Maxim Integrated's IoT development kit

Dependencies:   MAX30101 MAX30003 MAX113XX_Pixi MAX30205 max32630fthr USBDevice

Committer: Mahir Ozturk
Date: Tue Mar 13 14:52:59 2018 +0300
Revision: 1:efe9cad8942f
Commit project files

Change-Id: I2188228f2a27e9a13e2407846e48b38c2596caa0

Who changed what in which revision?

User: Mahir Ozturk, Revision: 1:efe9cad8942f (every line of the file was added in this revision). New contents of the file:

// Functions known to cause issues in PHP code.
// To add new issues use the format: function name[=>][[N]][description]
// (where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal'))
//
// NB - function names are case-sensitive for this file
//
// Untrusted Data
$_REQUEST=>Population of PHP's global arrays can result in server side variables being overwritten by user-submitted data. This functionality is best avoided and should be used with extreme caution. Manually review this section of code to ensure safe usage.

// Command execution
shell_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
system=>This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
exec =>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
popen=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
passthru=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
proc_open=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
pcntl_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.

// Code execution
eval =>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
assert =>This function will evaluate PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
preg_replace=>This function will evaluate PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
create_function=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.

// Information disclosure
phpinfo =>This debugging function can expose sensitive data to an attacker. Perform a manual check to ensure that its output data is not visible to normal users.
show_source=>Shows the PHP source

// Development functionality
$_GET['debug']=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
$_GET['test']=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.

// Unsafe Randomisation
mt_rand=>[3]The application uses pseudo-random number generation that is not cryptographically secure. Carry out a manual check to ensure this is not being used in a process that requires cryptographically secure random numbers.

// Insecure cryptographic functions
md5=>[3] MD5 Hashing algorithm.
CRYPT_STD_DES=>[2] Standard DES-based hash with a two character salt.
CRYPT_EXT_DES=>[3] Extended DES-based hash with a 9 character salt.
CRYPT_MD5=>[3] Crypt MD5 function. Whilst this function uses a twelve character salt it is still MD5.
mcrypt_cbc=>[3] Deprecated function. Use mcrypt_generic
mcrypt_cfb=>[3] Deprecated function. Use mcrypt_generic
mcrypt_ecb=>[3] Deprecated function. Use mcrypt_generic
mcrypt_ofb=>[3] Deprecated function. Use mcrypt_generic
mcrypt_generic_end=>[3] Deprecated function. Use mcrypt_generic_deinit()

// File system
fopen
tmpfile
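The header of the file above defines a small rule format (function name, optional `=>`, optional `[N]` severity, description, `//` comments, case-sensitive names). As an added example that is not part of this kit or of the scanner the file was written for, the Python below parses that format and applies the parsed rules to a few lines of PHP, reporting each match with its line, column and severity so a reviewer can triage the flagged call sites. Both the rule text and the PHP source are constructed samples embedded in the script; the matching logic (a name followed by `(` for functions, a literal match for superglobal accesses such as `$_GET['debug']`) is this example's own assumption about how such a list is meant to be applied.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed rule text in the file's own format (a subset of the page's list).
SAMPLE_RULES = """\
// Command execution
shell_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters.
exec =>This function allows execution of commands. It is dangerous when used with user controlled parameters.

// Information disclosure
phpinfo =>This debugging function can expose sensitive data to an attacker.

// Development functionality
$_GET['debug']=>The codebase appears to contain test functionality which may be abused by an attacker.

// Unsafe Randomisation
mt_rand=>[3]The application uses pseudo-random number generation that is not cryptographically secure.

// Insecure cryptographic functions
md5=>[3] MD5 Hashing algorithm.

// File system
fopen
"""

# Constructed PHP input to scan; not taken from any real project.
SAMPLE_PHP = """\
<?php
$load = shell_exec("uptime");
$token = md5(mt_rand());
if (isset($_GET['debug'])) { phpinfo(); }
$fh = fopen("/tmp/app.log", "a");
"""


@dataclass(frozen=True)
class Rule:
    name: str
    severity: int       # 0 = normal (default), 1 = Critical ... 3 = Medium, per the file header
    description: str


@dataclass(frozen=True)
class Finding:
    line_no: int
    column: int
    rule: Rule


# Right-hand side of "=>": optional "[N]" severity, then free-text description.
RULE_RHS_RE = re.compile(r"^\s*(?:\[(\d)\])?\s*(.*)$")


def parse_rules(text: str) -> List[Rule]:
    """Parse 'name[=>][[N]][description]' lines; '//' lines and blanks are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        name, sep, rest = line.partition("=>")
        name = name.strip()                     # tolerate "exec =>" style spacing
        severity, description = 0, ""
        if sep:
            m = RULE_RHS_RE.match(rest)
            if m.group(1) is not None:
                severity = int(m.group(1))
            description = m.group(2).strip()
        rules.append(Rule(name, severity, description))
    return rules


def compile_pattern(rule: Rule) -> "re.Pattern[str]":
    """Build a case-sensitive matcher (the file says names are case-sensitive)."""
    if rule.name.startswith("$"):
        # Superglobal access such as $_GET['debug']: match the literal text.
        return re.compile(re.escape(rule.name))
    # Function call: the name, not preceded by an identifier char or '$'
    # (so shell_exec( does not trigger the exec rule), followed by '('.
    return re.compile(r"(?<![\w$])" + re.escape(rule.name) + r"\s*\(")


def scan_php(source: str, rules: List[Rule]) -> List[Finding]:
    """Return every rule hit in source, ordered by line then column."""
    patterns = [(rule, compile_pattern(rule)) for rule in rules]
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pat in patterns:
            for m in pat.finditer(line):
                findings.append(Finding(line_no, m.start(), rule))
    findings.sort(key=lambda f: (f.line_no, f.column))
    return findings


def format_report(findings: List[Finding]) -> str:
    """One line per finding: location, severity and the rule's description."""
    return "\n".join(
        f"line {f.line_no}, col {f.column}: {f.rule.name} [severity {f.rule.severity}] {f.rule.description}"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(scan_php(SAMPLE_PHP, parse_rules(SAMPLE_RULES))))
```

Rules without a `=>` (such as `fopen`) parse with severity 0 and an empty description, matching the header's "optionally, 0 for 'normal'" default; a real scanner would still want a manual review of each hit, since this list flags call sites rather than proving a defect.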