PHP
This article covers PHP support and vulnerability detection for Mend SAST.
Mend SAST-supported PHP file types

| File Type |
|---|
| .php |
| .php2** |
| .php3** |
| .php4** |
| .php5** |
| .php6** |
| .phtm** |

**Note:** Extensions marked with ** are 'Secondary' file extensions. They are only scanned if at least one file with one of the 'Primary' file extensions (.php in the list above) is present to identify the language as PHP.
Mend SAST-supported PHP frameworks
| Framework |
|---|
| Cake PHP |
| CodeIgniter |
| Kohana |
| Laravel |
| Phalcon |
| Symfony |
| Yii |
| Zend |
Mend SAST-supported PHP vulnerability types
The PHP vulnerability types detected by SAST are listed below, grouped by severity and ordered by CWE ID within each severity.
PHP high-severity vulnerability types
| CWE | Vulnerability Type |
|---|---|
| CWE-22 | Path/Directory Traversal |
| CWE-73 | File Manipulation |
| CWE-78 | Command Injection |
| CWE-78 | FTP Command Injection |
| CWE-79 | Cross-Site Scripting |
| CWE-89 | SQL Injection |
| CWE-94 | Code Injection |
| CWE-98 | PHP File Inclusion |
| CWE-384 | Session Fixation |
| CWE-502 | Deserialization of Untrusted Data |
| CWE-643 | XPath Injection |
| CWE-918 | Server-Side Request Forgery |
PHP medium-severity vulnerability types
| CWE | Vulnerability Type |
|---|---|
| CWE-90 | LDAP Injection |
| CWE-209 | Error Messages Information Exposure |
| CWE-209 | Log Messages Information Leak |
| CWE-338 | Weak Pseudo-Random |
| CWE-400 | Regex Denial of Service (ReDoS) |
| CWE-472 | Hidden HTML Input |
| CWE-611 | XML External Entity (XXE) Injection |
| CWE-676 | Miscellaneous Dangerous Functions |
| CWE-798 | Hardcoded Password/Credentials |
PHP low-severity vulnerability types
| CWE | Vulnerability Type |
|---|---|
| CWE-20 | Mail Relay |
| CWE-20 | Cookie Injection |
| CWE-113 | HTTP Header Injection |
| CWE-113 | HTTP Response Splitting |
| CWE-326 | Weak Encryption Strength |
| CWE-434 | File Upload |
| CWE-530 | Dangerous File Extensions |
| CWE-601 | Unvalidated/Open Redirect |
| CWE-941 | Arbitrary Server Connection |
| CWE-1004 | Cookie Without 'HttpOnly' Flag |