PHP-A1011 · Audit required: Insecure use of logger

Audit required: Insecure use of logger PHP-A1011

Security

Major

8 days ago — 11 days old

cwe-117 a10 2017 cwe-532 a09 sans top 25 owasp top 10

Logging $label directly can be vulnerable

122            $labelToUpdate["description"] = $label["description"];
123            $labelToUpdate["new_name"] = $label["name"];
124            $labelsToUpdateObject[$label["name"]] = $labelToUpdate;
125            echo "⚠️ Label already exists: {$label["name"]}\n";126        } else {
127            echo "⛔ Error creating label: {$label["name"]}\n";
128        }

Logging $label directly can be vulnerable

Src/repositories.php

131    foreach ($labelsToUpdateObject as $oldName => $label) {
132        $response = doRequestGitHub($metadata["token"], $metadata["labelsUrl"] . "/" . str_replace(" ", "%20", $oldName), $label, "PATCH");
133        if ($response->statusCode === 200) {
134            echo "✅ Label updated: {$oldName} -> {$label["new_name"]}\n";135        } else {
136            echo "⛔ Error updating label: {$oldName}\n";
137        }

Logging $label directly can be vulnerable

Src/repositories.php

124            $labelsToUpdateObject[$label["name"]] = $labelToUpdate;
125            echo "⚠️ Label already exists: {$label["name"]}\n";
126        } else {
127            echo "⛔ Error creating label: {$label["name"]}\n";128        }
129    }
130

Logging $label directly can be vulnerable

Src/repositories.php

115    foreach ($labelsToCreateObject as $label) {
116        $response = doRequestGitHub($metadata["token"], $metadata["labelsUrl"], $label, "POST");
117        if ($response->statusCode === 201) {
118            echo "✅ Label created: {$label["name"]}\n";119        } elseif($response->statusCode === 422) {
120            $labelToUpdate = [];
121            $labelToUpdate["color"] = $label["color"];

Description

Logging user-provided values directly can put application vulnerable to multiple attack vectors. Superglobal variables contains values specified by the user, which are considered as tainted and untrusted. Therefore, it is discouraged to pass these variables directly to the logger.

Attack scenario

Consider a web application that logs user input directly without proper sanitization. An attacker can exploit this by injecting malicious scripts into the input fields. For example, if the application logs user comments directly, an attacker could submit a comment containing a script tag:

$_POST['comment'] = "<script>alert('XSS');</script>";
error_log($_POST['comment']);

If the log file is viewed in a web-based log viewer that renders HTML, the script will execute, leading to a Cross-Site Scripting (XSS) attack. This can compromise the security of the application and the data of other users.

Bad practice

error_log($_POST);

guibranco / gstraccini-bot

Attack scenario

Bad practice

Recommended

References