FUEL-CMS icon indicating copy to clipboard operation
FUEL-CMS copied to clipboard
verified publisher icon daylightstudio

json_decode is dangerous

Open QiAnXinCodeSafe opened this issue 7 years ago • 0 comments

This json_decode will cause code injection. Such as json_decode("1;echo 1;")) https://github.com/daylightstudio/FUEL-CMS/blob/b24104b1152601e0c2f834b87c36e954e90912e8/fuel/modules/fuel/helpers/compatibility_helper.php#L44

Here json_decode data from COOKIE: https://github.com/daylightstudio/FUEL-CMS/blob/b24104b1152601e0c2f834b87c36e954e90912e8/fuel/modules/fuel/controllers/Module.php#L2173

QiAnXinCodeSafe avatar Jun 22 '18 09:06 QiAnXinCodeSafe