Security
openssl-cbc-static-iv
Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-329: Generation of Predictable IV with CBC Mode
OWASP:
- A02:2021 - Cryptographic Failures
extract-user-data
Do not call extract() on user-controllable data. If you must, also pass the EXTR_SKIP flag so that existing variables are not overwritten.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
file-inclusion
Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
OWASP:
- A03:2021 - Injection
unserialize-use
Calling unserialize() with user input can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
ldap-bind-without-password
Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-287: Improper Authentication
OWASP:
- A02:2017 - Broken Authentication
- A07:2021 - Identification and Authentication Failures
md5-used-as-password
It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS).
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
unlink-use
Using user input when deleting files with unlink() is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
base-convert-loses-precision
The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-190: Integer Overflow or Wraparound
php-permissive-cors
The Access-Control-Allow-Origin response header is set to "*". This disables the Same-Origin Policy restrictions that CORS is meant to enforce.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-346: Origin Validation Error
OWASP:
- A07:2021 - Identification and Authentication Failures
ftp-use
FTP allows for unencrypted file transfers. Consider using an encrypted alternative.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
exec-use
Executing non-constant commands. This can lead to command injection.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
php-ssrf
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Dangerous function DATA
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
assert-use
Calling assert() with user input is equivalent to calling eval() on it.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
redirect-to-request-uri
Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
eval-use
Evaluating non-constant commands. This can lead to command injection.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
weak-crypto
Detected usage of weak crypto function. Consider using stronger alternatives.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
mcrypt-use
Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-676: Use of Potentially Dangerous Function
phpinfo-use
The phpinfo() function may reveal sensitive information about your environment.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control
curl-ssl-verifypeer-off
SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER = $IS_VERIFIED).
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
tainted-exec
Executing non-constant commands. This can lead to command injection. You should use escapeshellarg() on each argument when building the command.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
backticks-use
Backticks use may lead to command injection vulnerabilities.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
mb-ereg-replace-eval
Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (e) evaluates the replacement argument as code.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
md5-loose-equality
Make sure comparisons involving md5 values are strict (use === not ==) to avoid type juggling issues.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-697: Incorrect Comparison