openssl-cbc-static-iv
extract-user-data
file-inclusion
unserialize-use
unserialize()
with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).
ldap-bind-without-password
md5-used-as-password
password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);
unlink-use
unlink()
is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
base-convert-loses-precision
php-permissive-cors
ftp-use
exec-use
php-ssrf
assert-use
redirect-to-request-uri
eval-use
weak-crypto
mcrypt-use
phpinfo-use
curl-ssl-verifypeer-off
tainted-exec
escapeshellarg()
when using command.
backticks-use
mb-ereg-replace-eval
e
) evaluates the replacement argument as code.
md5-loose-equality
===
not ==
) to avoid type juggling issues