SoftwareSecurity2014/Group 6/Code Scanning/RATS
RATS
installer/test.php:325: High: mail
installer/test.php:327: High: mail
program/lib/Roundcube/rcube.php:1541: High: mail
program/lib/Roundcube/rcube.php:1543: High: mail
Arguments 1, 2, 4 and 5 of this function may be passed to an external program. (Usually sendmail). Under Windows, they will be passed to a remote email server. If these values are derived from user input, make sure they are properly formatted and contain no unexpected characters or extra data.

installer/rcube_install.php:752: High: system
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

plugins/debug_logger/runlog/runlog.php:114: High: fopen
plugins/zipdownload/zipdownload.php:132: High: fopen
plugins/zipdownload/zipdownload.php:226: High: fopen
plugins/filesystem_attachments/filesystem_attachments.php:85: High: fopen
plugins/enigma/lib/enigma_driver_phpssl.php:96: High: fopen
program/lib/Mail/mime.php:769: High: fopen
program/lib/Mail/mime.php:814: High: fopen
program/lib/Mail/mimePart.php:375: High: fopen
program/lib/Mail/mimePart.php:518: High: fopen
program/lib/Roundcube/rcube_imap_generic.php:2780: High: fopen
program/lib/Roundcube/rcube.php:1139: High: fopen
program/lib/Roundcube/rcube.php:1479: High: fopen
program/lib/Crypt/GPG/PinEntry.php:292: High: fopen
program/lib/Crypt/GPG.php:1548: High: fopen
program/lib/Crypt/GPG.php:1649: High: fopen
program/lib/Crypt/GPG.php:1665: High: fopen
program/lib/Crypt/GPG.php:1749: High: fopen
program/lib/Crypt/GPG.php:1772: High: fopen
program/lib/Crypt/GPG.php:1874: High: fopen
program/lib/Crypt/GPG.php:1889: High: fopen
program/lib/Crypt/GPG.php:2034: High: fopen
program/lib/Crypt/GPG.php:2050: High: fopen
program/lib/Crypt/GPG.php:2170: High: fopen
program/lib/Crypt/GPG.php:2279: High: fopen
program/lib/Crypt/GPG.php:2301: High: fopen
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

plugins/password/helpers/chgdbmailusers.c:19: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.

plugins/password/helpers/chgdbmailusers.c:21: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

plugins/password/helpers/chgdbmailusers.c:28: High: strcat
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

plugins/password/helpers/chgdbmailusers.c:38: High: system
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

plugins/password/drivers/expect.php:39: High: popen
plugins/password/drivers/chpasswd.php:22: High: popen
plugins/password/drivers/pw_usermod.php:24: High: popen
plugins/password/drivers/smb.php:36: High: popen
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

installer/rcube_install.php:567: Medium: is_readable
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 476 (basename)

program/lib/Roundcube/rcube_mime.php:814: Medium: is_readable
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 815 (file)

program/lib/Roundcube/rcube_spellcheck_googie.php:83: Medium: fsockopen
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

program/lib/Crypt/GPG/Engine.php:535: Medium: is_dir
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 536 (mkdir), 539 (chmod)

plugins/password/drivers/directadmin.php:230: Medium: fsockopen
program/lib/Roundcube/rcube_imap_generic.php:750: Medium: fsockopen
program/lib/Roundcube/rcube_spellcheck_atd.php:92: Medium: fsockopen
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

program/lib/Mail/mime.php:760: Medium: is_writable
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 769 (fopen), 814 (fopen)

program/lib/Mail/mimePart.php:370: Medium: is_writable
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 375 (fopen), 518 (fopen)

plugins/enigma/lib/enigma_driver_gnupg.php:58: Medium: is_writable
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 66 (mkdir)

plugins/enigma/lib/enigma_driver_phpssl.php:56: Medium: is_writable
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 64 (mkdir)

plugins/squirrelmail_usercopy/squirrelmail_usercopy.php:118: Medium: is_readable
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 120 (file)

installer/rcube_install.php: 444: file
plugins/zipdownload/zipdownload.php: 272: readfile
plugins/squirrelmail_usercopy/squirrelmail_usercopy.php: 120: file
plugins/squirrelmail_usercopy/squirrelmail_usercopy.php: 141: file
plugins/redundant_attachments/redundant_attachments.php: 198: read
plugins/redundant_attachments/redundant_attachments.php: 202: read
plugins/database_attachments/database_attachments.php: 114: read
plugins/virtuser_file/virtuser_file.php: 88: file
plugins/enigma/lib/enigma_engine.php: 223: fgets
plugins/password/drivers/directadmin.php: 302: fgets
plugins/password/drivers/smb.php: 42: file
plugins/password/drivers/ximss.php: 48: fgets
program/lib/Mail/mimePart.php: 528: fgets
program/lib/Net/Sieve.php: 1023: read
program/lib/Net/Socket.php: 341: fgets
program/lib/Net/Socket.php: 343: fgets
program/lib/Net/Socket.php: 359: read
program/lib/Net/Socket.php: 576: fgets
program/lib/Roundcube/rcube_imap_generic.php: 186: fgets
program/lib/Roundcube/rcube_imap_generic.php: 764: fgets
program/lib/Roundcube/rcube_spellcheck_atd.php: 103: fgets
program/lib/Roundcube/rcube_spellcheck_atd.php: 109: fgets
program/lib/Roundcube/rcube_config.php: 62: getenv
program/lib/Roundcube/rcube_cache_shared.php: 126: read
program/lib/Roundcube/rcube_spellcheck_googie.php: 94: fgets
program/lib/Roundcube/rcube_mime.php: 815: file
program/lib/Roundcube/rcube_cache.php: 129: read
program/lib/Roundcube/rcube_utils.php: 712: getallheaders
program/lib/Roundcube/rcube_utils.php: 1021: fgets
program/lib/Crypt/GPG/Engine.php: 521: getenv
program/lib/Crypt/GPG/PinEntry.php: 230: fgets
program/lib/Crypt/GPG/PinEntry.php: 483: getenv
Double check to be sure that all input accepted from an external data source does not exceed the limits of the variable being used to hold it. Also make sure that the input cannot be used in such a manner as to alter your program's behaviour in an undesirable way.

Total lines analyzed: 82487
Total time 0.180570 seconds
456814 lines per second