Would love an option for the "Banned/Insecure Functions" to display the line of code similar to how the "complex" scans do. Example "Complex" scan result =
HIGH: Potentially Unsafe Code - User Controlled Variable Used on System Command Line
Line: 15 - C:\Users\user\Documents\PHP\Sample3.php
The application appears to allow the use of an unvalidated user-controlled variable when executing a command.
exec("cat /var/log/apache2/access.log | grep " . $cmd); <= see the line of code
"Banned/Insecure Function" example =
STANDARD: Potentially Unsafe Code - exec
Line: 15 - C:\Users\rgabler\Documents\PHP\Sample3.php
This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
<= notice the code isn't shown... I am happy that you made it trivial to go to the file/line # but it would make it a lot quicker if I could see the offending line in results. I would love to see this as an option as I am sure I wouldn't want it on all the checks.
Raymond
P.S. Love the upgrades in 2.0 - keep up the good work.
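A sketch of the requested behaviour, as an added example that is not the scanner's own code: a banned-function check that records the offending source line next to the file/line reference and appends it to the report only when the option is on. The PHP input and the BANNED table are constructed for the example.

```python
import re

# Constructed sample, modelled on the Sample3.php excerpt quoted in the post
SAMPLE_PHP = """<?php
$cmd = $_GET['q'];
// exec() mentioned in a comment should not be reported
exec("cat /var/log/apache2/access.log | grep " . $cmd);
system("ls " . escapeshellarg($cmd));
echo "done";
"""

# Hypothetical banned-function table: function name -> advisory text
BANNED = {
    "exec": "This function allows execution of commands. It is dangerous when "
            "used with user controlled parameters. Conduct a manual review.",
    "system": "This function allows execution of commands. Conduct a manual review.",
}
# Match a bare call such as exec(...) but not $exec, ->exec or ::exec
PATTERN = re.compile(r"(?<![\w$>:])(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def scan_banned(source, path):
    """Return one finding per banned-function call, keeping the offending line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing // comments
        for m in PATTERN.finditer(code):
            findings.append({"func": m.group(1), "line": lineno,
                             "path": path, "code": line.strip()})
    return findings


def format_finding(f, show_code=False):
    """Render a finding in the report style quoted above; optionally add the line."""
    out = [f"STANDARD: Potentially Unsafe Code - {f['func']}",
           f"Line: {f['line']} - {f['path']}",
           BANNED[f["func"]]]
    if show_code:
        out.append(f["code"] + "  <= offending line")
    return "\n".join(out)


if __name__ == "__main__":
    for finding in scan_banned(SAMPLE_PHP, "Sample3.php"):
        print(format_finding(finding, show_code=True), end="\n\n")
```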
Hi Raymond
That should be fairly simple so I'll add it in to the next release.
Thanks
Nick