Maxim Integrated's IoT development kit
Dependencies: MAX30101 MAX30003 MAX113XX_Pixi MAX30205 max32630fthr USBDevice
tools/VisualCodeGrepper-2.1.0/phpfunctions.conf@1:efe9cad8942f, 2018-03-13 (annotated)
- Committer: Mahir Ozturk
- Date: Tue Mar 13 14:52:59 2018 +0300
- Revision: 1:efe9cad8942f
Commit project files
Change-Id: I2188228f2a27e9a13e2407846e48b38c2596caa0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| Mahir Ozturk | 1:efe9cad8942f | 1 | // Functions known to cause issues in PHP code. |
| Mahir Ozturk | 1:efe9cad8942f | 2 | // To add new issues use the format: function name[=>][[N]][description] |
| Mahir Ozturk | 1:efe9cad8942f | 3 | // (where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal')) |
| Mahir Ozturk | 1:efe9cad8942f | 4 | // |
| Mahir Ozturk | 1:efe9cad8942f | 5 | // NB - function names are case-sensitive for this file |
| Mahir Ozturk | 1:efe9cad8942f | 6 | // |
| Mahir Ozturk | 1:efe9cad8942f | 7 | // Untrusted Data |
| Mahir Ozturk | 1:efe9cad8942f | 8 | $_REQUEST=>Population of PHP's global arrays can result in server side variables being overwritten by user-submitted data. This functionality is best avoided and should be used with extreme caution. Manually review this section of code to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 9 | |
| Mahir Ozturk | 1:efe9cad8942f | 10 | // Command execution |
| Mahir Ozturk | 1:efe9cad8942f | 11 | shell_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 12 | system=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 13 | exec =>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 14 | popen=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 15 | passthru=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 16 | proc_open=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 17 | pcntl_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 18 | |
| Mahir Ozturk | 1:efe9cad8942f | 19 | // Code execution |
| Mahir Ozturk | 1:efe9cad8942f | 20 | eval =>This function evaluates a string as PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 21 | assert =>This function will evaluate PHP code when passed a string. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 22 | preg_replace=>This function will evaluate PHP code when called with the /e pattern modifier (removed in PHP 7.0). It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 23 | create_function=>This function evaluates its string arguments as PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage. |
| Mahir Ozturk | 1:efe9cad8942f | 24 | |
| Mahir Ozturk | 1:efe9cad8942f | 25 | // Information disclosure |
| Mahir Ozturk | 1:efe9cad8942f | 26 | phpinfo =>This debugging function can expose sensitive data to an attacker. Perform a manual check to ensure that its output data is not visible to normal users. |
| Mahir Ozturk | 1:efe9cad8942f | 27 | show_source=>Shows the PHP source of the named file (alias of highlight_file). It is dangerous when used with user controlled paths. |
| Mahir Ozturk | 1:efe9cad8942f | 28 | |
| Mahir Ozturk | 1:efe9cad8942f | 29 | // Development functionality |
| Mahir Ozturk | 1:efe9cad8942f | 30 | $_GET['debug']=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable. |
| Mahir Ozturk | 1:efe9cad8942f | 31 | $_GET['test']=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable. |
| Mahir Ozturk | 1:efe9cad8942f | 32 | |
| Mahir Ozturk | 1:efe9cad8942f | 33 | // Unsafe Randomisation |
| Mahir Ozturk | 1:efe9cad8942f | 34 | mt_rand=>[3]The application uses pseudo-random number generation that is not cryptographically secure. Carry out a manual check to ensure this is not being used in a process that requires cryptographically secure random numbers. |
| Mahir Ozturk | 1:efe9cad8942f | 35 | |
| Mahir Ozturk | 1:efe9cad8942f | 36 | // Insecure cryptographic functions |
| Mahir Ozturk | 1:efe9cad8942f | 37 | md5=>[3] MD5 hashing algorithm. Collision-broken and unsuitable for password storage or integrity protection. |
| Mahir Ozturk | 1:efe9cad8942f | 38 | CRYPT_STD_DES=>[2] Standard DES-based hash with a two character salt. |
| Mahir Ozturk | 1:efe9cad8942f | 39 | CRYPT_EXT_DES=>[3] Extended DES-based hash with a 9 character salt. |
| Mahir Ozturk | 1:efe9cad8942f | 40 | CRYPT_MD5=>[3] Crypt MD5 function. Whilst this function uses a twelve character salt it is still MD5. |
| Mahir Ozturk | 1:efe9cad8942f | 41 | mcrypt_cbc=>[3] Deprecated function. Use mcrypt_generic |
| Mahir Ozturk | 1:efe9cad8942f | 42 | mcrypt_cfb=>[3] Deprecated function. Use mcrypt_generic |
| Mahir Ozturk | 1:efe9cad8942f | 43 | mcrypt_ecb=>[3] Deprecated function. Use mcrypt_generic |
| Mahir Ozturk | 1:efe9cad8942f | 44 | mcrypt_ofb=>[3] Deprecated function. Use mcrypt_generic |
| Mahir Ozturk | 1:efe9cad8942f | 45 | mcrypt_generic_end=>[3] Deprecated function. Use mcrypt_generic_deinit() |
| Mahir Ozturk | 1:efe9cad8942f | 46 | |
| Mahir Ozturk | 1:efe9cad8942f | 47 | // File system |
| Mahir Ozturk | 1:efe9cad8942f | 48 | fopen |
| Mahir Ozturk | 1:efe9cad8942f | 49 | tmpfile |
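The file above is a rule list in VisualCodeGrepper's `function name[=>][[N]][description]` format, with an optional `[N]` severity and a note that names are matched case-sensitively. The following is an added example, not part of the page or of the VCG tool: a small Python reimplementation of that format's parser and of the grep-style scan VCG performs with it. The `SAMPLE_CONF` excerpt and the `SAMPLE_PHP` snippet are constructed here to exercise the code; the regex, the `Rule` type and the `scan_php` helper are this example's own choices, not VCG's implementation. It also shows the practitioner caveat the `NB` line implies: PHP resolves function names case-insensitively, so a case-sensitive rule list silently misses `SYSTEM("id")`, and a plain text match cannot tell an injectable `shell_exec` from one whose argument was quoted with `escapeshellarg`, which is why every hit in this format ends in "conduct a manual review".

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the phpfunctions.conf format; this is not the
# complete VCG rule file, only enough lines to exercise the parser.
SAMPLE_CONF = """\
// Untrusted Data
$_REQUEST=>Population of PHP's global arrays can result in server side variables being overwritten by user-submitted data.

// Command execution
shell_exec=>This function allows execution of commands.
system=>This function allows execution of commands.
exec =>This function allows execution of commands.

// Unsafe Randomisation
mt_rand=>[3]The application uses pseudo-random number generation that is not cryptographically secure.

// Insecure cryptographic functions
md5=>[3] MD5 Hashing algorithm.

// File system
fopen
"""


@dataclass(frozen=True)
class Rule:
    name: str         # exact text the scanner looks for (case-sensitive, per the NB in the file)
    severity: int     # 1 = Critical .. 3 = Medium; 0 = 'normal' when no [N] is given
    description: str  # free text reported with the hit (may be empty, e.g. the bare 'fopen' line)


# name, then optionally '=>', an optional '[N]' severity and a description
RULE_RE = re.compile(r"^(?P<name>[^=]+?)\s*(?:=>\s*(?:\[(?P<sev>\d)\])?\s*(?P<desc>.*))?$")


def parse_conf(text):
    """Parse 'function name[=>][[N]][description]' lines into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):   # blank lines and // comments carry no rule
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule line: {raw!r}")
        sev = int(m.group("sev")) if m.group("sev") else 0
        rules.append(Rule(m.group("name"), sev, (m.group("desc") or "").strip()))
    return rules


def rule_pattern(rule, case_sensitive=True):
    """Build the regex that marks a hit for one rule (this example's choice, not VCG's code).

    Function names must be followed by '(' and must not be preceded by an
    identifier character, so the 'exec' rule does not fire inside 'shell_exec('
    or 'escapeshellarg('.  Entries starting with '$' ($_REQUEST, $_GET['debug'])
    are matched as literal text.
    """
    body = re.escape(rule.name)
    if not rule.name.startswith("$"):
        body += r"\s*\("
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile(r"(?<![\w$])" + body, flags)


def scan_php(source, rules, case_sensitive=True):
    """Return (line number, rule name, severity) for every hit, in file order."""
    compiled = [(r, rule_pattern(r, case_sensitive)) for r in rules]
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pat in compiled:
            if pat.search(line):
                findings.append((lineno, rule.name, rule.severity))
    return findings


# Constructed PHP snippet exercising the rules above; not code from the page.
SAMPLE_PHP = r"""<?php
$host = $_REQUEST['host'];                                  // untrusted input
$out  = shell_exec("ping -c 1 " . $host);                   // injectable sink
$safe = shell_exec("ping -c 1 " . escapeshellarg($host));   // quoted, but a text match cannot tell
$tok  = mt_rand();                                          // weak token source
$fh   = fopen("/tmp/" . $host, "w");                        // path built from input
SYSTEM("id");                                               // PHP resolves this; a case-sensitive list does not
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for lineno, name, sev in scan_php(SAMPLE_PHP, rules):
        print(f"line {lineno}: {name} (severity {sev or 'normal'})")
```

With the default case-sensitive matching the scan reports lines 2 through 6 and stays silent on `SYSTEM("id")` on line 7; passing `case_sensitive=False` adds that hit. Both `shell_exec` calls are reported with the same severity, so the quoted one is a finding a reviewer has to close by hand.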