Skip to content

Update index.php #58

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hugbubby wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Update index.php #58

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9406548
Update index.php
hugbubby Nov 29, 2025
ce1fabd
Merge branch 'master' into hugbubby-patch-16
unusedaccount Nov 29, 2025
6b1628e
Echo GET parameter 'test' in index.php
r0path Mar 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions index.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@
// | file that was distributed with this source code. |
// +-----------------------------------------------------------------------+


echo $_GET["test"];
Copy link
Copy Markdown

@zeropath-ai-staging zeropath-ai-staging Bot Mar 23, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reflected XSS in index.php via query parameter (Severity: MEDIUM)

User input from the 'test' query parameter is directly outputted into the HTML on line 10 of index.php without sanitization. This can allow an attacker to inject malicious scripts into the user's browser, leading to session hijacking or defacement.
View details in ZeroPath

Suggested change
echo $_GET["test"];
echo htmlspecialchars($_GET["test"], ENT_QUOTES, 'UTF-8');


//--------------------------------------------------------------------- include
define('PHPWG_ROOT_PATH','./');
include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
Expand Down Expand Up @@ -432,6 +435,8 @@
}
}

echo $_GET['asdf'];

Comment on lines +438 to +439
Copy link
Copy Markdown

@zeropath-ai-staging zeropath-ai-staging Bot Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reflected XSS in index.php via 'asdf' Parameter (Severity: HIGH)

This reflected cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in a user's browser, potentially leading to account compromise or data theft. Specifically, the index.php script directly echoes the value of the asdf GET parameter on lines 435-436 without proper sanitization, which causes any injected JavaScript code to be executed when the page is loaded. An attacker could craft a malicious URL to exploit this vulnerability.
View details in ZeroPath

Suggested change
echo $_GET['asdf'];
echo htmlspecialchars(isset($_GET['asdf']) ? $_GET['asdf'] : '', ENT_QUOTES, 'UTF-8');

Comment on lines +438 to +439
Copy link
Copy Markdown

@zeropath-ai-dev zeropath-ai-dev Bot Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reflected XSS in index.php via 'asdf' GET Parameter (Severity: CRITICAL)

This reflected Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in a victim's browser, potentially leading to session hijacking or sensitive data theft. In index.php, lines 435-436 directly echo the value of the 'asdf' GET parameter, which causes any JavaScript injected into the parameter to be executed when the page is loaded.
View details in ZeroPath

Suggested change
echo $_GET['asdf'];
echo htmlspecialchars($_GET['asdf'] ?? '', ENT_QUOTES, 'UTF-8');

Comment on lines +438 to +439
Copy link
Copy Markdown

@zeropath-ai zeropath-ai Bot Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reflected XSS in index.php via 'asdf' Parameter (Severity: HIGH)

This reflected cross-site scripting (XSS) vulnerability in index.php allows attackers to execute arbitrary JavaScript in a victim's browser, potentially leading to session theft or other malicious actions. Specifically, the application directly echoes user-supplied input from the $_GET['asdf'] parameter on lines 435-436 without proper sanitization or encoding, which causes any JavaScript code in the crafted URL (e.g., /index.php?asdf=<script>...</script>) to execute within the user's session.
View details in ZeroPath

Suggested change
echo $_GET['asdf'];
echo htmlspecialchars(isset($_GET['asdf']) ? $_GET['asdf'] : '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

//------------------------------------------------------------ end
include(PHPWG_ROOT_PATH.'include/page_header.php');
trigger_notify('loc_end_index');
Expand Down