kmcdon83 / DVWA

Damn Vulnerable Web Application (DVWA)
http://dvwa.co.uk
GNU General Public License v3.0

CX SQL_Injection @ dvwa/includes/DBMS/PGSQL.php [master] #16

Open ghost opened 3 years ago

ghost commented 3 years ago

SQL_Injection issue exists @ dvwa/includes/DBMS/PGSQL.php in branch master

Method <?php at line 1 of dvwa\includes\DBMS\PGSQL.php gets user input from the _SERVER element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a database query in method <?php at line 1 of dvwa\includes\DBMS\PGSQL.php. This may enable an SQL Injection attack.

Severity: High

CWE:89

Vulnerability details and guidance: Internal Guidance | Checkmarx | Training | Recommended Fix

Lines: 56

Code (Line #56):

$baseUrl = 'http://'.$_SERVER[ 'SERVER_NAME' ].$_SERVER[ 'PHP_SELF' ];
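The flagged line concatenates two `$_SERVER` values into a URL string. Both are attacker-influenced: `SERVER_NAME` is taken from the request's Host header on common Apache configurations (UseCanonicalName Off), and `PHP_SELF` includes any PATH_INFO appended to the request path. This page does not show where `$baseUrl` goes afterwards, so whether it ever reaches a database query (the CWE-89 claim) cannot be confirmed from the report alone; what is verifiable from the line is the taint source. The PHP below is an added example, not DVWA's code: it reproduces the flagged construction next to a hardened version that takes the host from a configured allowlist, the path from `SCRIPT_NAME` (no PATH_INFO) after validation, and the scheme from the connection. The request environment is constructed inline, and the allowlist entry `dvwa.example` is a hypothetical deployment hostname.

```php
<?php
// Added example, not DVWA code. Demonstrates the taint on the two $_SERVER
// values used by the flagged line, and a hardened way to build the same URL.

// Constructed request environment (not a real capture), as PHP would populate
// it for:  GET /dvwa/includes/DBMS/PGSQL.php/%22%3E%3Cscript%3E  Host: evil.example
$_SERVER['SERVER_NAME'] = 'evil.example';                              // derived from the Host header
$_SERVER['PHP_SELF']    = '/dvwa/includes/DBMS/PGSQL.php/"><script>';  // script path + PATH_INFO
$_SERVER['SCRIPT_NAME'] = '/dvwa/includes/DBMS/PGSQL.php';             // script path only
$_SERVER['HTTPS']       = 'on';

// The construction from the finding: host and path are both request-controlled.
function base_url_original(): string
{
    return 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
}

// Hardened construction:
//  - host must match a configured allowlist (hypothetical $allowedHosts), never trusted from the request
//  - path comes from SCRIPT_NAME, so PATH_INFO is excluded, and is validated against a strict pattern
//  - scheme follows the actual connection instead of being hard-coded
function base_url_hardened(array $allowedHosts): string
{
    $host = $_SERVER['SERVER_NAME'] ?? '';
    if (!in_array($host, $allowedHosts, true)) {
        throw new RuntimeException('Unexpected host: ' . $host);
    }

    $path = $_SERVER['SCRIPT_NAME'] ?? '/';
    // One or more segments of [A-Za-z0-9_.-], no "..", no quotes, no query string
    if (!preg_match('#^(/[A-Za-z0-9_.-]+)+$#', $path) || str_contains($path, '..')) {
        throw new RuntimeException('Unexpected script path: ' . $path);
    }

    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $host . $path;
}

// 1. The original line happily carries the injected host and path through.
echo base_url_original(), PHP_EOL;

// 2. The hardened version rejects the forged Host header outright.
try {
    echo base_url_hardened(['dvwa.example']), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// 3. With the expected host the hardened version yields a clean https URL
//    that does not carry the PATH_INFO suffix.
$_SERVER['SERVER_NAME'] = 'dvwa.example';
echo base_url_hardened(['dvwa.example']), PHP_EOL;
```

Run with `php example.php` (PHP 8.0 or later, for `str_contains`). The first echo prints the injected host and the `"><script>` suffix unchanged; the second is rejected on the host check; the third prints `https://dvwa.example/dvwa/includes/DBMS/PGSQL.php`. Whatever `$baseUrl` is later used for in the project (redirect, HTML, or a query), the same two fixes apply: do not derive the host from the request, and do not use `PHP_SELF` when `SCRIPT_NAME` will do.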

ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.