nccgroup / VCG

VisualCodeGrepper - Code security scanning tool.
GNU General Public License v3.0
523 stars 116 forks

PHP results - questions for understanding the issues #16

Open BurninLeo opened 3 years ago

BurninLeo commented 3 years ago

Thank you for providing the visual code grepper! PHP code allows for nasty fails, and it is good to have a tool to direct attention at critical code lines.

After running VCG over my PHP project, I received some warnings about potential issues that I do not understand properly. I would greatly appreciate some hints on why these lines might be dangerous:

(1) MEDIUM: Potentially Unsafe Code - Application Variable Used on System Command Line
Line: 162 - C:....\file01.php
The application appears to allow the use of an unvalidated variable when executing a command. Carry out a manual check to determine whether the variable is user-controlled.
`$dir === 'system'`

To my eye, this looks like a simple comparison between two strings.

(2) MEDIUM: Potentially Unsafe Code - Potential XSS
Line: 87 - C:...\file01.php
The application appears to reflect data to the screen with no apparent validation or sanitisation. It was not clear if this variable is controlled by the user.
`echo 'Error 500: The file '.htmlspecialchars($uri).' is not within '.htmlspecialchars($ownFolder);`

htmlspecialchars() is often used in PHP for creating output that won't reflect JavaScript and other HTML contents. Therefore, I had assumed that would be "apparent ... sanitisation". Would it not?

(3) STANDARD: Potentially Unsafe Code - system
Line: 199 - C:...\file01.php
This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
`ini_set('error_log', 'system/logfiles/errorlog.txt');`

Again, this looks like a simple function call on ini_set(), but VCG says that "this function allows execution of commands". Is that general advice against ini_set(), or does VCG interpret the path on the right-hand side to be a potential issue?

(4) STANDARD: Potentially Unsafe Code - system
Line: 199 - C:...\file02.php
This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
`$f = fopen('../system/logfiles/somefile.txt', 'a');`

Same here: Is this a simple warning against fopen() (which would be perfectly legitimate)?

Thank you for some advice on better understanding the code grepper's output!
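Added illustration (not VCG's code, and not written by the issue author): a small Python triage script run over the four lines quoted above. It assumes, purely for demonstration, a scanner rule that fires on the bare keyword `system` anywhere in a line; that is an assumption about grep-style tools in general, not a description of how VCG actually matches. The token-aware `is_call()` check shows why findings (1), (3) and (4) look like false positives (the word sits inside a string literal, not at a call site), and `unescaped_vars()` is a simplified heuristic for finding (2) that only knows about `htmlspecialchars()` in an HTML-body context.

```python
import re

# Constructed sample: the four lines quoted in the issue, tagged with the rule reported for them.
REPORTED = [
    ("$dir === 'system'", "system"),
    ("echo 'Error 500: The file '.htmlspecialchars($uri).' is not within '.htmlspecialchars($ownFolder);", "xss"),
    ("ini_set('error_log', 'system/logfiles/errorlog.txt');", "system"),
    ("$f = fopen('../system/logfiles/somefile.txt', 'a');", "system"),
]

_SINGLE = re.compile(r"'(?:\\.|[^'\\])*'")
_DOUBLE = re.compile(r'"(?:\\.|[^"\\])*"')
_VAR = re.compile(r"\$\w+")
# htmlspecialchars($var) or htmlspecialchars($var, FLAGS, 'charset')
_ESCAPED = re.compile(r"htmlspecialchars\(\s*(\$\w+)\s*(?:,[^)]*)?\)")


def keyword_hit(line: str, keyword: str) -> bool:
    """Grep-style check: does the bare keyword occur anywhere in the line?
    Assumed simplified rule for illustration; not VCG's actual matching logic."""
    return keyword in line


def strip_string_literals(line: str) -> str:
    """Replace single- and double-quoted PHP string literals with empty quotes so
    that words inside them (paths, compared values) cannot masquerade as code."""
    return _DOUBLE.sub('""', _SINGLE.sub("''", line))


def is_call(line: str, func: str) -> bool:
    """True only if `func` appears as a call site: outside any string literal and
    followed by an opening parenthesis."""
    pattern = r"\b" + re.escape(func) + r"\s*\("
    return re.search(pattern, strip_string_literals(line)) is not None


def unescaped_vars(line: str) -> set:
    """For an echo statement, return the variables that are not passed straight
    through htmlspecialchars(). Heuristic for HTML-body context only: it does not
    understand JavaScript, URL or attribute contexts, where other escaping applies."""
    all_vars = set(_VAR.findall(line))
    escaped = set(_ESCAPED.findall(line))
    return all_vars - escaped


def triage(line: str, rule: str) -> str:
    """Classify a reported line as a real call site, a keyword-only hit, or an
    output statement with/without escaping."""
    if rule == "xss":
        leftover = unescaped_vars(line)
        if leftover:
            return "unescaped: " + ", ".join(sorted(leftover))
        return "all variables pass through htmlspecialchars()"
    if is_call(line, rule):
        return f"real {rule}() call site: review the argument"
    if keyword_hit(line, rule):
        return f"'{rule}' occurs in the line but not as a call (string literal or identifier): likely a false positive"
    return "no match"


if __name__ == "__main__":
    for line, rule in REPORTED:
        print(f"[{rule}] {line}\n    -> {triage(line, rule)}")
```

Running the script prints a verdict per line: the three `system` findings come back as keyword-only hits, the echo comes back with every variable escaped. Two caveats on finding (2) that the heuristic cannot see: before PHP 8.1 `htmlspecialchars()` did not escape single quotes unless `ENT_QUOTES` was passed, so output placed inside a single-quoted attribute was still injectable, and the function is the wrong tool for values emitted into JavaScript or URLs, where JSON or URL encoding is needed instead.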