High

Showing all detectors for the PHP language with high severity.

Server Side Request Forgery

The application builds a URL (or a comparable request to a backend component) from untrusted input and sends it without validating the destination, so an attacker can make the server issue requests to hosts and services of their choosing, including internal ones.

SQL Injection

The use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.
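
An added example, not code from the detector page: the flagged pattern (a request value interpolated into SQL) next to the PDO prepared-statement form. The table, the in-memory SQLite database and the `1 OR 1=1` payload are constructed for the demo.

```php
<?php
// Constructed demo: the attacker supplies id = "1 OR 1=1" to dump every row.

// Flagged pattern: string interpolation puts attacker text into the SQL grammar.
function findUserVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT id, email FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter and can never change the query structure.
function findUserSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (table and column names) cannot be bound; check them against an allowlist instead.
function listUsersOrdered(PDO $pdo, string $column): array
{
    $allowed = ['email', 'id'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    return $pdo->query("SELECT id, email FROM users ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite with constructed rows.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the database engine handle the placeholders
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");

$payload = '1 OR 1=1';
echo 'vulnerable: ', count(findUserVulnerable($pdo, $payload)), " row(s)\n";
echo 'prepared:   ', count(findUserSafe($pdo, $payload)), " row(s)\n";
echo 'ordered:    ', json_encode(listUsersOrdered($pdo, 'email')), "\n";
```

The interpolated query returns both rows because the payload rewrites the WHERE clause; the prepared statement returns only the row whose id is 1.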

Activated Debug Feature

Set APP_DEBUG=false in production so that debug output such as stack traces and configuration values is not exposed to users.

Sensitive information leak

The phpinfo() function reveals the PHP configuration, file system paths, environment variables and loaded modules; do not leave it reachable in production.

Log Injection

Untrusted input is written to a log without neutralizing line breaks and other control characters (CWE-117, Improper Output Neutralization for Logs), so an attacker can forge or corrupt log entries.
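
An added example, not from the detector page: a log helper that keeps one untrusted value on one line. The username with an embedded newline is a constructed payload meant to forge a second, successful-looking entry.

```php
<?php
// Constructed payload: a newline in the username would start a fake "login=success" line.
$attack = "alice\nlogin=success user=admin";

// Flagged pattern: the value is written as-is.
function logLineVulnerable(string $event, string $untrusted): string
{
    return sprintf('%s %s user=%s', date(DATE_ATOM), $event, $untrusted);
}

// Hardened: replace CR, LF and other control characters, bound the length so one request
// cannot flood the log, and quote the field so spaces and '=' cannot be mistaken for structure.
function logLine(string $event, string $untrusted): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', $untrusted);
    $clean = mb_substr($clean, 0, 200);
    $quoted = json_encode($clean, JSON_INVALID_UTF8_SUBSTITUTE | JSON_UNESCAPED_SLASHES);
    return sprintf('%s %s user=%s', date(DATE_ATOM), $event, $quoted);
}

echo "--- vulnerable (two lines appear in the log) ---\n";
echo logLineVulnerable('login=failure', $attack), "\n";
echo "--- neutralized (one line, quoted) ---\n";
echo logLine('login=failure', $attack), "\n";
```

Structured logging (JSON per line) achieves the same thing by construction, since every value is quoted and escaped by the encoder.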

Origins-verified cross-origin communications

Failing to verify the origin of messages and the identity of the peer in cross-origin communications can let an untrusted page inject messages or read data it should not see.

Cross-site scripting

Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.
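
An added example, not from the detector page: context-aware output encoding for the three places request data commonly lands in a PHP template (text node or attribute, href, inline script). The payloads in the defaults are constructed.

```php
<?php
// Flagged pattern: echo "<p>Hello $name</p>"; with $name straight from the request.

// HTML text nodes and quoted attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// href/src need a scheme check first; encoding alone does not stop javascript: URLs.
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {                       // unparsable URL
        return e('#');
    }
    $ok = $scheme === null                          // relative URL
        || in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
    return e($ok ? $url : '#');
}

// Values embedded in an inline <script> block: JSON with the HTML-safe escaping flags,
// so "</script>" inside the data cannot close the block.
function jsValue($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

$name = $_GET['name'] ?? '<img src=x onerror=alert(1)>';          // constructed payload
$url  = $_GET['url']  ?? 'javascript:alert(document.cookie)';     // constructed payload

echo '<p>Hello ', e($name), "</p>\n";
echo '<input name="q" value="', e($name), "\">\n";
echo '<a href="', safeHref($url), "\">profile</a>\n";
echo '<script>var user = ', jsValue(['name' => $name]), ";</script>\n";
```

Each sink gets the encoder for its own grammar; a single HTML-encoding pass is not enough for URL or script contexts.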

Dangerous Function Usage

Identifies the use of the Mcrypt functions in PHP (deprecated in 7.1 and removed from core in 7.2) and encourages a switch to secure alternatives such as the OpenSSL or Sodium extensions.

Path Traversal

Creating file paths from untrusted input might give a malicious actor access to sensitive files.
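
An added example, not from the detector page: a file reader that resolves the requested name with realpath() and then requires the result to sit inside the base directory. The scratch directory and file are created by the demo itself.

```php
<?php
// Flagged pattern: file_get_contents($baseDir . '/' . $_GET['file']);
// with file = "../../../../etc/passwd".

function readUserFile(string $baseDir, string $requested): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('Base directory does not exist');
    }
    // realpath() collapses "." and "..", follows symlinks, and returns false for missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // The trailing separator in the prefix check stops "/srv/uploads" from matching
    // a sibling such as "/srv/uploads-private".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Access denied');
    }
    return file_get_contents($target);
}

// Constructed demo: a scratch directory holding one legitimate file.
$dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/report.txt', "quarterly numbers\n");

foreach (['report.txt', '../../../../etc/passwd', 'missing.txt'] as $name) {
    try {
        echo $name, ': ', strlen(readUserFile($dir, $name)), " bytes\n";
    } catch (RuntimeException $e) {
        echo $name, ': ', $e->getMessage(), "\n";
    }
}
```

Because realpath() needs the file to exist, this check is for reads; when creating files, normalize the name yourself (reject separators and "..") and build the path from an allowlisted base.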

Avoiding Exceptions in PHP

Maintaining application stability through graceful PHP exits and proper exception handling.

OS command injection

Untrusted input passed to functions that run operating system commands (exec, system, shell_exec, passthru, popen, proc_open with a string, or backticks) lets an attacker execute arbitrary commands.
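
An added example, not from the detector page: a ping helper in its flagged form and in two hardened forms (validation plus a shell-free argv array, and escapeshellarg() when a shell is unavoidable). The `127.0.0.1; id` payload is constructed, and the demo needs a `ping` binary on the host.

```php
<?php
// Flagged pattern: the request value is pasted into a shell command line.
// Payload "127.0.0.1; id" makes the shell run a second command.
function pingVulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 $host");
}

// Hardened: validate the value, then execute without a shell.
function pingSafe(string $host): string
{
    $isHost = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    if (!$isHost && !$isIp) {
        throw new InvalidArgumentException('Invalid host');
    }
    // An argv array (PHP 7.4+) is passed to execve directly: ';', '|', '$()' and quotes
    // are ordinary characters in the argument, not shell syntax.
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// If a shell is unavoidable, quote every argument; validation still comes first.
function pingQuoted(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

foreach (['127.0.0.1', '127.0.0.1; id'] as $input) {
    try {
        echo '[', $input, '] => ', strtok(pingSafe($input), "\n"), "\n";
    } catch (InvalidArgumentException $e) {
        echo '[', $input, '] => rejected: ', $e->getMessage(), "\n";
    }
}
```

escapeshellarg() protects the argument boundary but not the program's own option parsing, which is why the allowlist-style validation stays in place even in the quoted variant.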

Incorrect Comparison

Loose comparison (==) in PHP applies type juggling, so values of different types or forms can compare equal; use strict comparison (===) and, for secrets such as tokens or hashes, hash_equals().
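
An added example, not from the detector page, showing the juggling cases that matter in security checks and a token comparison written both ways. The two `0e...` digests are constructed hex strings of the form PHP treats as numeric.

```php
<?php
// Both strings are "numeric strings" (0 times 10^n), so == compares them as numbers.
$expected = '0e462097431906509019562988736854';
$forged   = '0e830400451993494058024219903391';

// Flagged pattern: loose comparison, also not constant-time.
function tokenMatchesLoose(string $expected, $supplied): bool
{
    return $supplied == $expected;
}

// Hardened: a type check plus hash_equals(), which is strict and constant-time.
function tokenMatchesStrict(string $expected, $supplied): bool
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

$cases = [
    'forged 0e digest, loose'  => tokenMatchesLoose($expected, $forged),
    'forged 0e digest, strict' => tokenMatchesStrict($expected, $forged),
    '"1e3" == "1000"'          => '1e3' == '1000',
    '"1e3" === "1000"'         => '1e3' === '1000',
    'in_array loose "1e1"'     => in_array('1e1', ['10']),
    'in_array strict "1e1"'    => in_array('1e1', ['10'], true),
    'null == false'            => null == false,
    'null === false'           => null === false,
];
foreach ($cases as $label => $result) {
    printf("%-26s %s\n", $label, var_export($result, true));
}
```

Every loose line prints true and every strict line prints false. The same rule applies to switch statements and to in_array()/array_search() without the strict flag, which all compare loosely by default.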

Ldap Bind Without Password

An anonymous LDAP bind was found, which risks unauthorized execution of LDAP operations. Strengthen LDAP security by enforcing authentication on the bind.
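
An added example, not from the detector page: the flagged anonymous bind, the related empty-password trap, and an authenticated bind with the username escaped before it enters the DN. It needs a reachable directory; the host, base DN and `uid` attribute are placeholders.

```php
<?php
$conn = ldap_connect('ldaps://ldap.example.internal');   // placeholder host
if ($conn === false) {
    exit("ldap_connect failed\n");
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Flagged pattern: no DN and no password is an anonymous bind; every operation that
// follows runs with whatever the directory grants to "anonymous".
// ldap_bind($conn);

// Related trap: a DN with an EMPTY password is an "unauthenticated bind" (RFC 4513 §5.1.2).
// Directories that allow it return success, so a login form that forwards an empty
// password field would log anyone in as the named user.
function authenticate($conn, string $baseDn, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    // Escape before the value becomes part of a DN; use LDAP_ESCAPE_FILTER for search filters.
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
    return @ldap_bind($conn, $dn, $password);
}

$ok = authenticate(
    $conn,
    'ou=people,dc=example,dc=internal',              // placeholder base DN
    $_POST['user'] ?? '',
    $_POST['pass'] ?? ''
);
echo $ok ? "authenticated\n" : "rejected\n";
```

The explicit empty-password check is the part most often missing: ldap_bind() with a DN and an empty string does not fail on every server.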

Sendfile Injection

Functions that send files must validate and sanitize untrusted user data before using it to choose or serve a file.

Assert Use

Executing assert with user-provided input is comparable to invoking dynamic code evaluations.
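
An added example, not from the detector page: the flagged assert() pattern with a constructed injection payload, and the ordinary conditional that should replace it. Version behaviour is noted in the comments.

```php
<?php
// Constructed input that closes the string literal and injects a call.
$userInput = "1') || system('id') || ('1";

// Flagged pattern. On PHP 7.x a string passed to assert() is compiled and evaluated as PHP
// code (deprecated since 7.2), so the interpolated input becomes code and runs.
// On PHP 8 the string is no longer evaluated: a non-empty string is simply truthy,
// so the "check" always passes, a logic bug rather than code execution.
function checkVulnerable(string $userInput): void
{
    assert("is_numeric('$userInput')");
}

// Hardened: validate with a real conditional. assert() is a development aid that is
// compiled out when zend.assertions = -1 (the recommended production setting),
// so it must never carry security checks.
function checkSafe(string $userInput): void
{
    if (!is_numeric($userInput)) {
        throw new InvalidArgumentException('Expected a number');
    }
}

foreach (['42', $userInput] as $in) {
    try {
        checkSafe($in);
        echo json_encode($in), ": accepted\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($in), ': ', $e->getMessage(), "\n";
    }
}
```

Even assert() with a boolean argument is unsuitable for input validation, because a production php.ini can switch it off entirely.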

Loose file permissions

Weak file permissions can lead to privilege escalation.

Improper Authentication

The wp_ajax_priv_upload and wp_ajax_nopriv_upload hooks allow developers to define callbacks for authenticated and anonymous AJAX requests respectively; registering the same privileged callback on the nopriv hook, or omitting authentication and capability checks inside it, exposes the action to unauthenticated users.

Insecure connection

Connections that use insecure protocols transmit data in cleartext, which can leak sensitive information.

Weak Random Number Generation

Use cryptographically secure functions such as random_bytes() and random_int() instead of non-cryptographic PRNGs like rand(), mt_rand() or uniqid() in security-relevant code.
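
An added example, not from the detector page: a weak token generator next to CSPRNG-backed helpers for tokens, numeric one-time codes, uniform choice and random strings.

```php
<?php
// Flagged pattern: mt_rand() is seeded from a 32-bit value that can be recovered from a few
// outputs, and uniqid() is essentially a timestamp; md5 adds no entropy.
function resetTokenWeak(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// random_bytes()/random_int() read the OS CSPRNG and throw if it is unavailable,
// instead of silently falling back to something weaker.
function resetTokenStrong(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));                       // 256 bits of entropy
}

function oneTimeCode(int $digits = 6): string
{
    return str_pad((string) random_int(0, 10 ** $digits - 1), $digits, '0', STR_PAD_LEFT);
}

function randomChoice(array $items)
{
    return $items[random_int(0, count($items) - 1)];           // uniform, no modulo bias
}

function randomString(int $length, string $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'): string
{
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Store only a hash of a reset token and compare later with hash_equals().
$token  = resetTokenStrong();
$stored = hash('sha256', $token);

echo 'weak:   ', resetTokenWeak(), "\n";
echo 'token:  ', $token, "\n";
echo 'stored: ', $stored, "\n";
echo 'otp:    ', oneTimeCode(), "\n";
echo 'string: ', randomString(16), "\n";
echo 'choice: ', randomChoice(['red', 'green', 'blue']), "\n";
```

random_int() is also the right replacement for `mt_rand($min, $max)` when the result gates anything an attacker would want to predict, such as a CAPTCHA answer or a sampling decision.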

Open Redirect

Redirecting to the current request URL (for example $_SERVER['REQUEST_URI']) can send the user to another domain: a path beginning with two slashes, such as //evil.example/, is treated by browsers as a scheme-relative URL.
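
An added example, not from the detector page: a local-path validator for redirect targets, with the constructed inputs that the flagged pattern would have passed through. The hostname used to build the absolute URL is a placeholder.

```php
<?php
// Flagged pattern: header('Location: ' . $_SERVER['REQUEST_URI']);
// With a request path of "//evil.example/login" the header becomes
// "Location: //evil.example/login", a scheme-relative URL that browsers follow off-site.

function safeLocalPath(string $path, string $fallback = '/'): string
{
    // Must be rooted with exactly one slash: reject "", "//...", "/\..." and anything
    // that parses with a scheme or host.
    if ($path === '' || $path[0] !== '/' || preg_match('#^/[/\\\\]#', $path)) {
        return $fallback;
    }
    $parts = parse_url($path);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    // Defensive: no CR/LF, so the value cannot smuggle extra headers.
    return str_replace(["\r", "\n"], '', $path);
}

function redirectLocal(string $path): void
{
    // Emitting an absolute URL on our own host removes any remaining ambiguity.
    $host = 'app.example.com';   // placeholder: read from configuration, never from the request
    header('Location: https://' . $host . safeLocalPath($path), true, 302);
}

$inputs = [
    '/account',
    '//evil.example/login',
    '/\\evil.example',
    'https://evil.example',
    '/ok?next=//x',
    '',
];
foreach ($inputs as $in) {
    printf("%-24s -> %s\n", var_export($in, true), safeLocalPath($in));
}
```

The backslash case matters because browsers normalize `/\host` to `//host` before resolving it, so a check that only looks for two forward slashes is incomplete.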

Allow Url Fopen Or Include

Using unvalidated URLs with allow_url_fopen enables server-side request forgery attacks.
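
An added example serving both the Server Side Request Forgery and Allow Url Fopen Or Include entries; it is not code from the detector page. It shows the flagged `file_get_contents($_GET['url'])` pattern and a fetch routine that allowlists the host, rejects internal addresses, and pins the checked address for the connection. The partner hostname is a placeholder, and the demo needs network access for the first URL.

```php
<?php
// Flagged pattern: with allow_url_fopen=On this fetches whatever the client names,
// e.g. http://169.254.169.254/latest/meta-data/ or http://127.0.0.1:6379/
// $body = file_get_contents($_GET['url']);

function fetchTrustedUrl(string $url, array $allowedHosts): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Scheme not allowed');   // no file://, gopher://, php://, ...
    }
    $host = strtolower($p['host']);
    if (!in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException('Host not allowed');
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('Credentials in URL not allowed');
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once, refuse private/loopback/link-local answers, then pin that address for
    // the connection so a DNS rebind between check and fetch cannot redirect it.
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        throw new RuntimeException('DNS resolution failed');
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            throw new RuntimeException("Refusing to connect to internal address $ip");
        }
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                  // a redirect would bypass every check above
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
        CURLOPT_RESOLVE        => ["$host:$port:" . $ips[0]],
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("Fetch failed: $err");
    }
    return $body;
}

$allowed = ['api.partner.example'];   // placeholder allowlist
$tests = [
    'https://api.partner.example/v1/status',
    'http://169.254.169.254/latest/meta-data/',
    'file:///etc/passwd',
];
foreach ($tests as $u) {
    try {
        fetchTrustedUrl($u, $allowed);
        echo $u, ": fetched\n";
    } catch (Exception $e) {
        echo $u, ': ', $e->getMessage(), "\n";
    }
}
```

gethostbynamel() returns only IPv4 answers; if the allowlisted hosts have AAAA records, resolve with dns_get_record() and apply the same range filter to each address before pinning.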

Insecure cryptography

A cryptographic algorithm known to be broken or weak (for example MD5, SHA-1, DES or RC4) is in use.

Object Input Stream Insecure Deserialization

Passing unsanitized user input to unserialize() allows PHP object injection; validate the input and avoid deserializing untrusted data.

Cookie Without Http Only Flag

A sensitive cookie is set without the HttpOnly flag, leaving it readable by client-side script.

Code Injection

Passing untrusted input to dynamic code evaluation (eval() or comparable constructs) lets an attacker run arbitrary PHP; avoid evaluating dynamically built code.

Zip bomb attack

Expanding unverified archive files without limiting the size of the expanded data can lead to zip bomb attacks, where a small archive decompresses to exhaust disk or memory.
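
An added example, not from the detector page: an extractor that caps entry count, declared size and compression ratio from the central directory, then counts the bytes that actually come out of the decompressor, since header fields can lie. The demo builds its own small archive of zeros to trigger the ratio check.

```php
<?php
function safeExtract(string $zipPath, string $dest, int $maxTotal = 50 * 1024 * 1024,
                     int $maxFiles = 1000, int $maxRatio = 100): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open archive');
    }
    if ($zip->numFiles > $maxFiles) {
        throw new RuntimeException('Too many entries');
    }
    $destReal = realpath($dest);
    if ($destReal === false) {
        throw new RuntimeException('Destination missing');
    }
    $written = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st   = $zip->statIndex($i);
        $name = $st['name'];
        // Entry names are attacker data too: no absolute paths, no "..".
        if ($name === '' || $name[0] === '/' || strpos($name, '..') !== false) {
            throw new RuntimeException("Unsafe entry name: $name");
        }
        // First gate: declared uncompressed size and ratio from the central directory.
        if ($st['comp_size'] > 0 && $st['size'] / $st['comp_size'] > $maxRatio) {
            throw new RuntimeException("Suspicious compression ratio in $name");
        }
        if ($written + $st['size'] > $maxTotal) {
            throw new RuntimeException('Declared size exceeds limit');
        }
        if (substr($name, -1) === '/') {                      // directory entry
            @mkdir($destReal . '/' . $name, 0700, true);
            continue;
        }
        @mkdir(dirname($destReal . '/' . $name), 0700, true);
        // Second gate: count real output bytes while streaming, abort the moment the cap is hit.
        $in = $zip->getStream($name);
        if ($in === false) {
            throw new RuntimeException("Cannot read $name");
        }
        $out = fopen($destReal . '/' . $name, 'wb');
        while (!feof($in)) {
            $chunk = fread($in, 65536);
            if ($chunk === false) {
                break;
            }
            $written += strlen($chunk);
            if ($written > $maxTotal) {
                fclose($in);
                fclose($out);
                throw new RuntimeException('Expanded data exceeds limit');
            }
            fwrite($out, $chunk);
        }
        fclose($in);
        fclose($out);
    }
    $zip->close();
}

// Constructed demo: 1 MiB of zeros compresses to roughly 1 KiB, a ratio far above 100.
$tmp = sys_get_temp_dir() . '/zb_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
mkdir("$tmp/out", 0700);
$z = new ZipArchive();
$z->open("$tmp/bomb.zip", ZipArchive::CREATE);
$z->addFromString('big.bin', str_repeat("\0", 1 << 20));
$z->close();

try {
    safeExtract("$tmp/bomb.zip", "$tmp/out");
    echo "extracted\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Nested archives (a zip inside a zip) defeat a single-level ratio check; if extracted contents are themselves unpacked later, the same caps must apply at every level with a depth limit.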

Unsafe Reflection

Use of externally-controlled input in reflection.

Secure Signal Handling

Validate the parameters passed to process-signaling functions (such as posix_kill) so that untrusted input cannot target arbitrary processes and cause instability or denial of service.

Deserialization of untrusted data

Deserialization of untrusted data can lead to security vulnerabilities, such as inadvertently running remote code.
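
An added example serving both the Object Input Stream Insecure Deserialization and Deserialization of untrusted data entries; it is not code from the detector page. A preferences cookie is the constructed carrier: the flagged unserialize() call, the `allowed_classes` mitigation for legacy data, and a JSON payload authenticated with an HMAC before it is parsed. The key is generated in the demo and would come from configuration in practice.

```php
<?php
$key = random_bytes(32);   // demo only; in practice a server-side secret from configuration

// Flagged pattern: unserialize() on attacker data instantiates arbitrary classes, whose
// __wakeup()/__destruct()/__toString() then run on the server (PHP object injection).
// $prefs = unserialize($_COOKIE['prefs']);

// Step 1: if serialize() output must still be accepted, refuse to build objects at all.
function decodeLegacy(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);   // objects become __PHP_Incomplete_Class
}

// Step 2 (preferred): data-only format plus an HMAC, verified before anything is parsed.
function encodePrefs(array $prefs, string $key): string
{
    $json = json_encode($prefs, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key, true);
    return rtrim(strtr(base64_encode($mac . $json), '+/', '-_'), '=');   // URL-safe base64
}

function decodePrefs(string $cookie, string $key): array
{
    $raw = base64_decode(strtr($cookie, '-_', '+/'), true);
    if ($raw === false || strlen($raw) < 32) {
        throw new RuntimeException('Malformed cookie');
    }
    $mac  = substr($raw, 0, 32);
    $json = substr($raw, 32);
    if (!hash_equals(hash_hmac('sha256', $json, $key, true), $mac)) {
        throw new RuntimeException('Cookie failed authentication');   // tampered or forged
    }
    return json_decode($json, true, 16, JSON_THROW_ON_ERROR);      // arrays only, bounded depth
}

$cookie = encodePrefs(['theme' => 'dark', 'page_size' => 25], $key);
var_dump(decodePrefs($cookie, $key));

// Flip one character inside the MAC region and watch verification fail.
$tampered = $cookie;
$tampered[10] = $tampered[10] === 'A' ? 'B' : 'A';
try {
    decodePrefs($tampered, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Legacy serialized input without objects still decodes; an embedded object does not become live.
var_dump(decodeLegacy('a:1:{s:5:"theme";s:4:"dark";}'));
```

The HMAC changes the question from "is this data safe to parse?" to "did we produce this data?", which is the only question a server can answer reliably about a client-held blob.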

Static Initialization Vector (IV)

Using a static initialization vector (IV) for a cryptographic cipher is security-sensitive: identical plaintexts produce identical ciphertexts, and with counter-based modes such as CTR or GCM the keystream is reused across messages.
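
An added example, not from the detector page: the flagged constant-IV encryption beside an AES-256-GCM routine that draws a fresh nonce per message and stores nonce and tag with the ciphertext. The key is generated for the demo only.

```php
<?php
$key = random_bytes(32);   // demo only; a real key comes from a KMS or configuration

// Flagged pattern: a constant IV. Under CBC, equal plaintexts (and equal prefixes) give equal
// ciphertexts; under CTR/GCM the keystream repeats, so XOR of two ciphertexts is the XOR of
// the plaintexts, and GCM's authentication key is exposed.
function encryptStaticIv(string $plaintext, string $key): string
{
    $iv = str_repeat("\0", 16);
    return openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Hardened: random nonce per message, authenticated mode, nonce || tag || ciphertext on the wire.
function encrypt(string $plaintext, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length('aes-256-gcm'));   // 12 bytes for GCM
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}

function decrypt(string $blob, string $key): string
{
    if (strlen($blob) < 28) {
        throw new RuntimeException('ciphertext too short');
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');   // tampered, truncated or wrong key
    }
    return $pt;
}

$msg = 'transfer 100 to account 42';
echo 'static IV, same plaintext twice identical: ',
     var_export(encryptStaticIv($msg, $key) === encryptStaticIv($msg, $key), true), "\n";
echo 'random IV, same plaintext twice identical: ',
     var_export(encrypt($msg, $key) === encrypt($msg, $key), true), "\n";
echo 'round trip: ', decrypt(encrypt($msg, $key), $key), "\n";

$blob = encrypt($msg, $key);
$blob[strlen($blob) - 1] = chr(ord($blob[strlen($blob) - 1]) ^ 0x01);   // flip one ciphertext bit
try {
    decrypt($blob, $key);
} catch (RuntimeException $e) {
    echo 'tampered: ', $e->getMessage(), "\n";
}
```

With GCM the nonce must never repeat under one key; a 96-bit random nonce is standard, but for very high message volumes per key a counter-derived nonce or key rotation is the safer design.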

Coral Csrf Rule

Ensure the input validation check guarantees the expected behavior for all inputs rather than relying on an invalid assumption that causes errors.

Insecure cookie

Cookies set without the Secure flag are also sent over plain HTTP, exposing sensitive data in cleartext.
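
An added example serving both the Cookie Without Http Only Flag and Insecure cookie entries; it is not code from the detector page. The session value is constructed, and the options shown apply equally to setcookie() and to PHP's built-in session cookie.

```php
<?php
$token = bin2hex(random_bytes(32));   // constructed session value

// Flagged pattern: no Secure, no HttpOnly, no SameSite, plain name.
// setcookie('session', $token);

// Hardened (options array, PHP 7.3+).
setcookie('__Host-session', $token, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => '',        // __Host- prefix requires no Domain attribute and Path=/
    'secure'   => true,      // HTTPS only (Insecure cookie detector)
    'httponly' => true,      // not visible to document.cookie (HttpOnly detector)
    'samesite' => 'Lax',     // 'Strict' for applications with no cross-site entry points
]);

// The same attributes for the native session cookie, set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Inspect what was actually queued (useful in tests; CLI runs print nothing for headers).
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo $h, "\n";
    }
}
```

HttpOnly limits theft through script injection; Secure limits exposure on the wire; SameSite limits cross-site request forgery. Each flag closes a different path, so a sensitive cookie normally carries all three.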

Improper access control

The software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor.

Insecure Object Attribute Modification

Overrides Eloquent's mass assignment protection by setting $guarded to an empty array, so any field in a request can be written to any model attribute.
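
An added example, not from the detector page: the flagged unguarded Eloquent model beside a model with a $fillable allowlist and a registration handler that only persists validated keys. It assumes a Laravel application with a `users` table; the request body in the comment is constructed.

```php
<?php
// Constructed request body: {"name":"Mallory","email":"m@example.com","is_admin":true}

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;

// Flagged pattern: an empty $guarded disables mass-assignment protection for every column,
// so the client-supplied is_admin lands in the INSERT.
class UserUnguarded extends Model
{
    protected $table   = 'users';
    protected $guarded = [];
}

// Hardened: allowlist the attributes a client may set; everything else is ignored by create()/fill().
class User extends Model
{
    protected $table    = 'users';
    protected $fillable = ['name', 'email'];
}

function registerVulnerable(Request $request): UserUnguarded
{
    return UserUnguarded::create($request->all());
}

function registerSafe(Request $request): User
{
    // Validation returns only the validated keys; $fillable is the second line of defence
    // if a later change starts passing $request->all() again.
    $data = $request->validate([
        'name'  => ['required', 'string', 'max:100'],
        'email' => ['required', 'email', 'max:254'],
    ]);
    $user = User::create($data);

    // Privileged attributes are decided by server-side logic and assigned explicitly,
    // never taken from the request:
    // $user->is_admin = false;
    // $user->save();
    return $user;
}
```

Prefer $fillable over $guarded: an allowlist stays correct when columns are added to the table, whereas a denylist silently exposes each new column.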