<![CDATA[FrontAccounting forum — PHP Vulnerability Tests]]> https://frontaccounting.com/punbb/viewtopic.php?id=6568 Sun, 04 Dec 2016 17:57:26 +0000 PunBB <![CDATA[PHP Vulnerability Tests]]> https://frontaccounting.com/punbb/viewtopic.php?pid=26956#p26956 The FrontAccounting v2.3.25's webroot folder's files were passed through the RIPS Scanner and the attached results were obtained on it's vulnerability. Most if not all are false positives. The $_POST and $_GET variables are washed before usage though they remain in the same variable name causing such scanners to spout such results.

vulnerable example code:

1: print ("Hello "  .  $_GET["name"]); 

proof of concept for execution:

/index.php?name=<script>alert(1)</script>

patch:

Encode all user tainted data with PHP buildin functions before embedding the data into the output. Make sure to set the parameter ENT_QUOTES to avoid an eventhandler injections to existing HTML attributes and specify the correct charset.

1: print ("Hello "  .  htmlentities($_GET["name"],  ENT_QUOTES,  "utf-8");

]]> Sun, 04 Dec 2016 17:57:26 +0000 https://frontaccounting.com/punbb/viewtopic.php?pid=26956#p26956