Managed to detect 3 out of 5 basic PHP files.
Must-share information (formatted with Markdown):
- Developer Edition v10.6 (92116)
- Docker
- test whether the rules can detect basic miscoding/vulnerabilities in single-page code
- enabled as many rules (PHP) as possible, except deprecated ones.
Example: DVPA/RCE-Labs/RCE-1/rce.php at main · c0brabaghdad1/DVPA · GitHub

```php
<?php
$file = $_GET['page'];
$file = str_replace( array( "etc", "passwd" ), "", $file );
if(isset($file)){
    system('cat' . " " . $file);
}
// Mul?i;\W'a'y*
?>
```
Hi,

Thank you for your message and the reproducer in GitHub.

We consider `str_replace` as a general sanitizer; this is why we do not trigger a vulnerability at the level of the `system` call, as we consider that `$file` is safe after the `str_replace` call. Of course, in this precise example, the code is indeed vulnerable. However, this is a very artificial code. We prefer to limit false positives and, as a consequence, we do not raise in all possible (artificial) cases.

Best regards,
Sebastien
Got it. It appears that the other non-detection test file also has a `str_replace`. It seems that other scanners might not have considered the `str_replace`. Of course, a manual code review should check whether the sanitizer is adequate; in this case, it’s not.
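For comparison, here is a hardened rewrite of the rce.php snippet above. It is an added example, not code from this thread or from the DVPA repository: `str_replace` only deletes the listed substrings once and leaves the rest of the input unconstrained, so it is a denylist rather than a sanitizer; the version below uses the request parameter only to select from a fixed allowlist and never hands untrusted text to a shell. The allowlist entries, file paths and helper names are assumptions made for this example.

```php
<?php
// Added example (not from the thread or DVPA): hardened replacement for rce.php.
// Assumed allowlist: the only pages the application is meant to serve.
const PAGE_ALLOWLIST = [
    'home'  => '/var/www/pages/home.txt',
    'about' => '/var/www/pages/about.txt',
];

/**
 * Map the request parameter to an allowlisted path, or null if it is not
 * in the list. The untrusted string is never used as a path or argument
 * itself, so there is nothing for str_replace to "clean".
 */
function resolve_page(?string $page): ?string
{
    if ($page === null) {
        return null;
    }
    return PAGE_ALLOWLIST[$page] ?? null;
}

/**
 * Only if a shell command is genuinely required: build it from an
 * allowlisted path and pass that path as a single quoted argument with
 * escapeshellarg(), so it can never be parsed as shell syntax.
 */
function build_cat_command(string $path): string
{
    return 'cat ' . escapeshellarg($path);
}

/**
 * Preferred: no shell at all. Read the allowlisted file directly, so there
 * is no command line that user input could influence.
 */
function show_page(?string $page): string
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        return 'unknown page';
    }
    return (string) file_get_contents($path);
}

echo show_page($_GET['page'] ?? null);
```

A taint-tracking rule would still flag `system(build_cat_command($x))` if `$x` came straight from `$_GET`; the point of `resolve_page()` is that only allowlist values, not request data, ever reach the sink.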