cfcc997fb2",
"vuln_type": "taint-style"
},
{
"source_name": [
"$this->file_name"
],
"source_line": [
36
],
"source_column": [
1001
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php"
],
"sink_name": "move_uploaded_file",
"sink_line": 317,
"sink_column": 8332,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Upload.php",
"vuln_name": "idor",
"vuln_cwe": "CWE_862",
"vuln_id": "771a7bf708ad7d8a1b2efe369f29f2adf045c5a346536b37ab74517eb248ea63",
"vuln_type": "taint-style"
},
{
"source_name": [
"$file"
],
"source_line": [
291
],
"source_column": [
7551
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Zip.php"
],
"sink_name": "file_get_contents",
"sink_line": 304,
"sink_column": 7779,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Zip.php",
"vuln_name": "file_disclosure",
"vuln_cwe": "CWE_200",
"vuln_id": "f5253687ed2f31df2702dbb4f5e4bef7d833cef236c31ddd76b9309bd18b711d",
"vuln_type": "taint-style"
},
{
"source_name": [
"$line"
],
"source_line": [
966
],
"source_column": [
27866
],
"source_file": [
"\/home\/kali\/data\/nova\/source\/nova\/modules\/core\/controllers\/nova_install.php"
],
"sink_name": "fwrite",
"sink_line": 968,
"sink_column": 27910,
"sink_file": "\/home\/kali\/data\/nova\/source\/nova\/modules\/core\/controllers\/nova_install.php",
"vuln_name": "idor",
"vuln_cwe": "CWE_862",
"vuln_id": "2a755a98287ff3b67c4b1f2cb58f6dce95af72f60b26efa7bb5fa6c368a740d6",
"vuln_type": "taint-style"
},
Suspected False Positives:
1.
{
"vuln_rule": "MUST_VERIFY_DEFINITION",
"vuln_name": "security misconfiguration",
"vuln_line": 287,
"vuln_column": 6428,
"vuln_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Input.php",
"vuln_description": "cookie setted without secure or httponly flags",
"vuln_cwe": "CWE_1004",
"vuln_id": "12753b922227920c5ed72839ff6e7fede78ff3aaa914675d33252c71a6aea42c",
"vuln_type": "custom"
}
2.
{
"vuln_rule": "MUST_VERIFY_DEFINITION",
"vuln_name": "security misconfiguration",
"vuln_line": 193,
"vuln_column": 4612,
"vuln_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/core\/Security.php",
"vuln_description": "cookie setted without secure or httponly flags",
"vuln_cwe": "CWE_1004",
"vuln_id": "c429026216aa7d6356aedeeee7ef0a9eac4e3a57d3957ab9d6a6533aa604a60d",
"vuln_type": "custom"
},
3.
{
"vuln_rule": "MUST_VERIFY_DEFINITION",
"vuln_name": "security misconfiguration",
"vuln_line": 426,
"vuln_column": 12000,
"vuln_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Session.php",
"vuln_description": "cookie setted without secure or httponly flags",
"vuln_cwe": "CWE_1004",
"vuln_id": "f26d868fecd177a706580604e97113454ae54317e3ba647113b94c24406a6a6d",
"vuln_type": "custom"
},
4.
{
"vuln_rule": "MUST_VERIFY_DEFINITION",
"vuln_name": "security misconfiguration",
"vuln_line": 682,
"vuln_column": 17263,
"vuln_file": "\/home\/kali\/data\/nova\/source\/nova\/ci\/libraries\/Session.php",
"vuln_description": "cookie setted without secure or httponly flags",
"vuln_cwe": "CWE_1004",
"vuln_id": "4347f3ba11afbe85fc903622d461df7edda01d4d35d3580bf674d1ef3d014783",
"vuln_type": "custom"
},
Thanks for running that.
Anything that's in nova/ci is beyond our control. There was someone who had offered to do an upgrade to CI 3, but that hasn't materialized as of yet.
The same goes for jQuery. It's probably relatively safe to make some jQuery updates, but that would involve going through the changelogs for jQuery and identifying any potential code that needs to be updated within Nova 2.
I've been trying to better secure our nova server by adding CSP rules however it appears that both unsafe-inline and unsafe-eval is required for several directives. This is less than ideal. Do you have a CSP ruleset that best secures web servers hosting nova?