Web Application Static Source Code Security Analysis Report
ThunderScan PHP / DefenseCode LLC.
10-07-2012 Page 1

Project Name: PHP Mutillidae Security Scan
Line per vuln: 10
Scanned Files: 20
Filters: 0
Code Lines: 981
Creation Date: 10-07-2012
Vulnerabilities: 90
Creation Time: 23:07:31

Scan Details

Project information
Company: DefenseCode LTD.
Author: DefenseCode
E-mail: [email protected]
Brief Description: PHP source code vulnerability scan of Mutillidae 1.3.

Vulnerabilities By Severity (vulnerability group: findings)
SQL Injection: 13
File Disclosure: 2
PHP File Inclusion: 1
Shell Command Execution: 1
Cross Site Scripting: 45
File Manipulation: 2
Misc. Dangerous Functions: 25
Dangerous File Extensions: 1
SQL Injection (13)

1. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 13
Vuln ID: 6
File: E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
13: mysql_query($query)
Input variable: $_REQUEST["user_name"]
Stack (function/line/file):
0. mysql_query() 12 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. $_REQUEST["user_name"]
1. $username
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

2. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 23
Vuln ID: 11
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
23: mysql_query($query)
Input variable: $_REQUEST["password"]
Stack (function/line/file):
0. mysql_query() 22 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["password"]
1. $password
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

3. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 10
Vuln ID: 3
File: E:\Audit\mutillidae1.3\mutillidae\closedb.inc
Vulnerability:
10: mysql_query($query)
Input variable: $_SERVER['HTTP_REFERER']
Stack (function/line/file):
0. mysql_query() 9 E:\Audit\mutillidae1.3\mutillidae\closedb.inc
User input flow:
0. $_SERVER['HTTP_REFERER']
1. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

4. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 57
Vuln ID: 7
File: E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
57: mysql_query($query)
Input variable: $_COOKIE["uid"]
Stack (function/line/file):
0. mysql_query() 56 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. $_COOKIE["uid"]
1. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

5. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 27
Vuln ID: 9
File: E:\Audit\mutillidae1.3\mutillidae\register.php
Vulnerability:
27: mysql_query($query)
Input variable: $_REQUEST["password"]
Stack (function/line/file):
0. mysql_query() 26 E:\Audit\mutillidae1.3\mutillidae\register.php
User input flow:
0. $_REQUEST["password"]
1. $password
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

6. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 23
Vuln ID: 12
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
23: mysql_query($query)
Input variable: $_REQUEST["view_user_name"]
Stack (function/line/file):
0. mysql_query() 22 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["view_user_name"]
1. $viewusername
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

7. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 33
Vuln ID: 2
File: E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
Vulnerability:
33: mysql_query($query)
Input variable: $_REQUEST["input_from_form"]
Stack (function/line/file):
0. mysql_query() 32 E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
User input flow:
0. $_REQUEST["input_from_form"]
1. $inputfromform
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

8. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 27
Vuln ID: 8
File: E:\Audit\mutillidae1.3\mutillidae\register.php
Vulnerability:
27: mysql_query($query)
Input variable: $_REQUEST["my_signature"]
Stack (function/line/file):
0. mysql_query() 26 E:\Audit\mutillidae1.3\mutillidae\register.php
User input flow:
0. $_REQUEST["my_signature"]
1. $mysignature
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

9. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 25
Vuln ID: 1
File: E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
Vulnerability:
25: mysql_query($query)
Input variable: $_REQUEST["input_from_form"]
Stack (function/line/file):
0. mysql_query() 24 E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
User input flow:
0. $_REQUEST["input_from_form"]
1. $inputfromform
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

10. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 10
Vuln ID: 4
File: E:\Audit\mutillidae1.3\mutillidae\closedb.inc
Vulnerability:
10: mysql_query($query)
Input variable: $_SERVER['HTTP_USER_AGENT']
Stack (function/line/file):
0. mysql_query() 9 E:\Audit\mutillidae1.3\mutillidae\closedb.inc
User input flow:
0. $_SERVER['HTTP_USER_AGENT']
1. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

11. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 35
Vuln ID: 13
File: E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
Vulnerability:
35: mysql_query($query)
Input variable: $_REQUEST["show_only_user"]
Stack (function/line/file):
0. mysql_query() 34 E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
User input flow:
0. $_REQUEST["show_only_user"]
1. $showonlyuser
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

12. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 27
Vuln ID: 10
File: E:\Audit\mutillidae1.3\mutillidae\register.php
Vulnerability:
27: mysql_query($query)
Input variable: $_REQUEST["user_name"]
Stack (function/line/file):
0. mysql_query() 26 E:\Audit\mutillidae1.3\mutillidae\register.php
User input flow:
0. $_REQUEST["user_name"]
1. $username
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

13. SQL Injection through mysql_query()
Risk: HIGH
Code Line: 13
Vuln ID: 5
File: E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
13: mysql_query($query)
Input variable: $_REQUEST["password"]
Stack (function/line/file):
0. mysql_query() 12 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. $_REQUEST["password"]
1. $password
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

File Disclosure (2)

1. File Disclosure through fopen()
Risk: HIGH
Code Line: 29
Vuln ID: 15
File: E:\Audit\mutillidae1.3\mutillidae\text-file-viewer.php
Vulnerability:
29: fopen($textfilename, "r")
Input variable: $_REQUEST["text_file_name"]
Stack (function/line/file):
0. fopen() 28 E:\Audit\mutillidae1.3\mutillidae\text-file-viewer.php
User input flow:
0. $_REQUEST["text_file_name"]
1. $textfilename
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

2. File Disclosure through highlight_file()
Risk: HIGH
Code Line: 31
Vuln ID: 14
File: E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
Vulnerability:
31: highlight_file($phpfilename)
Input variable: $_REQUEST["php_file_name"]
Stack (function/line/file):
0. highlight_file() 30 E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
User input flow:
0. $_REQUEST["php_file_name"]
1. $phpfilename
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

PHP File Inclusion (1)

1. PHP File Inclusion through include()
Risk: HIGH
Code Line: 8
Vuln ID: 16
File: E:\Audit\mutillidae1.3\mutillidae\index.php
Vulnerability:
8: include "$page"
Input variable: $_GET[page]
Stack (function/line/file):
0. include() 7 E:\Audit\mutillidae1.3\mutillidae\index.php
User input flow:
0. $_GET[page]
1. $page
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

Shell Command Execution (1)

1. Shell Command Execution through shell_exec()
Risk: HIGH
Code Line: 18
Vuln ID: 17
File: E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
Vulnerability:
18: shell_exec("nslookup " . $targethost)
Input variable: $_REQUEST["target_host"]
Stack (function/line/file):
0. shell_exec() 17 E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
User input flow:
0. $_REQUEST["target_host"]
1. $targethost
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

Cross Site Scripting (45)

1. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 18
Vuln ID: 33
File: E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
Vulnerability:
18: echo (shell_exec("nslookup " . $targethost))
Input variable: $_REQUEST["target_host"]
Stack (function/line/file):
0. echo() 17 E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
User input flow:
0. $_REQUEST["target_host"]
1. $targethost
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

2. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 5
Vuln ID: 32
File: E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
Vulnerability:
5: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['SCRIPT_NAME']
Stack (function/line/file):
0. echo() 4 E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
User input flow:
0. $_SERVER['SCRIPT_NAME']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

3. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 39
Vuln ID: 21
File: E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
Vulnerability:
39: echo ("<p><b>{$row['blogger_name']}:</b>({$row['date']})<br>{$row['comment']}</p>")
Input variable: $_REQUEST["input_from_form"]
Stack (function/line/file):
0. echo() 38 E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
User input flow:
0. $_REQUEST["input_from_form"]
1. $inputfromform
2. $query
3. $result
4. $row
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

4. Cross Site Scripting through print()
Risk: MEDIUM
Code Line: 13
Vuln ID: 26
File: E:\Audit\mutillidae1.3\mutillidae\browser-info.php
Vulnerability:
13: print ("Remote Client Port:",$_SERVER['REMOTE_PORT'])
Input variable: $_SERVER['REMOTE_PORT']
Stack (function/line/file):
0. print() 12 E:\Audit\mutillidae1.3\mutillidae\browser-info.php
User input flow:
0. $_SERVER['REMOTE_PORT']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

5. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 5
Vuln ID: 18
File: E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
Vulnerability:
5: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['QUERY_STRING']
Stack (function/line/file):
0. echo() 4 E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
User input flow:
0. $_SERVER['QUERY_STRING']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

6. Cross Site Scripting through print()
Risk: MEDIUM
Code Line: 9
Vuln ID: 30
File: E:\Audit\mutillidae1.3\mutillidae\catch.php
Vulnerability:
9: print ($msg . "<BR>")
Input variable: $_REQUEST
Stack (function/line/file):
0. print() 8 E:\Audit\mutillidae1.3\mutillidae\catch.php
User input flow:
0. $_REQUEST
1. $k
2. $msg
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

7. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 8
Vuln ID: 44
File: E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
Vulnerability:
8: echo ('<input type="hidden" name="page" value="' . $_REQUEST["page"] . '">')
Input variable: $_REQUEST["page"]
Stack (function/line/file):
0. echo() 7 E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
User input flow:
0. $_REQUEST["page"]
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

8. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 29
Vuln ID: 55
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
29: echo ("<b>Password=</b>{$row['password']}<br>")
Input variable: $_REQUEST["password"]
Stack (function/line/file):
0. echo() 28 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["password"]
1. $password
2. $query
3. $result
4. $row
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

9. Cross Site Scripting through print()
Risk: MEDIUM
Code Line: 12
Vuln ID: 25
File: E:\Audit\mutillidae1.3\mutillidae\browser-info.php
Vulnerability:
12: print ("Referrer",$_SERVER['HTTP_REFERER'])
Input variable: $_SERVER['HTTP_REFERER']
Stack (function/line/file):
0. print() 11 E:\Audit\mutillidae1.3\mutillidae\browser-info.php
User input flow:
0. $_SERVER['HTTP_REFERER']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

10. Cross Site Scripting through print()
Risk: MEDIUM
Code Line: 14
Vuln ID: 27
File: E:\Audit\mutillidae1.3\mutillidae\browser-info.php
Vulnerability:
14: print ("WhoIs info for your IP:","<small><pre>".WhoIs($_SERVER['REMOTE_ADDR'])."</pre></small>")
Input variable: $_SERVER['REMOTE_ADDR']
Stack (function/line/file):
0. print() 13 E:\Audit\mutillidae1.3\mutillidae\browser-info.php
User input flow:
0. $_SERVER['REMOTE_ADDR']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

11. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 15
Vuln ID: 28
File: E:\Audit\mutillidae1.3\mutillidae\browser-info.php
Vulnerability:
15: echo ($HTTP_COOKIE_VARS["TestCookie"])
Input variable: $HTTP_COOKIE_VARS["TestCookie"]
Stack (function/line/file):
0. echo() 14 E:\Audit\mutillidae1.3\mutillidae\browser-info.php
User input flow:
0. $HTTP_COOKIE_VARS["TestCookie"]
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

12. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 30
Vuln ID: 57
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
30: echo ("<b>Signature=</b>{$row['mysignature']}<br><p>")
Input variable: $_REQUEST["password"]
Stack (function/line/file):
0. echo() 29 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["password"]
1. $password
2. $query
3. $result
4. $row
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

13. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 5
Vuln ID: 40
File: E:\Audit\mutillidae1.3\mutillidae\register.php
Vulnerability:
5: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['QUERY_STRING']
Stack (function/line/file):
0. echo() 4 E:\Audit\mutillidae1.3\mutillidae\register.php
User input flow:
0. $_SERVER['QUERY_STRING']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

14. Cross Site Scripting through die()
Risk: MEDIUM
Code Line: 35
Vuln ID: 61
File: E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
Vulnerability:
35: die('Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>' .mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query)
Input variable: $_REQUEST["show_only_user"]
Stack (function/line/file):
0. die() 34 E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
User input flow:
0. $_REQUEST["show_only_user"]
1. $showonlyuser
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

15. Cross Site Scripting through die()
Risk: MEDIUM
Code Line: 33
Vuln ID: 20
File: E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
Vulnerability:
33: die('Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>' .mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query)
Input variable: $_REQUEST["input_from_form"]
Stack (function/line/file):
0. die() 32 E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
User input flow:
0. $_REQUEST["input_from_form"]
1. $inputfromform
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

16. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 5
Vuln ID: 59
File: E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
Vulnerability:
5: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['QUERY_STRING']
Stack (function/line/file):
0. echo() 4 E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
User input flow:
0. $_SERVER['QUERY_STRING']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

17. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 6
Vuln ID: 49
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
6: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['QUERY_STRING']
Stack (function/line/file):
0. echo() 5 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_SERVER['QUERY_STRING']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

18. Cross Site Scripting through print()
Risk: MEDIUM
Code Line: 11
Vuln ID: 24
File: E:\Audit\mutillidae1.3\mutillidae\browser-info.php
Vulnerability:
11: print ("Entire User Agent String",$_SERVER['HTTP_USER_AGENT'])
Input variable: $_SERVER['HTTP_USER_AGENT']
Stack (function/line/file):
0. print() 10 E:\Audit\mutillidae1.3\mutillidae\browser-info.php
User input flow:
0. $_SERVER['HTTP_USER_AGENT']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

19. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 5
Vuln ID: 31
File: E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
Vulnerability:
5: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['QUERY_STRING']
Stack (function/line/file):
0. echo() 4 E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
User input flow:
0. $_SERVER['QUERY_STRING']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

20. Cross Site Scripting through die()
Risk: MEDIUM
Code Line: 13
Vuln ID: 35
File: E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
13: die('Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>' .mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query)
Input variable: $_REQUEST["user_name"]
Stack (function/line/file):
0. die() 12 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. $_REQUEST["user_name"]
1. $username
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

21. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 28
Vuln ID: 53
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
28: echo ("<b>Username=</b>{$row['username']}<br>")
Input variable: $_REQUEST["password"]
Stack (function/line/file):
0. echo() 27 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["password"]
1. $password
2. $query
3. $result
4. $row
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

22. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 30
Vuln ID: 48
File: E:\Audit\mutillidae1.3\mutillidae\text-file-viewer.php
Vulnerability:
30: echo (stream_get_contents($handle))
Input variable: $_REQUEST["text_file_name"]
Stack (function/line/file):
0. echo() 29 E:\Audit\mutillidae1.3\mutillidae\text-file-viewer.php
User input flow:
0. $_REQUEST["text_file_name"]
1. $textfilename
2. $handle
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

23. Cross Site Scripting through print()
Risk: MEDIUM
Code Line: 7
Vuln ID: 22
File: E:\Audit\mutillidae1.3\mutillidae\browser-info.php
Vulnerability:
7: print ("IP",$_SERVER['REMOTE_ADDR'])
Input variable: $_SERVER['REMOTE_ADDR']
Stack (function/line/file):
0. print() 6 E:\Audit\mutillidae1.3\mutillidae\browser-info.php
User input flow:
0. $_SERVER['REMOTE_ADDR']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

24. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 7
Vuln ID: 42
File: E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
Vulnerability:
7: echo ("<form method=\"GET\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['QUERY_STRING']
Stack (function/line/file):
0. echo() 6 E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
User input flow:
0. $_SERVER['QUERY_STRING']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

25. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 7
Vuln ID: 46
File: E:\Audit\mutillidae1.3\mutillidae\text-file-viewer.php
Vulnerability:
7: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['QUERY_STRING']
Stack (function/line/file):
0. echo() 6 E:\Audit\mutillidae1.3\mutillidae\text-file-viewer.php
User input flow:
0. $_SERVER['QUERY_STRING']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

26. Cross Site Scripting through print()
Risk: MEDIUM
Code Line: 9
Vuln ID: 23
File: E:\Audit\mutillidae1.3\mutillidae\browser-info.php
Vulnerability:
9: print ("Hostname",gethostbyaddr($_SERVER['REMOTE_ADDR']))
Input variable: $_SERVER['REMOTE_ADDR']
Stack (function/line/file):
0. print() 8 E:\Audit\mutillidae1.3\mutillidae\browser-info.php
User input flow:
0. $_SERVER['REMOTE_ADDR']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

27. Cross Site Scripting through print()
Risk: MEDIUM
Code Line: 9
Vuln ID: 29
File: E:\Audit\mutillidae1.3\mutillidae\catch.php
Vulnerability:
9: print ($msg . "<BR>")
Input variable: $_REQUEST
Stack (function/line/file):
0. print() 8 E:\Audit\mutillidae1.3\mutillidae\catch.php
User input flow:
0. $_REQUEST
1. $v
2. $msg
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

28. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 6
Vuln ID: 50
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
6: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['SCRIPT_NAME']
Stack (function/line/file):
0. echo() 5 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_SERVER['SCRIPT_NAME']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

29. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 8
Vuln ID: 39
File: E:\Audit\mutillidae1.3\mutillidae\login.php
Vulnerability:
8: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['SCRIPT_NAME']
Stack (function/line/file):
0. echo() 7 E:\Audit\mutillidae1.3\mutillidae\login.php
User input flow:
0. $_SERVER['SCRIPT_NAME']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

30. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 65
Vuln ID: 36
File: E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
65: echo ('<blink><font color="#0000ff"><h2>You are logged in as ' . $logged_in_user . '</h2>' .$logged_in_usersignature . '</font></blink>')
Input variable: $_COOKIE["uid"]
Stack (function/line/file):
0. echo() 64 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. $_COOKIE["uid"]
1. $query
2. $result
3. $row
4. $logged_in_usersignature
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

31. Cross Site Scripting through die()
Risk: MEDIUM
Code Line: 23
Vuln ID: 51
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
23: die('Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>' .mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query)
Input variable: $_REQUEST["password"]
Stack (function/line/file):
0. die() 22 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["password"]
1. $password
2. $query
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

32. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 30
Vuln ID: 58
File: E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
30: echo ("<b>Signature=</b>{$row['mysignature']}<br><p>")
Input variable: $_REQUEST["view_user_name"]
Stack (function/line/file):
0. echo() 29 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["view_user_name"]
1. $viewusername
2. $query
3. $result
4. $row
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

33. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 5
Vuln ID: 41
File: E:\Audit\mutillidae1.3\mutillidae\register.php
Vulnerability:
5: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['SCRIPT_NAME']
Stack (function/line/file):
0. echo() 4 E:\Audit\mutillidae1.3\mutillidae\register.php
User input flow:
0. $_SERVER['SCRIPT_NAME']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

34. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 7
Vuln ID: 47
File: E:\Audit\mutillidae1.3\mutillidae\text-file-viewer.php
Vulnerability:
7: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['SCRIPT_NAME']
Stack (function/line/file):
0. echo() 6 E:\Audit\mutillidae1.3\mutillidae\text-file-viewer.php
User input flow:
0. $_SERVER['SCRIPT_NAME']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.

35. Cross Site Scripting through echo()
Risk: MEDIUM
Code Line: 8
Vuln ID: 38
File: E:\Audit\mutillidae1.3\mutillidae\login.php
Vulnerability:
8: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable: $_SERVER['QUERY_STRING']
Stack (function/line/file):
0. echo() 7 E:\Audit\mutillidae1.3\mutillidae\login.php
User input flow:
0. $_SERVER['QUERY_STRING']
Filter:
No mitigating factors; the input variable did not pass through PHP input validation functions.
36. Cross Site Scripting through die()
Risk: Code Line: Vuln ID:
MEDIUM 23 52
File:
E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
23: die('Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>' .mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query)
Input variable:
$_REQUEST["view_user_name"]
Stack (function/line/file):
0. die() 22 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["view_user_name"]
1. $viewusername
2. $query
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
37. Cross Site Scripting through echo()
Risk: MEDIUM    Code Line: 5    Vuln ID: 60
File:
E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
Vulnerability:
5: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable:
$_SERVER['SCRIPT_NAME']
Stack (function/line/file):
0. echo() 4 E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
User input flow:
0. $_SERVER['SCRIPT_NAME']
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
38. Cross Site Scripting through die()
Risk: MEDIUM    Code Line: 13    Vuln ID: 34
File:
E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
13: die('Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>' .mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query)
Input variable:
$_REQUEST["password"]
Stack (function/line/file):
0. die() 12 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. $_REQUEST["password"]
1. $password
2. $query
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
39. Cross Site Scripting through echo()
Risk: MEDIUM    Code Line: 29    Vuln ID: 56
File:
E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
29: echo ("<b>Password=</b>{$row['password']}<br>")
Input variable:
$_REQUEST["view_user_name"]
Stack (function/line/file):
0. echo() 28 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["view_user_name"]
1. $viewusername
2. $query
3. $result
4. $row
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
40. Cross Site Scripting through echo()
Risk: MEDIUM    Code Line: 65    Vuln ID: 37
File:
E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
65: echo ('<blink><font color="#0000ff"><h2>You are logged in as ' . $logged_in_user . '</h2>' .$logged_in_usersignature . '</font></blink>')
Input variable:
$_COOKIE["uid"]
Stack (function/line/file):
0. echo() 64 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. $_COOKIE["uid"]
1. $query
2. $result
3. $row
4. $logged_in_user
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
41. Cross Site Scripting through echo()
Risk: MEDIUM    Code Line: 25    Vuln ID: 45
File:
E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
Vulnerability:
25: echo ('<b>' . $phpfilename . ' source code:</b>')
Input variable:
$_REQUEST["php_file_name"]
Stack (function/line/file):
0. echo() 24 E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
User input flow:
0. $_REQUEST["php_file_name"]
1. $phpfilename
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
42. Cross Site Scripting through echo()
Risk: MEDIUM    Code Line: 5    Vuln ID: 19
File:
E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
Vulnerability:
5: echo ("<form method=\"POST\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable:
$_SERVER['SCRIPT_NAME']
Stack (function/line/file):
0. echo() 4 E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
User input flow:
0. $_SERVER['SCRIPT_NAME']
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
43. Cross Site Scripting through echo()
Risk: MEDIUM    Code Line: 7    Vuln ID: 43
File:
E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
Vulnerability:
7: echo ("<form method=\"GET\" action=\"" .$_SERVER['SCRIPT_NAME'] . "?" .$_SERVER['QUERY_STRING'] . "\">")
Input variable:
$_SERVER['SCRIPT_NAME']
Stack (function/line/file):
0. echo() 6 E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
User input flow:
0. $_SERVER['SCRIPT_NAME']
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
44. Cross Site Scripting through echo()
Risk: MEDIUM    Code Line: 40    Vuln ID: 62
File:
E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
Vulnerability:
40: echo ("<p><b>{$row['blogger_name']}:</b>({$row['date']})<br>{$row['comment']}</p>")
Input variable:
$_REQUEST["show_only_user"]
Stack (function/line/file):
0. echo() 39 E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
User input flow:
0. $_REQUEST["show_only_user"]
1. $showonlyuser
2. $query
3. $result
4. $row
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
45. Cross Site Scripting through echo()
Risk: MEDIUM    Code Line: 28    Vuln ID: 54
File:
E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
28: echo ("<b>Username=</b>{$row['username']}<br>")
Input variable:
$_REQUEST["view_user_name"]
Stack (function/line/file):
0. echo() 27 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. $_REQUEST["view_user_name"]
1. $viewusername
2. $query
3. $result
4. $row
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
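Remediation example for the Cross Site Scripting findings above. This is added by the editor; it is neither Mutillidae code nor ThunderScan output. Findings 33, 34, 35, 37, 42 and 43 share one sink, $_SERVER['SCRIPT_NAME'] . "?" . $_SERVER['QUERY_STRING'] written raw into a form's action attribute; findings 39, 40, 44 and 45 interpolate database columns straight into the page body, so any value that was stored unescaped (a blog comment, a username) is rendered as markup for every viewer. The code shows each pattern as flagged and then with context-aware escaping through htmlspecialchars(). The same h() helper is the fix for the hidden "page" input in source-viewer.php listed later under Misc. Dangerous Functions. The $server, $get and $row arrays are constructed for the demo, and the parameter whitelist ['page'] is an assumption rather than something the report specifies.

```php
<?php
// Added example, not Mutillidae's code. The two echo() patterns ThunderScan
// flags in this section, each as flagged and then with output escaping.

// Escapes for HTML text content and for double-quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// As flagged (findings 33-35, 37, 42, 43): QUERY_STRING is under the
// client's control and is written into the attribute unescaped, so
//   /login.php?x="><script>alert(1)</script>
// closes the action attribute and the injected tag is rendered.
function vulnerableForm(array $server): string
{
    return "<form method=\"POST\" action=\"" . $server['SCRIPT_NAME'] . "?"
        . $server['QUERY_STRING'] . "\">";
}

// Hardened: post back to the script's own path and carry forward only the
// parameters the page actually uses, rebuilt with http_build_query() and
// escaped for the attribute context. The whitelist is an assumption.
function saferForm(array $server, array $get, array $keep = ['page']): string
{
    $params = array_intersect_key($get, array_flip($keep));
    $action = $server['SCRIPT_NAME'];
    if ($params !== []) {
        $action .= '?' . http_build_query($params);
    }
    return '<form method="POST" action="' . h($action) . '">';
}

// As flagged (findings 39, 40, 44, 45): columns read back from the database
// are interpolated unescaped, so anything stored earlier comes back as
// stored XSS for every viewer.
function vulnerableBlogEntry(array $row): string
{
    return "<p><b>{$row['blogger_name']}:</b>({$row['date']})<br>{$row['comment']}</p>";
}

// Hardened: every dynamic value passes through h() at the point of output.
function saferBlogEntry(array $row): string
{
    return '<p><b>' . h($row['blogger_name']) . ':</b>(' . h($row['date']) . ')<br>'
        . h($row['comment']) . '</p>';
}

// Constructed sample input for the demo (not taken from the report).
$server = [
    'SCRIPT_NAME'  => '/mutillidae/view-someones-blog.php',
    'QUERY_STRING' => 'page=view-someones-blog.php&x="><script>alert(1)</script>',
];
$get = ['page' => 'view-someones-blog.php', 'x' => '"><script>alert(1)</script>'];
$row = [
    'blogger_name' => 'anonymous',
    'date'         => '2012-07-10',
    'comment'      => '<img src=x onerror=alert(document.cookie)>',
];

echo vulnerableForm($server), "\n";    // attribute closed early; the script tag reaches the browser
echo saferForm($server, $get), "\n";   // only the whitelisted parameter survives, escaped
echo vulnerableBlogEntry($row), "\n";  // the onerror handler fires in the viewer's browser
echo saferBlogEntry($row), "\n";       // the img tag is displayed as literal text
```

Two caveats for triage. QUERY_STRING is fully attacker-controlled, so the login.php finding (35) is the clear-cut one; SCRIPT_NAME is derived by the server from the request path and is normally not attacker-writable, although some CGI/PATH_INFO configurations do let request data reach it, so escaping both costs nothing. Escaping also does not address what finding 39 actually echoes: user-info.php prints $row['password'] to the page, and that disclosure remains after the XSS is fixed.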
File Manipulation (2)
1. File Manipulation through fwrite()
Risk: MEDIUM    Code Line: 8    Vuln ID: 63
File:
E:\Audit\mutillidae1.3\mutillidae\catch.php
Vulnerability:
8: fwrite($handle, $msg)
Input variable:
$_REQUEST
Stack (function/line/file):
0. fwrite() 7 E:\Audit\mutillidae1.3\mutillidae\catch.php
User input flow:
0. $_REQUEST
1. $v
2. $msg
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
2. File Manipulation through fwrite()
Risk: MEDIUM    Code Line: 8    Vuln ID: 64
File:
E:\Audit\mutillidae1.3\mutillidae\catch.php
Vulnerability:
8: fwrite($handle, $msg)
Input variable:
$_REQUEST
Stack (function/line/file):
0. fwrite() 7 E:\Audit\mutillidae1.3\mutillidae\catch.php
User input flow:
0. $_REQUEST
1. $k
2. $msg
Filter:
No mitigating factors: the input variable did not pass through any PHP input validation function.
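Remediation example for the two File Manipulation findings. This is added by the editor; it is neither Mutillidae code nor ThunderScan output. The flow the scanner reports is $_REQUEST to $k / $v to $msg to fwrite(): request keys and values, not the file path, reach the write, so the concrete risk is log injection. A value containing CR/LF forges additional records, and a value containing markup becomes stored XSS if the log is ever rendered in a browser. The code reproduces the flagged loop and then writes one JSON object per line instead. The request array, the remote address and the log path under the system temp directory are constructed for the demo.

```php
<?php
// Added example, not Mutillidae's code. catch.php concatenates every request
// key/value into $msg and fwrite()s it; this shows why that is log injection
// and one safe line format.

// As flagged: keys and values go into the line untouched.
function vulnerableLogLine(array $request): string
{
    $msg = '';
    foreach ($request as $k => $v) {
        $msg .= $k . '=' . $v . ' ';
    }
    return $msg . "\n";
}

// Hardened: one JSON object per line. json_encode() escapes CR, LF and other
// control characters, and the JSON_HEX_* flags also encode < > & ' " so a
// later viewer page cannot be attacked through the log. Keys and values are
// length-capped so a single request cannot flood the file.
function safeLogLine(array $request, string $remoteAddr): string
{
    $entry = ['ts' => gmdate('c'), 'remote' => $remoteAddr, 'params' => []];
    foreach ($request as $k => $v) {
        $value = is_array($v) ? (json_encode($v) ?: '') : (string) $v;
        $entry['params'][substr((string) $k, 0, 64)] = substr($value, 0, 1024);
    }
    return json_encode(
        $entry,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    ) . "\n";
}

// The write itself: a fixed path chosen by the application, never by the
// request, with an exclusive lock so concurrent requests do not interleave.
function appendLogLine(string $path, string $line): void
{
    $h = fopen($path, 'ab');
    if ($h === false) {
        throw new RuntimeException("cannot open log file $path");
    }
    flock($h, LOCK_EX);
    fwrite($h, $line);
    flock($h, LOCK_UN);
    fclose($h);
}

// Constructed request: one value smuggles a forged second record, another
// carries markup aimed at whoever views the log.
$request = [
    'user_name' => "alice\n2012-07-10 user_name=admin login=success",
    'page'      => '<script>alert(1)</script>',
];

echo vulnerableLogLine($request);   // two physical lines; the forged one looks genuine
$line = safeLogLine($request, '203.0.113.7');
echo $line;                         // a single line; the newline and the tag are escaped
appendLogLine(sys_get_temp_dir() . '/catch-demo.log', $line);
```

Whatever consumes the log afterwards must still treat each field as untrusted text; the JSON line format only guarantees that one request produces exactly one record and that no raw markup sits in the file.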
Misc. Dangerous Functions (25)
1. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 11    Vuln ID: 67
File:
E:\Audit\mutillidae1.3\mutillidae\closedb.inc
Vulnerability:
11: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 10 E:\Audit\mutillidae1.3\mutillidae\closedb.inc
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
2. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 59    Vuln ID: 71
File:
E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
59: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 58 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
3. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 58    Vuln ID: 70
File:
E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
58: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 57 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
4. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 54    Vuln ID: 80
File:
E:\Audit\mutillidae1.3\mutillidae\setupreset.php
Vulnerability:
54: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 53 E:\Audit\mutillidae1.3\mutillidae\setupreset.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
5. Misc. Dangerous Functions through Information Disclosure - phpinfo()
Risk: LOW    Code Line: 20    Vuln ID: 68
File:
E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
Vulnerability:
20: phpinfo
Input variable:
N/A
Stack (function/line/file):
0. phpinfo() 19 E:\Audit\mutillidae1.3\mutillidae\dns-lookup.php
User input flow:
0. N/A
1. Information Disclosure - phpinfo
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
6. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 34    Vuln ID: 78
File:
E:\Audit\mutillidae1.3\mutillidae\setupreset.php
Vulnerability:
34: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 33 E:\Audit\mutillidae1.3\mutillidae\setupreset.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
7. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 45    Vuln ID: 79
File:
E:\Audit\mutillidae1.3\mutillidae\setupreset.php
Vulnerability:
45: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 44 E:\Audit\mutillidae1.3\mutillidae\setupreset.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
8. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 8    Vuln ID: 87
File:
E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
Vulnerability:
8: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 7 E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
9. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 35    Vuln ID: 88
File:
E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
Vulnerability:
35: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 34 E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
10. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 25    Vuln ID: 77
File:
E:\Audit\mutillidae1.3\mutillidae\setupreset.php
Vulnerability:
25: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 24 E:\Audit\mutillidae1.3\mutillidae\setupreset.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
11. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 4    Vuln ID: 72
File:
E:\Audit\mutillidae1.3\mutillidae\opendb.inc
Vulnerability:
4: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 3 E:\Audit\mutillidae1.3\mutillidae\opendb.inc
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
12. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 33    Vuln ID: 65
File:
E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
Vulnerability:
33: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 32 E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
13. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 5    Vuln ID: 82
File:
E:\Audit\mutillidae1.3\mutillidae\show-log.php
Vulnerability:
5: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 4 E:\Audit\mutillidae1.3\mutillidae\show-log.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
14. Misc. Dangerous Functions through Hidden HTML Input - page()
Risk: LOW    Code Line: 8    Vuln ID: 84
File:
E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
Vulnerability:
8: <input type="hidden" name="page" value="' . $_REQUEST["page"] . '">
Input variable:
N/A
Stack (function/line/file):
0. Hidden HTML Input - page 7 E:\Audit\mutillidae1.3\mutillidae\source-viewer.php
User input flow:
0. N/A
1. Hidden HTML Input - page
Filter:
No mitigating factors: $_REQUEST["page"] is written into the hidden input's value attribute without passing through any PHP input validation function.
15. Misc. Dangerous Functions through Information Disclosure - phpinfo()
Risk: LOW    Code Line: 34    Vuln ID: 74
File:
E:\Audit\mutillidae1.3\mutillidae\register.php
Vulnerability:
34: phpinfo
Input variable:
N/A
Stack (function/line/file):
0. phpinfo() 33 E:\Audit\mutillidae1.3\mutillidae\register.php
User input flow:
0. N/A
1. Information Disclosure - phpinfo
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
16. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 23    Vuln ID: 85
File:
E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
23: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 22 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
17. Misc. Dangerous Functions through Information Disclosure - phpinfo()
Risk: LOW    Code Line: 15    Vuln ID: 83
File:
E:\Audit\mutillidae1.3\mutillidae\show-log.php
Vulnerability:
15: phpinfo
Input variable:
N/A
Stack (function/line/file):
0. phpinfo() 14 E:\Audit\mutillidae1.3\mutillidae\show-log.php
User input flow:
0. N/A
1. Information Disclosure - phpinfo
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
18. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 14    Vuln ID: 75
File:
E:\Audit\mutillidae1.3\mutillidae\setupreset.php
Vulnerability:
14: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 13 E:\Audit\mutillidae1.3\mutillidae\setupreset.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
19. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 67    Vuln ID: 81
File:
E:\Audit\mutillidae1.3\mutillidae\setupreset.php
Vulnerability:
67: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 66 E:\Audit\mutillidae1.3\mutillidae\setupreset.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
20. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 13    Vuln ID: 69
File:
E:\Audit\mutillidae1.3\mutillidae\header.php
Vulnerability:
13: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 12 E:\Audit\mutillidae1.3\mutillidae\header.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
21. Misc. Dangerous Functions through Information Disclosure - phpinfo()
Risk: LOW    Code Line: 45    Vuln ID: 89
File:
E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
Vulnerability:
45: phpinfo
Input variable:
N/A
Stack (function/line/file):
0. phpinfo() 44 E:\Audit\mutillidae1.3\mutillidae\view-someones-blog.php
User input flow:
0. N/A
1. Information Disclosure - phpinfo
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
22. Misc. Dangerous Functions through Information Disclosure - phpinfo()
Risk: LOW    Code Line: 43    Vuln ID: 66
File:
E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
Vulnerability:
43: phpinfo
Input variable:
N/A
Stack (function/line/file):
0. phpinfo() 42 E:\Audit\mutillidae1.3\mutillidae\add-to-your-blog.php
User input flow:
0. N/A
1. Information Disclosure - phpinfo
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
23. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 28    Vuln ID: 73
File:
E:\Audit\mutillidae1.3\mutillidae\register.php
Vulnerability:
28: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 27 E:\Audit\mutillidae1.3\mutillidae\register.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
24. Misc. Dangerous Functions through Information Disclosure - phpinfo()
Risk: LOW    Code Line: 37    Vuln ID: 86
File:
E:\Audit\mutillidae1.3\mutillidae\user-info.php
Vulnerability:
37: phpinfo
Input variable:
N/A
Stack (function/line/file):
0. phpinfo() 36 E:\Audit\mutillidae1.3\mutillidae\user-info.php
User input flow:
0. N/A
1. Information Disclosure - phpinfo
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
25. Misc. Dangerous Functions through Error Handling - mysql_error()
Risk: LOW    Code Line: 16    Vuln ID: 76
File:
E:\Audit\mutillidae1.3\mutillidae\setupreset.php
Vulnerability:
16: mysql_error
Input variable:
N/A
Stack (function/line/file):
0. mysql_error() 15 E:\Audit\mutillidae1.3\mutillidae\setupreset.php
User input flow:
0. N/A
1. Error Handling - mysql_error
Filter:
Not applicable: this finding has no tainted input variable; it flags the call itself.
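Remediation example for the mysql_error() entries in this section and for the two die() sinks in the Cross Site Scripting section (findings 36 and 38). This is added by the editor; it is neither Mutillidae code nor ThunderScan output. All of these render a database error to the browser. The die() variant also appends $query, which already contains the request's view_user_name or password value, so the attacker's input is reflected as HTML and the driver's message tells them exactly how their quoting broke the statement. The code shows the page as the report quotes it, then a handler that logs the detail server-side under a reference id and returns a generic message, plus the user lookup rewritten with a bound parameter. It requires the mysqli extension. The host, credentials, the table name "accounts" and the sample driver message are assumptions for the demo; with no reachable database the connect throws, which exercises the safe path.

```php
<?php
// Added example, not Mutillidae's code. Shows the error page ThunderScan flags
// in header.php / user-info.php, then a handler that keeps the detail server-side.

// As flagged: driver error and the failing statement (with the user's raw
// input inside it) are sent straight to the browser.
function leakyErrorPage(string $query, string $driverError): string
{
    return 'Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>'
        . $driverError . '<p><b>SQL Statement:</b>' . $query;
}

// Hardened: full detail to the server log only, keyed by a random reference
// id; the client gets a generic message and a 500. Nothing request-derived
// is written into the response.
function safeErrorPage(Throwable $e, string $context): string
{
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf('[db-error %s] %s | %s', $ref, $e->getMessage(), $context));
    if (PHP_SAPI !== 'cli') {
        http_response_code(500);
    }
    return 'A database error occurred (reference ' . $ref . ').';
}

// The user-info lookup with the request value bound as a parameter rather than
// concatenated, and mysqli set to throw on failure so no code path can fall
// through to a die() carrying driver text. Host, credentials and the table
// name "accounts" are assumptions for the demo.
function lookupUser(string $viewUserName): array
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = new mysqli('127.0.0.1', 'mutillidae', 'secret', 'mutillidae');
    $stmt = $conn->prepare('SELECT username FROM accounts WHERE username = ?');
    $stmt->bind_param('s', $viewUserName);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed demo input: a probe that both breaks the SQL and carries markup.
$viewUserName = "' OR 1=1 -- <script>alert(document.cookie)</script>";
$legacyQuery  = "SELECT * FROM accounts WHERE username='" . $viewUserName . "'";

// 1. What the flagged code returns (driver text constructed for the demo).
echo leakyErrorPage($legacyQuery, 'You have an error in your SQL syntax'), "\n";

// 2. The hardened path. With no database reachable the connect itself throws,
//    which is enough to show that the client only ever sees the generic message.
try {
    print_r(lookupUser($viewUserName));
} catch (mysqli_sql_exception $e) {
    echo safeErrorPage($e, 'lookupUser view_user_name=' . json_encode($viewUserName)), "\n";
}
```

The reference id is what makes the generic message workable in practice: support staff grep the server log for it, and nothing about the schema or the failing statement leaves the server. The same handler replaces every mysql_error() call listed in this section, including the ones in setupreset.php and opendb.inc that run without any user input.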
Dangerous File Extensions (1)
1. Dangerous File Extensions opendb.inc
Risk: LOW    Code Line: 1    Vuln ID: 90
File:
E:\Audit\mutillidae1.3\mutillidae\opendb.inc
Vulnerability:
1: opendb.inc
Input variable:
N/A
Stack (function/line/file):
0. N/A 0 E:\Audit\mutillidae1.3\mutillidae\opendb.inc
User input flow:
0. N/A
Filter:
Not applicable: the finding concerns the file's extension, not an input variable. A web server that hands only *.php files to the PHP interpreter serves opendb.inc as plain text, so its source is exposed to any client that requests it directly.