PHP results - questions for understanding the issues #16

Open

BurninLeo opened this issue May 7, 2021 · 0 comments

BurninLeo commented May 7, 2021

Thank you for providing the visual code grepper! PHP code allows for nasty fails, and it is good to have a tool to direct attention at critical code lines.

After running VCG over my PHP project, I received some warnings about potential issues that I do not understand properly. I would greatly appreciate some hints on why these lines might be dangerous:

(1) MEDIUM: Potentially Unsafe Code - Application Variable Used on System Command Line
Line: 162 - C:....\file01.php
The application appears to allow the use of an unvalidated variable when executing a command. Carry out a manual check to determine whether the variable is user-controlled.
($dir === 'system')

To my eye, this looks like a simple comparison between two strings.

(2) MEDIUM: Potentially Unsafe Code - Potential XSS
Line: 87 - C:...\file01.php
The application appears to reflect data to the screen with no apparent validation or sanitisation. It was not clear if this variable is controlled by the user.
echo 'Error 500: The file '.htmlspecialchars($uri).' is not within '.htmlspecialchars($ownFolder);

htmlspecialchars() is often used in PHP for creating output that won't reflect JavaScript and other HTML contents. Therefore, I had assumed that would be "apparent ... sanitisation". Would it not?

(3) STANDARD: Potentially Unsafe Code - system
Line: 199 - C:...\file01.php
This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
ini_set('error_log', 'system/logfiles/errorlog.txt');

Again, this looks like a simple function call on ini_set(), but VCG says that "this function allows execution of commands". Is that general advice against ini_set(), or does VCG interpret the path on the right-hand side to be a potential issue?

(4) STANDARD: Potentially Unsafe Code - system
Line: 199 - C:...\file02.php
This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
$f = fopen('../system/logfiles/somefile.txt', 'a');

Same here: Is this a simple warning against fopen() (which would be perfectly legitimate)?

Thank you for some advice on better understanding the code grepper's output!
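The following is an added example, written for this page; it is neither the issue author's code nor part of the VCG project. It takes finding (2) and shows what a reviewer would actually check when deciding whether the `htmlspecialchars()` call is sufficient: the flags in use and the output context. The helper name `h()`, the sample `$uri` and `$ownFolder` values, and the attribute context are constructed for the illustration. The point it makes is that `htmlspecialchars()` is adequate for HTML text and double-quoted attributes with its defaults, but single quotes are only encoded with `ENT_QUOTES` (which became the default only in PHP 8.1), so the flags matter when the escaped value lands inside a single-quoted attribute.

```php
<?php
// Added example (not from the issue or from VCG): checking whether the
// htmlspecialchars() call flagged in finding (2) is sufficient sanitisation.
declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES   - also encode single quotes (default only since PHP 8.1)
 * ENT_SUBSTITUTE - replace invalid UTF-8 instead of returning ''
 * (helper name and flag choice are this example's own, not VCG's)
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a request path carrying markup and both quote kinds.
$uri       = '/x.php"><img src=x onerror=alert(1)>\'';
$ownFolder = '/var/www/site';

// 1) The message from the issue, rebuilt with the helper: HTML text context.
//    Here the default flags would already be enough; <, >, & and " are encoded.
$message = 'Error 500: The file ' . h($uri) . ' is not within ' . h($ownFolder);

// 2) Single-quoted attribute context: only ENT_QUOTES closes this gap.
$attribute = "<a title='" . h($uri) . "'>link</a>";

// 3) Side-by-side: ENT_COMPAT (the pre-8.1 default) leaves the single quote
//    untouched, ENT_QUOTES encodes it.
$compat = htmlspecialchars($uri, ENT_COMPAT | ENT_HTML5, 'UTF-8');
$quoted = h($uri);

echo $message, PHP_EOL;
echo $attribute, PHP_EOL;
echo 'ENT_COMPAT keeps the single quote: ', var_export(strpos($compat, "'") !== false, true), PHP_EOL;
echo 'ENT_QUOTES keeps the single quote: ', var_export(strpos($quoted, "'") !== false, true), PHP_EOL;
```

Run it with `php example.php`. The first two lines print with every `<`, `>`, `"` and `'` from `$uri` encoded, so nothing in the constructed input is interpreted as markup; the last two lines show `true` for the `ENT_COMPAT` call and `false` for the `ENT_QUOTES` call. A static grep such as VCG cannot see which flags or which output context apply, which is why it reports the line for manual review rather than deciding it is safe; the manual check is exactly the context-and-flags question above.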
