Audit required: Insecure use of logger PHP-A1011
Logging
$_SERVER directly can be vulnerable62 </tbody>
63
64 <tr>
65 <td colspan="2"><input type="hidden" name="ip" value="<?php echo $_SERVER['REMOTE_ADDR'] ?>" /><input type="submit" value="Create Ticket" /></td>66 </tr>
67 </table>
68</form>Logging
$_SERVER directly can be vulnerable1<?php if (!defined('FLUX_ROOT')) exit; ?>
2<h2><?php echo htmlspecialchars(Flux::message('PageNotFoundHeading')) ?></h2>
3<p><?php echo htmlspecialchars(Flux::message('PageNotFoundInfo')) ?></p>
4<p><span class="request"><?php echo $_SERVER['REQUEST_URI'] ?></span></p>Logging
$_SERVER directly can be vulnerable1<?php if (!defined('FLUX_ROOT')) exit; ?>
2<h2><?php echo htmlspecialchars(Flux::message('MissingViewHeading')) ?></h2>
3<p><?php echo htmlspecialchars(Flux::message('MissingViewModLabel')) ?> <span class="module-name"><?php echo $this->params->get('module') ?></span>, <?php echo htmlspecialchars(Flux::message('MissingViewActLabel')) ?> <span class="module-name"><?php echo $this->params->get('action') ?></span></p>
4<p><?php echo htmlspecialchars(Flux::message('MissingViewReqLabel')) ?> <span class="request"><?php echo $_SERVER['REQUEST_URI'] ?></span></p>5<p><?php echo htmlspecialchars(Flux::message('MissingViewLocLabel')) ?> <span class="fs-path"><?php echo $realViewPath ?></span></p>
Logging
$_SERVER directly can be vulnerable1<?php if (!defined('FLUX_ROOT')) exit; ?>
2<h2><?php echo htmlspecialchars(Flux::message('MissingActionHeading')) ?></h2>
3<p><?php echo htmlspecialchars(Flux::message('MissingActionModLabel')) ?> <span class="module-name"><?php echo $this->params->get('module') ?></span>, <?php echo htmlspecialchars(Flux::message('MissingActionActLabel')) ?> <span class="module-name"><?php echo $this->params->get('action') ?></span></p>
4<p><?php echo htmlspecialchars(Flux::message('MissingActionReqLabel')) ?> <span class="request"><?php echo $_SERVER['REQUEST_URI'] ?></span></p>5<p><?php echo htmlspecialchars(Flux::message('MissingActionLocLabel')) ?> <span class="fs-path"><?php echo $realActionPath ?></span></p>
Description
Logging user-provided values directly can put application vulnerable to multiple attack vectors. Superglobal variables contains values specified by the user, which are considered as tainted and untrusted. Therefore, it is discouraged to pass these variables directly to the logger.
Bad practice
error_log($_POST);
Recommended
error_log('Message: ' . $_POST['message']);