dkwakkel

  1. During a security scan the following issue was found:

     The file index.php passes an unvalidated filename to a dynamic include statement on line 163. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

     index.php:151 Read $_POST()
         $exportRequestStream = $_POST;
     Sink: index.php:163 builtin_include()
         if (!@include( $exporterResource )) {

     Given this line in getExporter:

         $path = RESOURCE_PATH . EXPORT_HANDLER . strtoupper($streamtype) . "2{$exporterSuffix}.php";

     I could imagine that if streamtype contains e.g. '\..\..\..\somefile.txt ', illegal content can be included. Can this be fixed by e.g. sanitizing streamtype and exporterSuffix?
  2. We conducted a security vulnerability scan of Fusion Charts and the following vulnerability shows up:

     Line 184 in FCExporter_SVG2ALL.php calls shell_exec() with a command built from untrusted data. This call can cause the program to execute malicious commands on behalf of an attacker.

     Source: index.php
         151 Read $_POST()
         153 $exportRequestStream = $_POST;
     Sink: FCExporter_SVG2ALL.php:184 shell_exec()
         182 $command = INKSCAPE_PATH . "$bg --without-gui {$tempInputSVGFile} --export- {$ext} $tempOutputFile {$size}";

     And:

         $comandJpg = CONVERT_PATH . " -quality 100 $tempOutputFile $tempOutputJpgFile";
         $output .= shell_exec($comandJpg);

     I could imagine that if $bg contains something like "& /dosomethingevil" this can be an issue. I expect escapeshellcmd and escapeshellarg instead of shell_exec should be used (see http://stackoverflow.com/a/130323/227061). Can this be fixed?
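
One way to close both findings above, as an added example that is not FusionCharts code and not part of the original posts: the include path is built only from allowlisted parts, and every request-derived value in the Inkscape command is validated and then quoted with escapeshellarg(). The constant values, the allowlists and the helper names resolveExporterPath and buildInkscapeCommand are assumptions; the Inkscape options are those of the 0.9x command line that --without-gui belongs to.

```php
<?php
// Added example, not FusionCharts code. Constant values, allowlists and
// helper names are assumptions made for illustration.
const RESOURCE_PATH  = __DIR__ . '/Resources/';     // constructed value
const EXPORT_HANDLER = 'FCExporter_';               // constructed value
const INKSCAPE_PATH  = '/usr/bin/inkscape';         // constructed value
const ALLOWED_STREAMTYPES = ['SVG'];                // assumed allowlist
const ALLOWED_SUFFIXES    = ['ALL', 'IMG', 'PDF'];  // assumed allowlist

// Build the include path from allowlisted parts only; null for anything else.
// Exact matching leaves no room for '..', slashes, backslashes or NUL bytes.
function resolveExporterPath(string $streamtype, string $exporterSuffix): ?string
{
    $type = strtoupper($streamtype);
    if (!in_array($type, ALLOWED_STREAMTYPES, true)
        || !in_array($exporterSuffix, ALLOWED_SUFFIXES, true)) {
        return null;
    }
    return RESOURCE_PATH . EXPORT_HANDLER . $type . "2{$exporterSuffix}.php";
}

// Validate each request-derived value against its expected shape, then quote
// it so the shell passes it to Inkscape as a single argument.
function buildInkscapeCommand(string $bgColor, string $inFile, string $outFile,
                              string $ext, int $width): ?string
{
    if (!in_array($ext, ['png', 'pdf'], true)
        || !preg_match('/^#[0-9a-fA-F]{6}$/', $bgColor)
        || $width < 1 || $width > 10000) {
        return null;
    }
    return escapeshellarg(INKSCAPE_PATH)
        . ' --without-gui'
        . ' --export-background=' . escapeshellarg($bgColor)
        . ' --export-width=' . $width
        . ' ' . escapeshellarg($inFile)
        . " --export-{$ext}=" . escapeshellarg($outFile);
}

// Constructed inputs: a normal request, then the two values from the posts.
var_dump(resolveExporterPath('svg', 'ALL'));
var_dump(resolveExporterPath('\..\..\..\somefile.txt ', 'ALL'));
var_dump(buildInkscapeCommand('#ffffff', '/tmp/in.svg', '/tmp/out.png', 'png', 800));
var_dump(buildInkscapeCommand('& /dosomethingevil', '/tmp/in.svg', '/tmp/out.png', 'png', 800));
```

The same validate-then-quote treatment applies to the file names interpolated into the CONVERT_PATH command before it reaches shell_exec().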