SYM_PHP_0017 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

| Property | Value |
|---|---|
| Language | PHP |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description

Using user-supplied input (e.g., from $_GET, $_POST, or route parameters) directly in the PHP assert() function is dangerous because assert() effectively executes that input as arbitrary PHP code. This allows attackers to inject and run malicious code on your server.
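The pattern described above, shown as a vulnerable function next to a hardened replacement. This is an added example and is not code from the SymbioticSec wiki; it assumes PHP 7.x, where a string passed to assert() is compiled and executed as PHP code (deprecated in 7.2 and removed in 8.0, where string arguments are treated like any other value), and it assumes assertions are enabled (zend.assertions=1). The request arrays and the ALLOWED_PAGES list are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the wiki page). Assumes PHP 7.x with zend.assertions=1,
// where assert() evaluates a string argument as PHP code. Sample inputs are constructed.

// --- Vulnerable pattern -----------------------------------------------------
// A request parameter is interpolated into a string that assert() then compiles
// and runs. Whatever PHP expression the caller embeds is executed on the server.
function checkPageVulnerable(array $request): void
{
    $page = $request['page'] ?? 'home';
    // CWE-95: user input becomes code. The check can be rewritten by the caller.
    assert("'$page' === 'home' || '$page' === 'about'");
}

// --- Hardened replacement ----------------------------------------------------
// Untrusted input is compared against an allow-list and never reaches assert().
// assert() stays reserved for developer-controlled invariants (and is compiled
// out entirely with zend.assertions=-1 in production), so it must never be the
// mechanism that validates request data.
const ALLOWED_PAGES = ['home', 'about']; // constructed allow-list

function isAllowedPage($page): bool
{
    // Strict comparison: the value must be a string that exactly matches an entry.
    return is_string($page) && in_array($page, ALLOWED_PAGES, true);
}

function checkPageSafe(array $request): string
{
    $page = $request['page'] ?? 'home';
    if (!isAllowedPage($page)) {
        // Reject rather than fall through; log the rejection for detection purposes.
        throw new InvalidArgumentException('Rejected page parameter: ' . substr((string) $page, 0, 64));
    }
    return $page;
}

// Constructed sample requests. The second one, if it reached the vulnerable
// function, turns the assertion into an always-true expression instead of a
// comparison, which is what "injecting into dynamically evaluated code" means.
$benign  = ['page' => 'about'];
$hostile = ['page' => "about' || true || '"];

var_dump(checkPageSafe($benign));            // string(5) "about"
try {
    checkPageSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;          // Rejected page parameter: about' || true || '
}
```

Two points for reviewers: the fix is not to escape the string more carefully but to remove user data from assert() altogether and validate with an allow-list; and because zend.assertions is commonly -1 in production, the vulnerable version may appear harmless in one environment and be exploitable in another, so grep for `assert(` with a non-constant argument rather than relying on runtime behaviour.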
## Impact

If exploited, an attacker could execute arbitrary PHP code on your server, potentially taking full control of the application, accessing sensitive data, altering files, or further compromising the server. This can lead to data breaches, defacement, or complete system compromise.