Raikia / FiercePhish

FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.
https://github.com/Raikia/FiercePhish/wiki
GNU General Public License v3.0

Dev branch: "Parse as PHP" option not properly closing PHP code #54

Open octagons opened 7 years ago

octagons commented 7 years ago

The listing below causes an uploaded file to include the string "<?php" at the end of the file if the "parse as PHP" option is selected for the file hosting action.

https://github.com/Raikia/FiercePhish/blob/c73d4ad7d787465913dcd00f9a06d56c7cd1baa0/app/HostedFile.php#L36

As a temporary workaround, I changed the line to the following:

eval('?> ' . $code . '<?php ?>');

This is clearly not a permanent solution, but it is unclear what functionality was originally intended in its current implementation.

Raikia commented 7 years ago

I haven't had an issue here before yet, but that may be due to insufficient testing since it's an early addition in the dev branch. Do you have an example PHP file you are hosting that I can test with?