Update index.php #58

Open
hugbubby wants to merge 3 commits into master from hugbubby-patch-16

Echo GET parameter 'test' in index.php

6b1628e
ZeroPath AI Dev / ZeroPath Security Scan failed Mar 23, 2026 in 1m 21s

Scan completed

Blocking issue(s) found.

Details

2 possible security or compliance issues detected. Reviewed everything up to 6b1628e.

The following issues were found:

  • Issue 1: Cross Site Scripting (XSS)
    • Location: index.php:435-436
    • Score: CRITICAL (90.0)
    • Description: Directly echoes user-controlled GET parameter without any validation or escaping: echo $_GET['asdf'];. This creates a reflected Cross-Site Scripting (XSS) vulnerability because an attacker can craft a URL with JavaScript in the 'asdf' parameter which will be reflected into the page and executed in victims' browsers.
    • Link to UI: https://dev.branch.zeropath.com/app/issues/c8d7c93c-4ba5-4856-bc5c-b42c2e5a472c (Issue 1, id: c8d7c93c-4ba5-4856-bc5c-b42c2e5a472c)
  • Issue 2: Cross Site Scripting (XSS)
    • Location: tags.php:16-17
    • Score: HIGH (81.0)
    • Description: Reflected Cross-Site Scripting (XSS): the new code directly echoes an HTTP GET parameter ($_GET['asdf']) into the HTTP response without any validation or encoding. An attacker can craft a URL such as /tags.php?asdf=<script>alert(1)</script> to execute arbitrary JavaScript in victims' browsers, leading to session theft, CSRF escalation, or other client-side attacks. The echo is also placed before the access check (check_status), which may expose the output to unauthenticated users.
    • Link to UI: https://dev.branch.zeropath.com/app/issues/e5c32dcc-66ec-40f2-bf71-b6687eecac79 (Issue 2, id: e5c32dcc-66ec-40f2-bf71-b6687eecac79)
Security Overview

Detected Code Changes

Change Type    Relevant files
Enhancement    index.php
                 Echo GET parameter 'test'
                 Echo GET parameter 'asdf'
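The two findings above describe the same pattern: a raw `$_GET` value is echoed into the HTML response, and in tags.php it happens before the access check runs. The block below is an added example, not code from this PR or repository. It places the flagged pattern beside a hardened version so the difference is visible in one place. The parameter name 'asdf' and the name check_status come from the scan output; the function names render_vulnerable and render_hardened, the callable passed in for the access check, and the sample payload are assumptions made for this example.

```php
<?php
// Added example (not the PR's own code). Shows the reflected-XSS pattern
// ZeroPath flagged and one way to fix it. Names other than 'asdf' and
// check_status are assumptions made for this example.

declare(strict_types=1);

// Vulnerable: reflects the raw query parameter into the HTML response.
// Behaviourally the same as the flagged `echo $_GET['asdf'];`.
function render_vulnerable(array $get): string
{
    return $get['asdf'] ?? '';
}

// Hardened:
//  1. Run the access check first so an unauthenticated request produces
//     no output at all (Issue 2 notes the echo sits before check_status).
//  2. Reject non-string input: a URL like ?asdf[]=x makes $_GET['asdf']
//     an array, which would otherwise raise a warning or be coerced.
//  3. HTML-encode the value for the element-content context. ENT_QUOTES
//     also covers attribute contexts; ENT_SUBSTITUTE replaces invalid
//     UTF-8 instead of returning an empty string.
function render_hardened(array $get, callable $check_status): string
{
    if (!$check_status()) {
        return '';
    }
    $value = $get['asdf'] ?? '';
    if (!is_string($value)) {
        return '';
    }
    return htmlspecialchars(
        $value,
        ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
        'UTF-8'
    );
}

// Constructed input, modelled on the URL quoted in Issue 2:
//   /tags.php?asdf=<script>alert(1)</script>
$payload = ['asdf' => '<script>alert(1)</script>'];

// Unauthenticated request: the hardened path emits nothing.
$denied = render_hardened($payload, fn(): bool => false);

// Authenticated request: the payload comes back as inert text.
$escaped = render_hardened($payload, fn(): bool => true);

echo "vulnerable: " . render_vulnerable($payload) . PHP_EOL;
echo "hardened (denied): '" . $denied . "'" . PHP_EOL;
echo "hardened (allowed): " . $escaped . PHP_EOL;
```

htmlspecialchars() is the right tool only when the value lands in HTML element content or a quoted attribute. If the parameter is ever written into a `<script>` block, a `javascript:` or `href` value, or an inline event handler, that context needs its own encoding (for example json_encode() with the JSON_HEX_* flags for script context), and a URL value should additionally be checked against an allow-list of schemes. Moving the access check ahead of all output also matters on its own: a page that prints before it decides whether the caller is allowed leaks whatever it printed.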