High
Showing all detectors for the PHP language with high severity.
The application does not validate a URL (or a comparable request parameter) received from an upstream component before acting on it, so an attacker can influence which resource the function reaches and what payload it processes.
The use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.
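As an added example (not the detector's own code), here is the flagged pattern beside its fix. The PDO connection `$pdo`, the `users` table and the column names are assumptions for illustration:

```php
<?php
// Added example: user-controlled $id in a SQL query.
// Assumes a PDO connection in $pdo and a users table (both hypothetical).

// VULNERABLE: the value is concatenated into the statement, so
// id=1 OR 1=1 returns every row and id=1; DROP TABLE users may do worse.
function findUserUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT id, email FROM users WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: a prepared statement keeps data out of the SQL grammar entirely.
function findUserSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT id, email FROM users WHERE id = :id");
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (table/column names, sort direction) cannot be bound as
// parameters; restrict them to an allowlist instead of interpolating input.
function orderedUsers(PDO $pdo, string $column): array
{
    $allowed = ['id', 'email', 'created_at'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $pdo->query("SELECT id, email FROM users ORDER BY {$column}");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection so the driver sends real server-side prepared statements rather than client-side escaped strings.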
Set APP_DEBUG = false in production; with debug enabled, error pages expose stack traces, environment variables and other configuration details.
The phpinfo() function may reveal sensitive information about your environment.
Improper output neutralization for logs: writing unsanitized user input to a log lets an attacker forge entries (for example, by embedding newlines) or corrupt the log format.
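An added example of the log-forging problem and a neutralizer (this is illustrative code, not the detector's; the log line format is an assumption):

```php
<?php
// Added example: neutralising user input before it reaches a log line.

// VULNERABLE: a username of "alice\n[...] login ok for admin" produces a
// second, forged entry that log parsers and humans will believe.
function logLoginUnsafe(string $user, string $outcome): string
{
    return sprintf("[%s] login %s for %s", date('c'), $outcome, $user);
}

// FIXED: replace CR, LF and other control bytes, cap the length, and quote
// the field so its boundaries cannot be faked with spaces.
function sanitizeForLog(string $value, int $max = 200): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]/', '?', $value);
    if (strlen($value) > $max) {
        $value = substr($value, 0, $max) . '...';
    }
    return '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $value) . '"';
}

function logLoginSafe(string $user, string $outcome): string
{
    return sprintf("[%s] login %s for user=%s", date('c'), $outcome, sanitizeForLog($user));
}

// Constructed attacker input: a newline followed by a fake entry.
$payload = "alice\n[" . date('c') . "] login ok for admin";
echo logLoginUnsafe($payload, 'failed'), PHP_EOL;   // two lines, one forged
echo logLoginSafe($payload, 'failed'), PHP_EOL;     // one line; the newline shows as "?"
```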
Not verifying the origin of messages (for example, the origin of a postMessage event) and the identity of the other party in cross-origin communication can lead to security vulnerabilities.
Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.
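An added example (not from the page) showing why the encoding must match the output context; `e()`, `jsLiteral()` and `safeHref()` are hypothetical helper names:

```php
<?php
// Added example: context-aware output encoding for user-controlled data.

// VULNERABLE: raw echo; name=<script>alert(1)</script> executes in the browser.
function greetUnsafe(string $name): string
{
    return "<p>Hello, {$name}</p>";
}

// FIXED for HTML body and attribute contexts: encodes < > & " '.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function greetSafe(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>';
}

// A value placed inside inline JavaScript needs a different encoder: the
// JSON_HEX_* flags keep </script> and quotes from breaking out of the literal.
function jsLiteral(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A user-supplied URL in href must also be limited to safe schemes;
// "javascript:" survives HTML escaping unchanged.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

$evil = '<script>alert(1)</script>';
echo greetUnsafe($evil), PHP_EOL;
echo greetSafe($evil), PHP_EOL;                                   // &lt;script&gt;...
echo '<script>var n = ', jsLiteral($evil), ';</script>', PHP_EOL; // "\u003Cscript\u003E..."
echo '<a href="', safeHref('javascript:alert(1)'), '">x</a>', PHP_EOL; // href="#"
```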
Identifies the use of the deprecated Mcrypt functions in PHP (deprecated in 7.1, removed in 7.2), encouraging a switch to secure alternatives such as the OpenSSL or Sodium extensions.
Creating file paths from untrusted input might give a malicious actor access to sensitive files.
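An added example (not the detector's code) of confining a user-supplied filename to one directory; the uploads directory and the sample file are constructed here:

```php
<?php
// Added example: path traversal and its fix via realpath() + prefix check.

// VULNERABLE: name=../../etc/passwd walks out of the uploads directory.
function readUploadUnsafe(string $baseDir, string $name)
{
    return file_get_contents($baseDir . '/' . $name);
}

// FIXED: reject anything that is not a plain filename, then resolve the
// path and require it to remain under the base directory.
function readUploadSafe(string $baseDir, string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name) || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('invalid filename');
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() also resolves symlinks, so a link pointing at /etc/passwd
    // fails the prefix check even though its name looked harmless.
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('access denied');
    }
    return file_get_contents($full);
}

// Constructed fixture.
$dir = sys_get_temp_dir() . '/uploads_demo';
@mkdir($dir);
file_put_contents("$dir/report.txt", "quarterly numbers\n");

echo readUploadSafe($dir, 'report.txt');
foreach (['../../etc/passwd', '..', 'a/b.txt', 'missing.txt'] as $bad) {
    try {
        readUploadSafe($dir, $bad);
    } catch (Exception $e) {
        echo "$bad: {$e->getMessage()}\n";
    }
}
```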
Maintain application stability by exiting PHP scripts gracefully and handling exceptions, so that errors neither leak details nor leave the application in an inconsistent state.
OS command injection from untrusted input.
Use type-safe comparison (=== or hash_equals()) for security-sensitive checks; loose == comparison is subject to PHP type juggling.
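An added example (not from the page) of the type-juggling failure and the safe comparison. The two hash values are the well-known md5 outputs of the strings noted in the comments:

```php
<?php
// Added example: why loose comparison is unsafe for secrets.

// Both md5 digests have the form "0e<digits>", which == parses as the float
// 0.0 on each side, so unrelated hashes compare equal ("magic hash").
$a = '0e462097431906509019562988736854';   // md5('240610708')
$b = '0e830400451993494058024219903391';   // md5('QNKCDZO')
var_dump($a == $b);    // bool(true)   wrong
var_dump($a === $b);   // bool(false)  correct
var_dump('0' == false); // bool(true): another juggling surprise

// Before PHP 8, '1abc' == 1 was also true, so comparing a token against an
// integer could pass for junk input.

// VULNERABLE: loose comparison, and a timing that depends on the first
// differing byte.
function tokenMatchesUnsafe(string $supplied, string $expected): bool
{
    return $supplied == $expected;
}

// FIXED: hash_equals() compares strictly and in time independent of where
// the strings differ. Pass the known value first.
function tokenMatchesSafe(string $supplied, string $expected): bool
{
    return hash_equals($expected, $supplied);
}

var_dump(tokenMatchesUnsafe($a, $b));  // bool(true)
var_dump(tokenMatchesSafe($a, $b));    // bool(false)
```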
Uncovered an anonymous LDAP bind, posing a risk of unauthorized execution of LDAP statements. Strengthen LDAP security by enforcing authentication.
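An added example (not the detector's code) of the anonymous bind and an authenticated replacement. The server URI, DN layout and service account are assumptions:

```php
<?php
// Added example: refusing anonymous and "unauthenticated" LDAP binds.

// VULNERABLE: ldap_bind() without DN and password is an anonymous bind;
// many directories accept it and let the caller read user entries.
function ldapConnectUnsafe(string $uri)
{
    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_bind($conn);   // anonymous
    return $conn;
}

// FIXED: bind with a service account over LDAPS or StartTLS, and never pass
// an empty password: RFC 4513 treats "DN + empty password" as an
// unauthenticated bind, which succeeds without checking any credential.
function ldapConnectSafe(string $uri, string $bindDn, string $password)
{
    if ($bindDn === '' || $password === '') {
        throw new InvalidArgumentException('bind DN and password are required');
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException('bad LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (str_starts_with($uri, 'ldap://') && !ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    if (!@ldap_bind($conn, $bindDn, $password)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

// The same rule applies when verifying a user's password by binding as them:
// an empty password would "succeed" as an unauthenticated bind.
function verifyUserPassword($conn, string $userDn, string $password): bool
{
    return $password !== '' && @ldap_bind($conn, $userDn, $password);
}
```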
Functions that receive untrusted user data must validate and sanitize their input before using it.
Executing assert() with user-provided input is equivalent to dynamic code evaluation: before PHP 8, a string argument was evaluated as PHP code.
Weak file permissions can lead to privilege escalation.
The wp_ajax_priv_upload and wp_ajax_nopriv_upload hooks allow developers to define callbacks for authenticated and anonymous AJAX requests; a callback registered on the nopriv hook runs for unauthenticated requests, so it must not perform privileged actions, and neither hook checks a nonce or capability for you.
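An added example (not from the page or WordPress core) of an AJAX handler registered both ways, beside a hardened version. It assumes a WordPress runtime; the action name "upload", the option name and the capability are assumptions, and WordPress itself names these hooks wp_ajax_{action} and wp_ajax_nopriv_{action}:

```php
<?php
// Added example: WordPress AJAX handler, insecure and hardened variants.

// VULNERABLE: the same callback on both hooks means anyone, logged in or
// not, can trigger it, and it checks neither a nonce nor a capability.
add_action('wp_ajax_upload', 'demo_handle_upload');
add_action('wp_ajax_nopriv_upload', 'demo_handle_upload');
function demo_handle_upload() {
    $url = esc_url_raw(wp_unslash($_POST['url'] ?? ''));
    update_option('demo_banner_url', $url);
    wp_send_json_success(['stored' => $url]);
}

// FIXED: authenticated users only (no nopriv registration), a nonce bound to
// this action against CSRF, and a capability check for authorization. The
// nonce alone is not authorization.
add_action('wp_ajax_upload_safe', 'demo_handle_upload_safe');
function demo_handle_upload_safe() {
    check_ajax_referer('demo_upload_action', 'nonce'); // dies with 403 if invalid

    if (!current_user_can('upload_files')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    $url = esc_url_raw(wp_unslash($_POST['url'] ?? ''));
    $scheme = wp_parse_url($url, PHP_URL_SCHEME);
    if ($url === '' || !in_array($scheme, ['http', 'https'], true)) {
        wp_send_json_error(['message' => 'invalid URL'], 400);
    }
    update_option('demo_banner_url', $url);
    wp_send_json_success(['stored' => $url]);
}

// The page that issues the request receives the nonce, e.g. through
// wp_localize_script(): wp_create_nonce('demo_upload_action').
```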
Connections that use insecure protocols transmit data in cleartext, which can leak sensitive information.
Use secure random functions like random_bytes() instead of non-cryptographic PRNGs in security code.
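An added example (not the detector's code) of token generation with the non-cryptographic functions beside the CSPRNG-backed replacements; the token lengths are assumptions:

```php
<?php
// Added example: generating tokens with a CSPRNG instead of rand()/mt_rand().

// VULNERABLE: mt_rand() output can be recovered from a few observed values,
// and uniqid() is derived from the clock; hashing does not add entropy.
function resetTokenUnsafe(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// FIXED: random_bytes() reads from the operating system's CSPRNG.
function resetTokenSafe(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));   // 256 bits, URL-safe hex
}

// Unbiased selection from an alphabet: random_int() avoids the modulo bias
// you get from ord(random_bytes(1)) % strlen($alphabet).
function randomCode(int $length, string $alphabet = '0123456789'): string
{
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Both functions throw if no secure source is available; let that propagate
// rather than falling back to mt_rand().
echo resetTokenSafe(), PHP_EOL;
echo randomCode(6), PHP_EOL;
```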
Redirecting to the current request URL might send the user to another domain: a path beginning with two slashes (//evil.example/) is interpreted by browsers as a scheme-relative URL to that host.
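An added example (not from the page) showing the scheme-relative redirect and a check that only accepts a local path. The request URIs are constructed to simulate the attack:

```php
<?php
// Added example: "redirect back to the current URL" done safely.

// VULNERABLE: REQUEST_URI is attacker-influenced; a request for
// //evil.example/ yields "Location: //evil.example/", which browsers follow
// as https://evil.example/.
function redirectBackUnsafe(string $requestUri): string
{
    return 'Location: ' . $requestUri;
}

// FIXED: accept only a path that starts with exactly one slash, contains no
// backslash (some browsers normalise "/\" to "//"), and parses with no
// scheme or host; otherwise fall back to a fixed local page.
function safeLocalPath(string $requestUri, string $fallback = '/'): string
{
    if ($requestUri === '' || $requestUri[0] !== '/') {
        return $fallback;
    }
    if (isset($requestUri[1]) && ($requestUri[1] === '/' || $requestUri[1] === '\\')) {
        return $fallback;
    }
    if (strpbrk($requestUri, "\\\r\n") !== false) {
        return $fallback;
    }
    if (parse_url($requestUri, PHP_URL_SCHEME) !== null || parse_url($requestUri, PHP_URL_HOST) !== null) {
        return $fallback;
    }
    return $requestUri;
}

function redirectBackSafe(string $origin, string $requestUri): string
{
    return 'Location: ' . $origin . safeLocalPath($requestUri);
}

$origin = 'https://app.example';
foreach (['/account?tab=1', '//evil.example/', '/\\evil.example', 'https://evil.example/x'] as $uri) {
    echo str_pad($uri, 24), ' => ', redirectBackSafe($origin, $uri), PHP_EOL;
}
```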
Fetching unvalidated URLs (for example with file_get_contents() while allow_url_fopen is enabled) enables server-side request forgery attacks.
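An added example (not the detector's code) of validating an outbound URL before fetching it; the permitted schemes and ports are assumptions, and the caveat about DNS rebinding is noted in the comments:

```php
<?php
// Added example: SSRF guard for a user-supplied URL.

// VULNERABLE: with allow_url_fopen=1 this fetches file://, the cloud
// metadata service at http://169.254.169.254/, internal hosts, and so on.
function fetchUnsafe(string $url)
{
    return file_get_contents($url);
}

function isPublicIp(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // NO_RES_RANGE rejects 127/8, 169.254/16, 0/8, ::1, fe80::/10 and similar.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function validateOutboundUrl(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host']) || isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');   // no file:, ftp:, php:
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        throw new InvalidArgumentException('port not allowed');
    }
    // Resolve now and check every address, so a hostname pointing at an
    // internal IP is caught. DNS rebinding between this check and the real
    // connection remains possible; pin the resolved IP when fetching.
    $host = strtolower(trim($p['host'], '[]'));
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        throw new InvalidArgumentException('host does not resolve');
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            throw new InvalidArgumentException("host resolves to non-public address $ip");
        }
    }
    return $url;
}

function fetchSafe(string $url)
{
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,   // a 302 to http://127.0.0.1/ would bypass the check
        'timeout'         => 5,
    ]]);
    return file_get_contents(validateOutboundUrl($url), false, $ctx);
}

foreach (['file:///etc/passwd', 'http://169.254.169.254/latest/meta-data/', 'http://127.0.0.1:8080/'] as $u) {
    try {
        validateOutboundUrl($u);
    } catch (InvalidArgumentException $e) {
        echo "$u -> {$e->getMessage()}\n";
    }
}
```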
Use of a broken or risky cryptographic algorithm (such as MD5, SHA-1 or DES for security purposes).
Passing unsanitized user input to unserialize() allows PHP object injection; sanitize or, better, avoid deserializing untrusted data.
Sensitive cookie without 'HttpOnly' flag
Avoid running dynamic commands to prevent command injection vulnerabilities.
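An added example (not from the page) covering both the OS command injection detector above and this dynamic-command detector: the injectable call, a partial fix that still permits argument injection, and a shell-free spawn. The image tool and the filenames are constructed:

```php
<?php
// Added example: command construction from user input.

// VULNERABLE: file="x.png; id" or "x.png $(id)" runs attacker commands via /bin/sh.
function thumbnailUnsafe(string $file)
{
    return shell_exec("convert " . $file . " -resize 100x100 thumb.png");
}

// Better but not enough: escapeshellarg() stops shell injection, yet a name
// such as "-version" or "@secret.txt" is still interpreted by the program
// itself (argument injection), and the shell is still in the loop.
function thumbnailArgInjectable(string $file)
{
    return shell_exec("convert " . escapeshellarg($file) . " -resize 100x100 thumb.png");
}

// FIXED: allowlist the value (leading alphanumeric, known extension) and
// spawn with an argv array (PHP >= 7.4), which bypasses the shell entirely
// so no metacharacter is ever interpreted.
function thumbnailSafe(string $file): string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.(png|jpe?g)\z/', $file)) {
        throw new InvalidArgumentException('invalid image name');
    }
    $argv = ['convert', $file, '-resize', '100x100', 'thumb.png'];
    $p = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($p)) {
        throw new RuntimeException('spawn failed');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($p) !== 0) {
        throw new RuntimeException("convert failed: $err");
    }
    return $out;
}

foreach (['x.png; id', '-version', 'photo.jpg'] as $name) {
    try {
        echo "$name: ", strlen(thumbnailSafe($name)), " bytes\n";
    } catch (Exception $e) {
        echo "$name: {$e->getMessage()}\n";
    }
}
```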
Expanding unverified archive files without controlling the size of the expanded data can lead to zip bomb attacks.
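An added example (not the detector's code) of bounded extraction with ZipArchive: declared sizes are checked first, but since headers can lie, the bytes actually produced are counted too. The limits and destination directory are assumptions:

```php
<?php
// Added example: extracting an untrusted zip with size, count and name limits.

// VULNERABLE: extractTo() writes every entry with no limit on count or
// expanded size, and nothing here inspects entry names.
function extractUnsafe(string $zipPath, string $dest): bool
{
    $z = new ZipArchive();
    return $z->open($zipPath) === true && $z->extractTo($dest);
}

function extractBounded(string $zipPath, string $dest, int $maxFiles = 1000,
                        int $maxTotal = 50 * 1024 * 1024, int $maxRatio = 100): void
{
    $z = new ZipArchive();
    if ($z->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    if ($z->numFiles > $maxFiles) {
        throw new RuntimeException('too many entries');
    }

    // Pass 1: cheap checks on the central directory (untrusted metadata).
    $declared = 0;
    for ($i = 0; $i < $z->numFiles; $i++) {
        $st = $z->statIndex($i);
        if ($st['comp_size'] > 0 && $st['size'] / $st['comp_size'] > $maxRatio) {
            throw new RuntimeException("suspicious compression ratio in {$st['name']}");
        }
        $declared += $st['size'];
        if ($declared > $maxTotal) {
            throw new RuntimeException('declared size exceeds limit');
        }
        $parts = explode('/', str_replace('\\', '/', $st['name']));
        if ($st['name'] === '' || str_contains($st['name'], "\0")
            || str_starts_with($st['name'], '/') || in_array('..', $parts, true)) {
            throw new RuntimeException("unsafe entry name: {$st['name']}");
        }
    }

    // Pass 2: stream each entry and count the bytes really produced.
    $written = 0;
    for ($i = 0; $i < $z->numFiles; $i++) {
        $name = $z->getNameIndex($i);
        if (str_ends_with($name, '/')) {
            continue;   // directory entry
        }
        $in = $z->getStream($name);
        if ($in === false) {
            throw new RuntimeException("cannot read $name");
        }
        $target = $dest . '/' . $name;
        @mkdir(dirname($target), 0750, true);
        $out = fopen($target, 'wb');
        while (!feof($in)) {
            $chunk = fread($in, 65536);
            $written += strlen($chunk);
            if ($written > $maxTotal) {
                fclose($in);
                fclose($out);
                unlink($target);
                throw new RuntimeException('expanded data exceeds limit (zip bomb?)');
            }
            fwrite($out, $chunk);
        }
        fclose($in);
        fclose($out);
    }
    $z->close();
}
```

Nested archives (a zip inside a zip) need the same limits applied recursively, with a depth cap.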
Use of externally-controlled input in reflection.
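An added example (not from the page) of input-driven instantiation and reflection beside a closed registry. The exporter classes and the `format` parameter are assumptions:

```php
<?php
// Added example: controlling dynamic instantiation and method invocation.

interface Exporter
{
    public function run(array $rows): string;
}

class CsvExport implements Exporter
{
    public function run(array $rows): string
    {
        return implode("\n", array_map(fn($r) => implode(',', $r), $rows));
    }
}

class JsonExport implements Exporter
{
    public function run(array $rows): string
    {
        return json_encode($rows);
    }
}

// VULNERABLE: ?class=AnyLoadedClass&method=anything instantiates and calls
// whatever the attacker names, including classes with dangerous constructors.
function exportUnsafe(string $class, string $method, array $rows): string
{
    $obj = new $class();
    return (new ReflectionMethod($obj, $method))->invoke($obj, $rows);
}

// FIXED: map an input key to a closed registry and verify the resolved
// class implements the expected interface; input is never used as a symbol.
const EXPORTERS = ['csv' => CsvExport::class, 'json' => JsonExport::class];

function exportSafe(string $format, array $rows): string
{
    if (!array_key_exists($format, EXPORTERS)) {
        throw new InvalidArgumentException('unknown format');
    }
    $class = EXPORTERS[$format];
    if (!is_subclass_of($class, Exporter::class)) {
        throw new LogicException("$class is not an Exporter");
    }
    return (new $class())->run($rows);
}

$rows = [['id', 'name'], [1, 'alice']];
echo exportSafe('csv', $rows), PHP_EOL;
try {
    exportSafe('SplFileObject', $rows);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```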
Validate process-signaling parameters (for example the process ID and signal passed to posix_kill()) to prevent application instability and potential denial of service.
Deserialization of untrusted data can lead to security vulnerabilities, such as inadvertently running remote code.
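An added example (not the detector's code) serving both the object-injection item above and this deserialization item: a gadget class, the attacker-crafted payload, and two safer alternatives. The class, cookie value and HMAC key are constructed for illustration:

```php
<?php
// Added example: PHP object injection via unserialize(), and safe alternatives.

class CacheEntry
{
    public string $file = '';
    // A "gadget": any loaded class with side effects in a magic method
    // becomes reachable the moment untrusted data hits unserialize().
    public function __destruct()
    {
        if ($this->file !== '') {
            echo "[would delete {$this->file}]\n";
        }
    }
}

// VULNERABLE: the blob comes straight from a cookie.
function loadPrefsUnsafe(string $cookie): mixed
{
    return unserialize(base64_decode($cookie));
}

// Constructed attacker payload naming the gadget class.
$payload = base64_encode('O:10:"CacheEntry":1:{s:4:"file";s:13:"/var/www/.env";}');
loadPrefsUnsafe($payload);   // the __destruct side effect fires

// SAFER 1: forbid all classes; objects become __PHP_Incomplete_Class and
// no magic methods run. Bound the nesting depth as well.
function loadPrefsNoClasses(string $cookie): mixed
{
    return unserialize(base64_decode($cookie), ['allowed_classes' => false, 'max_depth' => 8]);
}

// SAFER 2 (preferred): a data-only format with an HMAC, so the client
// cannot tamper with the blob at all.
function signPrefs(array $prefs, string $key): string
{
    $json = json_encode($prefs, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function loadPrefsSigned(string $cookie, string $key): array
{
    [$b64, $mac] = explode('.', $cookie, 2) + [1 => ''];
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        throw new RuntimeException('invalid or tampered preferences');
    }
    return json_decode($json, true, 8, JSON_THROW_ON_ERROR);
}

$key = random_bytes(32);   // constructed; store it outside the web root in practice
$cookie = signPrefs(['theme' => 'dark'], $key);
var_dump(loadPrefsSigned($cookie, $key));
var_dump(loadPrefsNoClasses($payload) instanceof __PHP_Incomplete_Class);  // bool(true)
```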
Using a static initialization vector (IV) for a cryptographic cipher is security-sensitive: the same plaintext always produces the same ciphertext, which leaks when two messages are equal.
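An added example (not from the page) that serves the Mcrypt, weak-algorithm and static-IV detectors together: the legacy call, a demonstration of what a fixed IV leaks, and a libsodium replacement with a fresh nonce and authentication. Keys and messages are constructed; it assumes ext/openssl and ext/sodium:

```php
<?php
// Added example: static IV leak and an authenticated, nonce-per-message fix.

// Legacy mcrypt call (removed in PHP 7.2): unauthenticated CBC, and mcrypt
// silently zero-padded short keys.
//   $ct = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plain, MCRYPT_MODE_CBC, $iv);

// STATIC IV: identical messages yield identical ciphertext, so an observer
// learns when two records are equal without decrypting anything.
function encryptStaticIv(string $plain, string $key): string
{
    $iv = str_repeat("\0", 16);   // constant IV: the flagged pattern
    return openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// FIXED: libsodium secretbox (XSalsa20-Poly1305), a random 24-byte nonce per
// message, and a MAC so tampering is rejected instead of decrypting to garbage.
function encryptSecretbox(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);   // nonce is public
}

function decryptSecretbox(string $blob, string $key): string
{
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('ciphertext too short');
    }
    $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

$key = random_bytes(32);   // or sodium_crypto_secretbox_keygen()

var_dump(encryptStaticIv('hello', $key) === encryptStaticIv('hello', $key));   // true: leak
var_dump(encryptSecretbox('hello', $key) === encryptSecretbox('hello', $key)); // false

$blob = encryptSecretbox('account balance: 42', $key);
var_dump(decryptSecretbox($blob, $key));

$tampered = $blob;
$tampered[-1] = chr(ord($tampered[-1]) ^ 0x01);   // flip one ciphertext bit
try {
    decryptSecretbox($tampered, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;   // authentication failed
}

// Other choices the weak-algorithm detector flags: md5()/sha1() for passwords
// (use password_hash()), DES, RC4, and ECB mode.
```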
Make input validation checks cover every possible input, rather than relying on the assumption that invalid input will simply cause an error.
Insecure cookies can lead to unencrypted transmission of sensitive data.
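An added example (not the detector's code) covering both the HttpOnly and the Secure cookie detectors: the unflagged call beside the options-array form, plus the equivalent session settings. The cookie name and value are constructed:

```php
<?php
// Added example: cookie attributes that the two cookie detectors look for.

$value = bin2hex(random_bytes(16));   // constructed session identifier

// VULNERABLE: no flags; readable by script (XSS -> session theft) and sent
// over plain http:// (readable by a network attacker).
setcookie('sid', $value);

// FIXED: the options-array form (PHP >= 7.3). The __Host- prefix makes the
// browser enforce Secure, Path=/ and no Domain, so the cookie cannot be
// overwritten by a sibling subdomain.
setcookie('__Host-sid', $value, [
    'expires'  => 0,        // session cookie
    'path'     => '/',
    'domain'   => '',       // host-only
    'secure'   => true,     // never sent over cleartext HTTP
    'httponly' => true,     // invisible to document.cookie
    'samesite' => 'Lax',    // CSRF mitigation; 'Strict' if no cross-site entry is needed
]);

// The same attributes for PHP's own session cookie, set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
session_start();
```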
The software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor.
Overrides Eloquent's mass assignment protection by setting $guarded to an empty array, so any request attribute can be written to the model.
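An added example (not from the page or Laravel) showing the unguarded model beside a model with an explicit $fillable allowlist and a controller that passes only validated fields. It assumes a Laravel application with a users table that has an is_admin column; the request shape is constructed:

```php
<?php
// Added example: Eloquent mass assignment, unguarded and guarded.

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;

// VULNERABLE: $guarded = [] disables the guard, so a request carrying
// is_admin=1 sets that column when the controller does $user->fill($request->all()).
class UserUnguarded extends Model
{
    protected $table = 'users';
    protected $guarded = [];
}

// FIXED: allowlist the attributes a client may set; anything else is dropped
// (or throws if Model::preventSilentlyDiscardingAttributes() is enabled).
class User extends Model
{
    protected $table = 'users';
    protected $fillable = ['name', 'email'];
}

// Controller: validate first, then fill only the validated fields, so the
// allowlist is enforced twice (validation rules and $fillable).
function updateProfile(Request $request, User $user): User
{
    $data = $request->validate([
        'name'  => ['required', 'string', 'max:100'],
        'email' => ['required', 'email'],
    ]);
    $user->fill($data);   // is_admin is neither validated nor fillable
    $user->save();
    return $user;
}

// Privileged columns are set explicitly, by code that has checked authorization.
function promote(User $actor, User $target): void
{
    if (!$actor->is_admin) {
        abort(403);
    }
    $target->forceFill(['is_admin' => true])->save();
}
```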