Open cehd opened 6 years ago
This is probably to do with the old eval based packer. It's also 5+ years old, and realistically given the custom mootools packer and lack of code you posted, impossible to determine.
Going forward just use 1.5+ without compat mode
On Mon, 5 Feb 2018 at 9:24 pm, cehd notifications@github.com wrote:
Hi guys, from our EH process we've got this report:
The file mootools-1.2-core-nc.js interprets unvalidated user input as source code on line 34. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
I wanna know if u know about this issue, maybe it's a false positive, but I would ask u first. Just in case it's a known issue, from what version was it solved?
Regards!!
-- Dimitar Christoff
"JavaScript is to JAVA what hamster is to ham" @D_mitar - https://github.com/DimitarChristoff
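Added example, not part of the thread or of MooTools: a small JavaScript helper that lists dynamic code evaluation call sites by line number, so a scanner finding such as the "line 34" report above can be matched to the actual code and posted with it. The `packer-bootstrap` pattern assumes the `eval(function(...){...}(...))` shape used by Dean Edwards' packer (the custom MooTools packer's output is not shown on this page); the function names and the sample input are constructed.

```javascript
// Added triage helper, not MooTools code: lists dynamic-code sinks by line.
const SINKS = [
  // Assumed packer bootstrap shape: eval(function(p,a,c,k,e,d){...}(...))
  { kind: 'packer-bootstrap', re: /\beval\s*\(\s*function\s*\(/ },
  { kind: 'eval', re: /\beval\s*\(/ },
  { kind: 'new-Function', re: /\bnew\s+Function\s*\(/ },
  { kind: 'execScript', re: /\bexecScript\s*\(/ },
  { kind: 'string-timer', re: /\bset(?:Timeout|Interval)\s*\((?=\s*['"])/ },
];

// Blank comments and string contents (newlines and quotes kept) so line
// numbers stay valid and text inside them cannot match a sink. Regex literals
// and template strings are not parsed: this is a triage aid, not a JS parser.
function maskSource(src) {
  const blank = (s) => s.replace(/[^\n]/g, ' ');
  const token = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"/g;
  return src.replace(token, (m) =>
    m[0] === '/' ? blank(m) : m[0] + blank(m.slice(1, -1)) + m[0]);
}

function findDynamicCodeSinks(src) {
  const original = src.split('\n');
  const findings = [];
  maskSource(src).split('\n').forEach((line, i) => {
    const sink = SINKS.find((s) => s.re.test(line)); // first sink on the line
    if (!sink) return;
    const m = sink.re.exec(line);
    // Arguments up to the first ')' on this line. Only quotes, digits and
    // commas left after masking means every argument is a constant.
    const args = line.slice(m.index + m[0].length).split(')')[0];
    const argument = /^\s*['"][\s'",\d.]*$/.test(args) ? 'literal' : 'expression';
    findings.push({ line: i + 1, kind: sink.kind, argument, code: original[i].trim() });
  });
  return findings;
}

// Constructed sample input (not taken from mootools-1.2-core-nc.js).
const SAMPLE = [
  '// eval(userInput) in a comment is not a call',
  'var note = "never eval(this)";',
  'function decode(text){ return eval("(" + text + ")"); }',
  'eval(function(p,a,c,k,e,d){ return p; }("payload",0,0,[],0,{}));',
  'setTimeout("tick()", 100);',
  'var f = new Function("a", body);',
].join('\n');

console.table(findDynamicCodeSinks(SAMPLE));
```

An `expression` finding on the reported line is the place to check what data can reach the call; a `literal` finding is fixed when the file is written and does not take input at run time.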