[Code Audit] List of risky PHP functions
PHP has a very large number of functions, and improper use of some of them is dangerous. The following list of risky PHP functions can be used as a checklist for PHP code security audits.
Command injection
Function | Description |
--- | --- |
exec | Execute an external program |
passthru | Execute an external program and display raw output |
system | Execute an external program and display the output |
shell_exec | Execute command via shell and return the complete output as a string |
popen | Opens process file pointer |
proc_open | Execute a command and open file pointers for input/output |
pcntl_exec | Executes specified program in current process space |
Code execution
Function | Description |
--- | --- |
eval | Evaluate a string as PHP code |
assert | Checks if assertion is FALSE |
preg_replace | Perform a regular expression search and replace |
create_function | Create an anonymous (lambda-style) function |
include | The include statement includes and evaluates the specified file. |
include_once | The include_once statement includes and evaluates the specified file during the execution of the script. |
require_once | The require_once statement is identical to require except PHP will check if the file has already been included, and if so, not include (require) it again. |
`$_GET['func']($_GET['param'])` | Calls a function whose name comes from user input |
Cross site scripting
User-controlled input enters through these variables; trace each one to where it is echoed into a page:
- `$_GET`
- `$_POST`
- `$_COOKIE`
- `$_REQUEST`
- `$_FILES`
- `$_SERVER`
- `$_ENV`
- `$HTTP_GET_VARS`
- `$HTTP_POST_VARS`
- `$HTTP_COOKIE_VARS`
- `$HTTP_REQUEST_VARS`
- `$HTTP_POST_FILES`
- `$HTTP_SERVER_VARS`
- `$HTTP_ENV_VARS`
- `$HTTP_RAW_POST_DATA`
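The three lists above are exactly what a first-pass audit greps for. As an added example that is not part of the original page, the scanner below tokenizes PHP source with `token_get_all()` and reports calls to the command-injection and code-execution sinks, reads of the user-input superglobals, and variable function calls of the `$var(...)` form. The sink and source names are taken from the lists above (plain `require` is added alongside `require_once`); the sample source it scans is constructed for the demo.

```php
<?php
// Added example, not part of the original page: a small static scanner that
// tokenizes PHP source with token_get_all() and reports (a) calls to the
// command-injection and code-execution sinks listed above, (b) reads of the
// user-input superglobals, and (c) variable function calls of the $var(...)
// form. The sample source it scans is constructed.

const SINKS = [
    'exec', 'passthru', 'system', 'shell_exec', 'popen', 'proc_open', 'pcntl_exec',
    'eval', 'assert', 'preg_replace', 'create_function',
    'include', 'include_once', 'require', 'require_once',
];
const SOURCES = [
    '$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_FILES', '$_SERVER', '$_ENV',
    '$HTTP_GET_VARS', '$HTTP_POST_VARS', '$HTTP_COOKIE_VARS', '$HTTP_REQUEST_VARS',
    '$HTTP_POST_FILES', '$HTTP_SERVER_VARS', '$HTTP_ENV_VARS', '$HTTP_RAW_POST_DATA',
];

// True for tokens that carry no syntax (whitespace and comments).
function is_trivia($token): bool
{
    return is_array($token) && in_array($token[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
}

// Index of the nearest non-trivia token after ($step = 1) or before ($step = -1) $i, or null.
function neighbour(array $tokens, int $i, int $step): ?int
{
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        if (!is_trivia($tokens[$j])) {
            return $j;
        }
    }
    return null;
}

// Skip any [...] subscripts that follow token $i; returns the index of the token after them.
function skip_subscripts(array $tokens, int $i): ?int
{
    $j = neighbour($tokens, $i, 1);
    while ($j !== null && $tokens[$j] === '[') {
        $depth = 0;
        for (; $j < count($tokens); $j++) {
            if ($tokens[$j] === '[') {
                $depth++;
            } elseif ($tokens[$j] === ']' && --$depth === 0) {
                break;
            }
        }
        $j = neighbour($tokens, $j, 1);
    }
    return $j;
}

function scan_php_source(string $code): array
{
    $findings = [];
    $tokens = token_get_all($code);
    $keywordSinks = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

    foreach ($tokens as $i => $token) {
        if (!is_array($token)) {
            continue;
        }
        [$id, $text, $line] = $token;

        if ($id === T_VARIABLE) {
            if (in_array($text, SOURCES, true)) {
                $findings[] = sprintf('line %d: source %s', $line, $text);
            }
            // $var(...) or $var['k'](...): the callee name comes from data
            $next = skip_subscripts($tokens, $i);
            if ($next !== null && $tokens[$next] === '(') {
                $findings[] = sprintf('line %d: sink dynamic call via %s', $line, $text);
            }
            continue;
        }

        $name = strtolower($text);
        if (($id === T_STRING || in_array($id, $keywordSinks, true)) && in_array($name, SINKS, true)) {
            $prev = neighbour($tokens, $i, -1);
            $prevId = ($prev !== null && is_array($tokens[$prev])) ? $tokens[$prev][0] : null;
            // $obj->exec(), Foo::exec() and "function exec()" are not the built-in sink
            if (in_array($prevId, [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
                continue;
            }
            $findings[] = sprintf('line %d: sink %s', $line, $name);
        }
    }
    return $findings;
}

// Constructed sample with one finding of each kind.
$sample = <<<'PHP'
<?php
$host = $_GET['host'];
system("ping -c 1 " . $host);
$out = preg_replace('/x/e', 'strtoupper("$0")', $_POST['data']);
include $_REQUEST['page'];
$db->exec("SELECT 1"); // method call, not the exec() sink
$_GET['func']($_GET['param']);
PHP;

foreach (scan_php_source($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Each reported line still needs a human to decide whether the source actually reaches the sink; the tokenizer only avoids the false positives a plain grep produces (method calls such as `$db->exec()`, names inside comments and strings).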
SQL Injection
Unsafe API methods (require sanitising/escaping):
- $wpdb->query()
- $wpdb->get_var()
- $wpdb->get_row()
- $wpdb->get_col()
- $wpdb->get_results()
- $wpdb->replace()
Safe API methods (according to WordPress):
- $wpdb->insert()
- $wpdb->update()
- $wpdb->delete()
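As an added example that is not part of the original page or of WordPress, the snippet below shows the same user lookup through one of the unsafe methods with raw interpolation, then bound with `$wpdb->prepare()` (WordPress's placeholder API), then through one of the "safe" methods. It assumes it runs inside a plugin where the global `$wpdb` object is available.

```php
<?php
// Added example, not part of the original page or of WordPress: the same user
// lookup through an unsafe method with raw interpolation, then bound with
// $wpdb->prepare(), then through one of the "safe" methods. $wpdb is assumed
// to be the global WordPress database object inside a plugin.
global $wpdb;

$user_id  = $_GET['id'];     // user-controlled
$new_name = $_POST['name'];  // user-controlled

// Unsafe: get_row() runs the string as-is, so $user_id becomes part of the SQL syntax.
$row = $wpdb->get_row("SELECT ID, user_login FROM {$wpdb->users} WHERE ID = $user_id");

// Fixed: prepare() binds the value through a %d/%s placeholder before get_row() sees it.
$row = $wpdb->get_row(
    $wpdb->prepare("SELECT ID, user_login FROM {$wpdb->users} WHERE ID = %d", $user_id)
);

// "Safe" method: update() quotes the data and WHERE values itself according to
// the format arrays. The table name and the column names are not escaped, so
// they must never come from user input.
$wpdb->update(
    $wpdb->users,
    ['display_name' => $new_name],  // data
    ['ID' => $user_id],             // where
    ['%s'],                         // data format
    ['%d']                          // where format
);
```

When auditing, treat any unsafe method whose argument is not wrapped in `$wpdb->prepare()` as a finding, and check the "safe" methods for table or column names built from request data.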
Authorisation
- is_admin() does not check whether the user is authenticated as an administrator; it only checks whether the page being displayed is in the admin section, which can lead to an authorisation bypass if misused.
- is_user_admin() same as above.
- current_user_can() is used for checking authorisation. This is what should be used to check authorisation.
Open Redirect
- wp_redirect() can be used to redirect to user-supplied URLs. If the user input is not sanitised or validated, this can lead to an open redirect vulnerability.
Cross-Site Request Forgery (CSRF)
- wp_nonce_field() adds CSRF token to forms
- wp_nonce_url() adds CSRF token to URL
- wp_verify_nonce() checks the CSRF token validity server side
- check_admin_referer() checks the CSRF token validity server side and that the request came from an admin screen
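The authorisation, open redirect and CSRF items above usually come together in one admin form handler. As an added example that is not part of the original page or of WordPress, the handler below applies the checks in the order an auditor expects to see them; the hook name `admin_post_demo_save`, the nonce action and field names, and the `manage_options` capability are assumptions for the demo.

```php
<?php
// Added example, not part of the original page or of WordPress: one admin POST
// handler that applies the CSRF, authorisation and redirect checks listed
// above. Hook name, nonce names and capability string are assumptions.

add_action('admin_post_demo_save', function () {
    // 1. CSRF: token must be present and valid; check_admin_referer() dies on failure.
    check_admin_referer('demo_save_action', 'demo_nonce');

    // 2. Authorisation: a capability check, not is_admin()/is_user_admin().
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', 403);
    }

    // ... validate and save the submitted settings here ...

    // 3. Open redirect: only follow an absolute http(s) URL on this site's host;
    //    anything else falls back to a fixed in-site page.
    $target      = isset($_POST['return_to']) ? (string) $_POST['return_to'] : '';
    $site_host   = wp_parse_url(home_url(), PHP_URL_HOST);
    $target_host = wp_parse_url($target, PHP_URL_HOST);
    $scheme      = wp_parse_url($target, PHP_URL_SCHEME);
    if ($target_host !== $site_host || !in_array($scheme, ['http', 'https'], true)) {
        $target = admin_url('options-general.php');
    }
    wp_redirect($target);
    exit;
});

// The matching form emits the token with wp_nonce_field() and escapes its output.
function demo_render_form(): void
{
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    wp_nonce_field('demo_save_action', 'demo_nonce');
    echo '<input type="hidden" name="action" value="demo_save">';
    echo '<input type="hidden" name="return_to" value="'
        . esc_attr(admin_url('options-general.php')) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

WordPress also ships wp_safe_redirect(), which applies a host allowlist before redirecting; during an audit, a bare wp_redirect() on request data without a check like the one above is the finding.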
SSL/TLS
- CURLOPT_SSL_VERIFYHOST: if set to 0, the hostname in the server certificate is not checked
- CURLOPT_SSL_VERIFYPEER: if set to FALSE, the certificate (including its chain) is not checked for trust
- Check whether plain HTTP is used to communicate with backend servers or APIs. A grep for “http://” should be sufficient.
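As an added example that is not part of the original page, the code below shows a cURL request with the two weak settings flagged above next to the corrected settings, plus a small helper for the "grep for http://" audit step. The CA bundle path and the directory scanned are constructed for the demo.

```php
<?php
// Added example, not part of the original page: a cURL request with the weak
// TLS settings flagged above beside the corrected ones, plus a helper for the
// "grep for http://" audit step. CA bundle path and directory are constructed.

// Weak: hostname and chain checks both off, so any certificate is accepted.
function backend_request_weak(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Corrected: chain verified against a CA bundle, hostname verified (2 = the
// certificate name must match), and only https:// is allowed, even on redirects.
function backend_request(string $url, string $ca_bundle)
{
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('backend URLs must use https://');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => $ca_bundle,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch); // e.g. a certificate verification failure
        curl_close($ch);
        throw new RuntimeException('transport error: ' . $err);
    }
    curl_close($ch);
    return $body;
}

// Audit helper: list "http://" (but not "https://") literals in .php files under $dir.
function find_plain_http(string $dir): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        foreach (file($file->getPathname()) as $n => $line) {
            if (preg_match('#\bhttp://#i', $line)) {
                $hits[] = sprintf('%s:%d: %s', $file->getPathname(), $n + 1, trim($line));
            }
        }
    }
    return $hits;
}

foreach (find_plain_http(__DIR__) as $hit) {
    echo $hit, PHP_EOL;
}
```

The grep helper will also report http:// inside comments and documentation strings, which is acceptable for an audit pass: the goal is to enumerate every place a backend call might be made over plaintext, then confirm each one by hand.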
Reference: Github