kmcdon83 / DVWA

Damn Vulnerable Web Application (DVWA)
http://dvwa.co.uk
GNU General Public License v3.0

CX File_Manipulation @ external/phpids/0.6/lib/IDS/Log/Email.php [master] #18

Open ghost opened 3 years ago

ghost commented 3 years ago

File_Manipulation issue exists @ external/phpids/0.6/lib/IDS/Log/Email.php in branch master

The input obtained via isSpamAttempt in the file external\phpids\0.6\lib\IDS\Log\Email.php at line 210 is used to determine the location of a file to be written into by isSpamAttempt in the file external\phpids\0.6\lib\IDS\Log\Email.php at line 210, potentially allowing an attacker to alter or corrupt the contents of that file, or create a new file altogether.

Severity: High

CWE:552

Vulnerability details and guidance: Internal Guidance | Checkmarx Training | Recommended Fix

Lines: 237

Code (Line #237):

    $userAgent  = $_SERVER['HTTP_USER_AGENT'];

ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.