Property

Language: php
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
OWASP: A03:2021 - Injection
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

Using user-supplied input (e.g., from $_GET, $_POST, or route parameters) directly in the PHP assert() function is dangerous because it effectively executes arbitrary PHP code from the user. This allows attackers to inject and run malicious code on your server.
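A vulnerable handler next to its hardened replacement, as an added example that is not part of this rule page; the endpoint, the `mode` query parameter and the allowlist are assumptions:

```php
<?php
// Added example, not from the original rule page. Assumes a hypothetical
// endpoint that selects an application mode from a "mode" query parameter.

// VULNERABLE: the request value is interpolated into the assertion string.
// Before PHP 8.0, assert() compiles and executes a string argument as PHP
// code, so the client controls code that runs on the server whenever
// assertions are enabled (zend.assertions = 1).
function switchModeVulnerable(): string
{
    $mode = $_GET['mode'] ?? 'safe';
    assert("in_array('$mode', ['safe', 'debug'])"); // CWE-95 sink
    return $mode;
}

// FIXED: validate the input explicitly against an allowlist and never pass
// request data to assert(). assert() is a development-time check for
// programmer invariants, not a runtime input validator.
const ALLOWED_MODES = ['safe', 'debug'];

function switchModeFixed(array $query): string
{
    $mode = $query['mode'] ?? 'safe';
    if (!is_string($mode) || !in_array($mode, ALLOWED_MODES, true)) {
        throw new InvalidArgumentException('unsupported mode');
    }
    // An assertion may only be a boolean expression over already-validated
    // values, never a string assembled from input.
    assert(in_array($mode, ALLOWED_MODES, true));
    return $mode;
}

// Interpreter-side hardening: in production set zend.assertions = -1 in
// php.ini so assert() calls are not compiled at all, and upgrade to PHP 8,
// where assert() no longer evaluates string arguments as code.
echo switchModeFixed(['mode' => 'debug']), PHP_EOL;
```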

Impact

If exploited, an attacker could execute arbitrary PHP code on your server, potentially taking full control of the application, accessing sensitive data, altering files, or further compromising the server. This can lead to data breaches, defacement, or complete system compromise.