| // Determine OS and execute the ping command. | ||
| if( stristr( php_uname( 's' ), 'Windows NT' ) ) { | ||
| // Windows | ||
| $cmd = shell_exec( 'ping ' . escapeshellarg($target) ); |
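Review bot: escapeshellarg($target) on the last line quotes the value so shell metacharacters cannot terminate the ping command, which is why the SAST finding here reflects the taint path (user input reaching shell_exec) rather than a shell breakout; what the hunk still lacks is validation that $target is actually an IP address or hostname before it is quoted, since quoting does not stop a value beginning with '-' from being read by ping as an option. Suggest rejecting anything that fails filter_var($target, FILTER_VALIDATE_IP) (or a strict hostname check) before this branch is reached.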
❗Cycode: SAST violation: 'Unsanitized user input in OS command'.
Severity: Critical
Description
Executing OS commands that include user-supplied data can lead to command injection vulnerabilities. This occurs when an application dynamically executes OS commands that an attacker can manipulate through user input.
Cycode Remediation Guideline
✅ Do
- Do use a predefined set of commands instead of directly including user input, if user input has to influence the execution flow.
if ($_GET["action"] == "option1") {
$command = "command1";
} else {
$command = "command2";
}
exec($command);
❌ Don't
- Do not directly include user input in commands to be executed by the OS. This can allow attackers to inject malicious commands.
exec($_GET["command"]); // unsafe
| } | ||
|
|
||
| // Feedback for the end user | ||
| $html .= "<pre>{$cmd}</pre>"; |
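Review bot: $cmd on the last line is raw ping output that echoes the submitted target back into the page, so it needs HTML escaping before concatenation, e.g. `$html .= '<pre>' . htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') . '</pre>';`. The escapeshellarg() call earlier in the diff protects the shell context only, not the HTML context.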
❗Cycode: SAST violation: 'Unsanitized user input in raw HTML strings (XSS)'.
Severity: High
Description
Including unsanitized user input in HTML exposes your application to cross-site scripting (XSS) attacks. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users.
Cycode Remediation Guideline
✅ Do
- Do use a templating language like Twig, and keep the template in a separate file. Templating languages automatically handle input sanitization, reducing the risk of XSS.
- Do sanitize user input when HTML strings must be used, to prevent malicious code injection.
$html = "<h1>" . htmlspecialchars($_GET["title"]) . "</h1>";
❌ Don't
- Do not include user input directly in HTML strings. This practice can lead to XSS vulnerabilities.
$html = "<h1>{$_GET["title"]}</h1>"; // unsafe
| } | ||
| else { | ||
| // *nix | ||
| $cmd = shell_exec( 'ping -c 4 ' . escapeshellarg($target) ); |
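Review bot: the *nix branch repeats the same escapeshellarg($target) call as the Windows branch, so input handling is now duplicated across both paths; consider validating and quoting $target once before the OS check so a single code path owns the input and the two branches differ only in the ping flags (`-c 4` here versus none on Windows).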
❗Cycode: SAST violation: 'Unsanitized user input in OS command'.
Severity: Critical
Description
Executing OS commands that include user-supplied data can lead to command injection vulnerabilities. This occurs when an application dynamically executes OS commands that an attacker can manipulate through user input.
Cycode Remediation Guideline
✅ Do
- Do use a predefined set of commands instead of directly including user input, if user input has to influence the execution flow.
if ($_GET["action"] == "option1") {
$command = "command1";
} else {
$command = "command2";
}
exec($command);
❌ Don't
- Do not directly include user input in commands to be executed by the OS. This can allow attackers to inject malicious commands.
exec($_GET["command"]); // unsafe
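A hardened version of the ping handler from this diff that addresses both findings (input validation before the OS command, output escaping before the HTML), added here as an example; it is not DVWA's, the PR author's or Cycode's code, and it assumes the target arrives as $_POST['ip'] alongside a Submit button, which the page does not show.

```php
<?php
// Added example (not code from the PR or from Cycode). Assumes the target is
// submitted as $_POST['ip'] with a $_POST['Submit'] button (assumption).

/**
 * Validate the target before it reaches the shell. escapeshellarg() keeps shell
 * metacharacters inside one argument, but it does not stop a value beginning
 * with '-' from being read by ping as an option, so require a real IP address.
 * Returns the validated address, or null if the input is rejected.
 */
function validate_ping_target(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/** Build the OS-specific ping command; the validated target is still quoted. */
function build_ping_command(string $target, bool $isWindows): string
{
    $base = $isWindows ? 'ping ' : 'ping -c 4 ';
    return $base . escapeshellarg($target);
}

/** Escape the raw command output for the HTML context (fixes the XSS finding). */
function render_output(string $raw): string
{
    return '<pre>' . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

$html = '';
if (isset($_POST['Submit'])) {
    $target = validate_ping_target((string) ($_POST['ip'] ?? ''));
    if ($target === null) {
        // Reject rather than "clean up": a bad target never reaches shell_exec.
        $html .= '<pre>ERROR: target must be a valid IP address.</pre>';
    } else {
        $isWindows = stristr(php_uname('s'), 'Windows NT') !== false;
        $cmd = shell_exec(build_ping_command($target, $isWindows));
        $html .= render_output((string) $cmd);
    }
}
echo $html;
```

The validation step is what turns the SAST finding from a taint report into a closed path: only a syntactically valid address is ever concatenated, and escapeshellarg() remains as defence in depth.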