Paragon Initiative Enterprises conducted a comprehensive code review of the JPaseto library and discovered one medium-severity vulnerability, which was promptly fixed.
In addition to over a decade of software development experience, members of the Paragon Initiative Enterprises team actively research the security of high-value free and open source software projects. We possess a deep understanding of information security, risk management, and software vulnerabilities.
We don't limit our auditing services to an automated scanner and a rubber stamp. We favor the careful eye and steady hand approach. In addition to leading to better security, we find that this also leads to a better understanding of your application as a whole, which reduces the rate of false positives.
Our team has experience at every level of modern application development. We frequently find vulnerabilities that other security professionals overlooked (or lacked the expertise to identify or mitigate).
We start with the low-hanging fruit (e.g. SQL injection, local/remote file inclusion, cross-site scripting, directory traversal, LDAP/XPath injection, unvalidated file uploads, missing access controls, sensitive information disclosure) and then tackle the more sophisticated security risks (PHP object injection, weak random number generators, insecure cryptographic protocol design or selection, cryptographic side-channels, resource exhaustion a.k.a. Denial of Service, insecure password storage, etc.) until we are confident that your application is iron-clad.
When you hire Paragon Initiative Enterprises to perform a code audit on one of your business applications, we adhere to a simple and proven process to find and help your team remove the vulnerabilities in your platform:
There are several instances where data pulled from $_POST (i.e. inside a foreach loop) is passed directly to unserialize(). As a consequence, SMF is vulnerable to PHP Object Injection and possibly remote code execution.
The Zend\Crypt\RSA\PublicKey class in affected versions of Zend Framework's cryptography library is vulnerable to the padding oracle attack first demonstrated by Daniel Bleichenbacher in 1998 and further optimized by Steel et al. in 2012. This vulnerability is specific to PKCS #1 v1.5 padding; RSA-OAEP is unaffected.
Back-of-the-envelope math: at 25 oracle queries per second using the Steel method, you can decrypt any message encrypted with 1024-bit RSA by a vulnerable version of Zend\Crypt in about 10 minutes (median case).
Our chief development officer looked at the cryptography library provided by the Joomla CMS and found numerous cryptographic flaws, the most critical (pertaining to JCryptCipherSimple) being a home-grown cipher best described as XOR-ECB. It is relatively trivial to recover the key if you know the plaintext (especially if the plaintext is at least 256 characters long).
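To show why an XOR-ECB construction falls to a known-plaintext attack, here is an added example written for this page; it is not Joomla's JCryptCipherSimple source. The toy cipher, the 256-byte key length (taken from the hint above) and the sample messages are constructed for illustration. Given one ciphertext whose plaintext the attacker knows, the key is recovered byte for byte and every other message under that key is exposed:

```php
<?php
// Added example (not Joomla's code): a toy repeating-key XOR "cipher" of the
// XOR-ECB shape described above, and the known-plaintext key recovery it allows.
// The 256-byte key length is an assumption taken from the hint above.

function xor_ecb(string $data, string $key): string
{
    $keyLen = strlen($key);
    $out = '';
    for ($i = 0, $n = strlen($data); $i < $n; $i++) {
        // Each plaintext byte is XORed with the key byte at the same position
        // mod key length: no IV, no chaining, no authentication.
        $out .= $data[$i] ^ $key[$i % $keyLen];
    }
    return $out;
}

// Attacker step 1: plaintext XOR ciphertext is the keystream, which is just the
// key repeated. Find the period as the shortest prefix that repeats across the
// whole keystream (requires at least two periods of known plaintext).
function guess_key_length(string $knownPlaintext, string $ciphertext, int $maxLen): ?int
{
    $stream = $knownPlaintext ^ $ciphertext; // PHP XORs strings byte-wise
    $n = strlen($stream);
    for ($len = 1; $len <= $maxLen && 2 * $len <= $n; $len++) {
        $first = substr($stream, 0, $len);
        $consistent = true;
        for ($off = $len; $off + $len <= $n; $off += $len) {
            if (substr($stream, $off, $len) !== $first) {
                $consistent = false;
                break;
            }
        }
        if ($consistent) {
            return $len;
        }
    }
    return null; // not enough known plaintext to see a full repetition
}

// Attacker step 2: with one full period of known plaintext, the key is
// recovered byte for byte. This is why >= 256 characters of known plaintext
// hand over a 256-byte key in its entirety.
function recover_key(string $knownPlaintext, string $ciphertext, int $keyLen): string
{
    if (strlen($knownPlaintext) < $keyLen || strlen($ciphertext) < $keyLen) {
        throw new RuntimeException('need at least one full key period of known plaintext');
    }
    return substr($knownPlaintext, 0, $keyLen) ^ substr($ciphertext, 0, $keyLen);
}

// Demo with a constructed key and constructed messages.
$key = random_bytes(256);
// 540 bytes of plaintext the attacker knows or can inject (e.g. a fixed
// template the application encrypts on the attacker's behalf).
$known = str_repeat('Known text the attacker can guess or inject. ', 12);
$ct1 = xor_ecb($known, $key);

$len = guess_key_length($known, $ct1, 512);
if ($len === null) {
    throw new RuntimeException('not enough known plaintext');
}
$recovered = recover_key($known, $ct1, $len);
if ($recovered !== $key) {
    throw new RuntimeException('key recovery failed');
}

// Every other message under the same key now decrypts, and because XOR is its
// own inverse the attacker can also forge ciphertexts for chosen plaintexts.
$secret = 'session=0123456789abcdef; admin=1';
$ct2 = xor_ecb($secret, $key);
echo xor_ecb($ct2, $recovered), "\n";
```

Even without a full period of known plaintext, every byte the attacker does know exposes the corresponding key byte, and anything encrypted at that offset (mod key length) in any other message. The fix is not a longer key or a secret XOR table but an authenticated cipher (e.g. AES-GCM or XChaCha20-Poly1305) from a vetted library.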
The usual suspects for cryptographic vulnerabilities in PHP (chosen-ciphertext attacks, an insecure fallback in the CSPRNG) were also present.
Total investigation time: 30 minutes. Imagine what we could do for the security of your projects with days.
AnchorCMS is a popular blogging platform that focuses on being lightweight and super simple. We discovered an unfortunate vulnerability that is both easy to exploit remotely and high-impact.
Minds.com is a social network and mobile app that claims to offer encrypted chat to its users. After a brief investigation, we discovered that the clients would blindly accept arbitrary RSA public keys from the server (so anyone who can impersonate the server can substitute a key they control), and that messages were encrypted with RSA using PKCS #1 padding.
Tutanota, which offers a free encrypted email app, does not authenticate its ciphertexts with a MAC. Two others (Steve Weis and Richard) had already alerted the development team to this implementation flaw and their report was dismissed.
RNCryptor's MAC validation suffers from timing leaks and type confusion vulnerabilities.
There were two symmetric cryptography strategies bundled with Friendica. One used ECB mode, the other used CBC mode. Neither implementation used encryption or authentication correctly.
A Laravel 5 package for integrating with YubiKey lacked a CSPRNG for nonce generation. Furthermore, it was comparing HMAC-SHA1 signatures with PHP's == operator. We informed the maintainer and sent a pull request to fix these issues.
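The two findings above (a non-CSPRNG nonce and signatures compared with ==) and the MAC-validation timing leak and type confusion noted for RNCryptor share one remedy, shown here as an added example that is not the package's code. The request/response shape (sorted key=value pairs, HMAC-SHA1 keyed with a shared API secret, base64-encoded in an "h" field) is a simplified stand-in for a YubiKey validation exchange and is an assumption; the API key and response values are constructed:

```php
<?php
// Added example (not the package's code): CSPRNG nonces and constant-time,
// type-strict MAC verification. The response format below is an assumption.

// 1. Nonce: random_bytes() is a CSPRNG. uniqid(), mt_rand() and rand() are not,
//    and a predictable nonce lets an attacker pre-compute or replay responses.
function make_nonce(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // 32 hex characters
}

// 2. Signature over the alphabetically sorted key=value pairs (excluding "h"),
//    HMAC-SHA1 under the shared API key, base64-encoded (assumed convention).
function sign_params(array $params, string $apiKey): string
{
    unset($params['h']);          // local copy; caller's array is untouched
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return base64_encode(hash_hmac('sha1', implode('&', $pairs), $apiKey, true));
}

// 3. BAD: == performs type juggling (two numeric-looking strings such as
//    "0e12" and "0e34" compare as floats, 0 == 0) and stops at the first
//    differing byte, so the comparison time leaks how much of the MAC matched.
function verify_signature_insecure(array $params, string $apiKey): bool
{
    return $params['h'] == sign_params($params, $apiKey);
}

// 4. GOOD: hash_equals() is type-strict and runs in time independent of where
//    the strings differ. Also bind the response to the nonce we sent so a
//    captured "status=OK" response cannot be replayed.
function verify_signature(array $params, string $apiKey, string $expectedNonce): bool
{
    if (!isset($params['h'], $params['nonce']) || !is_string($params['h'])) {
        return false;
    }
    if (!hash_equals($expectedNonce, (string) $params['nonce'])) {
        return false; // replayed or foreign response
    }
    return hash_equals(sign_params($params, $apiKey), $params['h']);
}

// Demo with a constructed API key and a constructed response.
$apiKey = random_bytes(20);
$nonce = make_nonce();
$response = ['status' => 'OK', 'nonce' => $nonce, 'otp' => 'constructed-otp'];
$response['h'] = sign_params($response, $apiKey);

var_dump(verify_signature($response, $apiKey, $nonce));   // genuine response
$response['status'] = 'REPLAYED_OTP';
var_dump(verify_signature($response, $apiKey, $nonce));   // tampered response

// Why == is the wrong tool: PHP compares two numeric strings numerically, and a
// hex-encoded MAC can legitimately start with "0e" followed only by digits.
var_dump('0e462097431906509019562988736854' == '0e830400451993494058024219903391');
var_dump(hash_equals('0e462097431906509019562988736854', '0e830400451993494058024219903391'));
```

hash_equals() takes the known-good value first and the user-supplied value second; keep that order, and make sure the user-supplied value really is a string (a JSON-decoded integer or array reaching == is exactly the type confusion described above).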
Laravel developers who (a) stored their session state inside a cookie and (b) turned session encryption off were vulnerable to PHP Object Injection, which can lead to Remote Code Execution under the right conditions.
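Both the SMF finding above (request values fed to unserialize() in a foreach loop) and the Laravel cookie-session case come down to the same pattern, illustrated here with an added example that is not SMF's or Laravel's code. The LogFlusher gadget class, the request array and the target path are constructed; in a real application the gadget is whatever loaded class has a useful __destruct(), __wakeup() or __toString():

```php
<?php
// Added example (not SMF's or Laravel's code): unserialize() on attacker
// input is PHP Object Injection, plus two safe replacements.

// A class the application happens to have loaded. Its destructor does file I/O
// driven by its properties: a classic "gadget". Constructed for this example.
class LogFlusher
{
    public $path;
    public $data;

    public function __destruct()
    {
        // Runs when the object is released, even for an object the
        // application never intended to create.
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: the pattern described above. Every request value goes through
// unserialize(), so the attacker picks the class and its properties.
function load_settings_vulnerable(array $post): array
{
    $settings = [];
    foreach ($post as $name => $serialized) {
        $settings[$name] = unserialize($serialized);
    }
    return $settings;
}

// SAFE 1 (PHP >= 7.0): refuse objects entirely. Scalars and arrays still
// round-trip; any O:/C: token becomes __PHP_Incomplete_Class and no magic
// method runs. If the app genuinely needs objects, pass an explicit class
// allow-list instead of false.
function load_settings_safe(array $post): array
{
    $settings = [];
    foreach ($post as $name => $serialized) {
        $value = unserialize($serialized, ['allowed_classes' => false]);
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new RuntimeException("rejected object in setting '$name'");
        }
        $settings[$name] = $value;
    }
    return $settings;
}

// SAFE 2 (preferred, PHP >= 7.3 for JSON_THROW_ON_ERROR): do not use PHP's
// serialization format for untrusted data at all. JSON has no object types
// with behaviour, and unserialize() itself has a long history of memory bugs.
function load_settings_json(array $post): array
{
    $settings = [];
    foreach ($post as $name => $json) {
        $settings[$name] = json_decode($json, true, 64, JSON_THROW_ON_ERROR);
    }
    return $settings;
}

// The attacker's payload: a serialized LogFlusher aimed at a path of their
// choosing. Built by hand so that no LogFlusher is instantiated locally.
$path = sys_get_temp_dir() . '/injected.txt';
$data = 'attacker-controlled content';
$payload = sprintf(
    'O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($path), $path, strlen($data), $data
);

// Constructed stand-in for $_POST: one legitimate value, one payload.
$fakePost = ['theme' => 's:7:"default";', 'cache' => $payload];

$settings = load_settings_vulnerable($fakePost);
unset($settings);                 // destructor fires: $path is written
var_dump(file_exists($path));     // the injected object had an effect

@unlink($path);
try {
    load_settings_safe($fakePost); // throws: object rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
var_dump(file_exists($path));     // nothing written
```

The Laravel case is the same thing one layer up: with session state in a cookie and encryption off, the cookie is the attacker-supplied serialized string. Encrypted (and therefore authenticated) cookies close that hole only because the attacker can no longer produce a valid cookie, not because unserialize() became safe.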
One of our clients built an app upon a platform called Qbix and hired us to do a pre-launch code audit of their app as well as Qbix's platform.
The Bytejailcore audit is our most comprehensive investigation to date, and we are happy to say that we did not find any security-affecting vulnerabilities or cryptographic weaknesses.
Our investigation of the Bytejail client software did not uncover any security vulnerabilities, cryptographic weaknesses, or anything resembling a backdoor. Users' sensitive credentials are never transmitted, and even error messages are anonymized and encrypted before they are sent to the developers.
After a comprehensive code review of the TahoeSmart and TahoeWorker projects, we did not identify any security vulnerabilities in either project. However, our investigation did uncover a few helper classes that could benefit from security enhancements.
After reviewing the Bytejail console source code, we identified three security issues: one of medium severity and two of low severity. All three are related to cryptography and are believed to be difficult for an attacker to exploit.
We did not find any security vulnerabilities in the JWT library itself; however, we did find a previously undiscovered cryptographic vulnerability in one of its dependencies.
Paragon Initiative Enterprises conducted a comprehensive code review of the NaclKeys project and discovered no security vulnerabilities.