You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
// To add new issues use the format: function name[=>][[N]][description]
// (where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal'))
//
// NB - function names are case-sensitive for this file
//
// Untrusted Data
$_REQUEST=>Population of PHP's global arrays can result in server side variables being overwritten by user-submitted data. This functionality is best avoided and should be used with extreme caution. Manually review this section of code to ensure safe usage.
// Command execution
shell_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
system=>This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
exec =>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
popen=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
passthru=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
proc_open=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
pcntl_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
// Code execution
eval =>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
assert =>This function will evaluate PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
preg_replace=>This function will evaluate PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
create_function=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
// Information disclosure
phpinfo =>This debugging function can expose sensitive data to an attacker. Perform a manual check to ensure that its out put data is not visible to normal users.
show_source=>Shows the PHP source
// Development functionality
$_GET['debug']=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
$_GET['test']=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
// Unsafe Randomisation
mt_rand=>[3]The application uses pseudo-random number generation that is not cryptographically secure. Carry out a manual check to ensure this is not being used in a process that requires cryptographically secure random numbers.
// Insecure cryptographic functions
md5=>[3] MD5 Hashing algorithm.
CRYPT_STD_DES=>[2] Standard DES-based hash with a two character salt.
CRYPT_EXT_DES=>[3] Extended DES-based hash with a 9 character salt.
CRYPT_MD5=>[3] Crypt MD5 function. Whilst this function uses a twelve character salt it is still MD5.
mcrypt_cbc=>[3] Deprecated function. Use mcrypt_generic
mcrypt_cfb=>[3] Deprecated function. Use mcrypt_generic
mcrypt_ecb=>[3] Deprecated function. Use mcrypt_generic
mcrypt_ofb=>[3] Deprecated function. Use mcrypt_generic
mcrypt_generic_end=>[3] Deprecated function. Use mcrypt_generic_deinit()