oria / gridx

Just another powerful Dojo grid

Remote Code Execution Vulnerability in gridx latest version #433

Open mayoterry opened 5 years ago

mayoterry commented 5 years ago

Hi, we found a remote code execution vulnerability in the gridx latest version that could allow an attacker to remotely execute arbitrary code to attack the server. Code at line 265: the query parameter is directly passed into the eval function.

payload: http://127.0.0.1/gridx-master/tests/support/stores/test_grid_filter.php?query=phpinfo();

This payload executes phpinfo();


fix: In PHP, the eval function is dangerous. It is not recommended to use it. If you must use it, you need to limit the incoming data.
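The pattern the report describes (a request parameter handed straight to `eval()`) beside a hardened alternative, as an added example that is not gridx's own code. It assumes the test store only needs the `query` parameter to express a simple row filter; the field names, operator list and sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the gridx repository.
// Assumption: the test store receives a filter via the "query" parameter
// and uses it to select rows. Field names, operators and rows are invented.

// Vulnerable pattern as reported: attacker-controlled text is executed as PHP.
function filterRowsUnsafe(array $rows, string $query): array
{
    // DO NOT USE: anything in $query (e.g. "phpinfo();") runs on the server.
    return array_values(array_filter($rows, function (array $row) use ($query) {
        return eval("return ($query);");
    }));
}

// Hardened alternative: accept a small structured filter, validate every
// part against an allowlist, and never execute the input as code.
const ALLOWED_FIELDS = ['id', 'name', 'price'];          // assumed schema
const ALLOWED_OPS    = ['eq', 'ne', 'lt', 'gt', 'contains'];

function parseFilter(string $query): array
{
    $f = json_decode($query, true);
    if (!is_array($f) || !isset($f['field'], $f['op'], $f['value'])) {
        throw new InvalidArgumentException('malformed filter');
    }
    if (!in_array($f['field'], ALLOWED_FIELDS, true)) {
        throw new InvalidArgumentException('unknown field');
    }
    if (!in_array($f['op'], ALLOWED_OPS, true)) {
        throw new InvalidArgumentException('unknown operator');
    }
    if (!is_scalar($f['value'])) {
        throw new InvalidArgumentException('value must be scalar');
    }
    return $f;
}

function filterRowsSafe(array $rows, string $query): array
{
    $f = parseFilter($query);   // throws on anything outside the allowlist
    return array_values(array_filter($rows, function (array $row) use ($f) {
        $v = $row[$f['field']] ?? null;
        switch ($f['op']) {
            case 'eq':       return $v == $f['value'];
            case 'ne':       return $v != $f['value'];
            case 'lt':       return $v < $f['value'];
            case 'gt':       return $v > $f['value'];
            case 'contains': return is_string($v)
                                 && strpos($v, (string) $f['value']) !== false;
        }
        return false;
    }));
}

// Constructed sample data and a default filter for stand-alone runs.
$rows = [
    ['id' => 1, 'name' => 'bolt',   'price' => 2],
    ['id' => 2, 'name' => 'washer', 'price' => 1],
    ['id' => 3, 'name' => 'gear',   'price' => 25],
];
$query = $_GET['query'] ?? '{"field":"price","op":"lt","value":10}';

header('Content-Type: application/json');
try {
    echo json_encode(filterRowsSafe($rows, $query));   // ids 1 and 2
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

With the hardened version a request carrying `query=phpinfo();` fails `json_decode` and is answered with a 400 instead of being executed; the allowlist also keeps the accepted filter from reaching any field or operator the store did not intend to expose.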

jsonn commented 5 years ago

This is a test case that shouldn't be deployed to a live system anyway.