Unfortunately, development on fof appears to have stalled (there have only been 5 or so code commits since 2009). Since the code base for the project was so small, I decided to fork it and add a few features/bugfixes. However, once I started looking at the code, it soon became apparent that the security of the software was severely lacking.
There were all sorts of nasties lurking in this code, which I've now fixed, including:
- An arbitrary code execution vulnerability (user data passed directly to create_function, which compiles its string arguments as PHP code)
- Numerous privilege-checking problems (for example, any user could change another user's password, or uninstall the software)
- A vulnerability allowing an attacker to read and write arbitrary data in the database
- A poorly designed and insecure login system (it used the hash of the user's password as a login token)
- Password hashes were stored unsalted
- The logging system leaked data: logs were publicly viewable, and contained sensitive information (session IDs, etc.)
- No CSRF prevention
- Two open redirect vulnerabilities
- About 30 XSS vulnerabilities
This project was an excellent lesson in how difficult it can be to add security features to insecurely designed software. The only reason doing so was feasible in this case is that the code-base was so small! It was also a good excuse to learn about all sorts of different attacks and how to prevent them. Although it was pretty tedious hardening the code, it ended up being a pretty valuable experience.
For the future, I plan to add the following features:
- rewrite the database layer to use PDO (and hence support databases other than MySQL), or else use some kind of ORM
- allow new users to register accounts
- add a RESTful API, and possibly also create a new user interface
- perform a lot of code clean-up and refactoring, and optimise the JavaScript parts of the code
The forked code can be downloaded here:
https://dl.dropbox.com/u/1614464/fof/fof-1.0.1.tar.gz
In the absence of a proper change log, here's the subversion commit log (so you can see what has been changed):
https://dl.dropbox.com/u/1614464/fof/svn_log_1.0.1.txt
I really should move this project (as in the code hosting and bug tracking) onto some kind of hosted service (right now I'm doing all the bug-tracking etc on my local machine). Maybe I'll do that sometime in the future too.
PS: the minimum version of PHP required to run this fork is 5.3 (since I replaced all instances of create_function with lambdas, i.e. the anonymous functions that PHP 5.3 introduced).
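The create_function problem and its fix are the one change the post spells out, so here is the pattern side by side. This is an added example, not code from fof or the fork: the helper names (make_labeller_vulnerable, make_labeller_safe) and the hostile input ($payload) are constructed for illustration, and the vulnerable half only runs on PHP 5.3 through 7.4, because create_function was removed in PHP 8.0.

```php
<?php
// Added example, not code from fof or its fork: the create_function pattern the
// post describes, next to the PHP 5.3 closure that replaces it. The names
// make_labeller_vulnerable, make_labeller_safe and $payload are invented here.

// Vulnerable: $prefix is spliced into a string of PHP source, which
// create_function compiles with eval(). A double quote in $prefix ends the
// string literal, and everything after it runs as code.
function make_labeller_vulnerable($prefix)
{
    return create_function('$item', '$p = "' . $prefix . '"; return $p . $item;');
}

// Hardened: an anonymous function (PHP >= 5.3). $prefix is captured by `use`
// as a value; no source text is generated, so nothing in it can be parsed.
function make_labeller_safe($prefix)
{
    return function ($item) use ($prefix) {
        return $prefix . $item;
    };
}

// Constructed hostile input: closes the generated string literal, inserts a
// statement of the attacker's choosing, then reopens the literal so the
// generated source still parses.
$payload = '"; echo "[attacker code executed]\n"; $p = "';

if (function_exists('create_function')) {   // removed in PHP 8.0
    $vuln = make_labeller_vulnerable($payload);
    echo $vuln('feed'), "\n";   // the injected echo fires before "feed" prints
} else {
    echo "create_function is not available on this PHP version\n";
}

$safe = make_labeller_safe($payload);
echo $safe('feed'), "\n";       // prints the payload verbatim, followed by "feed"
```

Escaping the user data before concatenation is not a fix, because the data is still compiled as source; the closure is safer precisely because the value never becomes code. The same substitution applies anywhere create_function was fed a string built from request data, such as callbacks handed to preg_replace_callback or usort.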
Unfortunately, tarball is 404 on dropbox... SVN commit log is present.
Was further development performed, or something?
Ah, my mistake, I must have renamed the file. The latest release is here:
https://dl.dropbox.com/u/1614464/fof/fof-1.0.2.tar.gz
I've also moved the code for this project onto github, latest version is available at
https://github.com/robisacommonusername/fofork.git
Haven't had the time to do much work on this, but planning to rewrite the database layer this April.