Remote Code Execution Vulnerability in gridx latest version

hi,
We found a remote code execution vulnerability in gridx latest version that could allow an attacker to remotely execute arbitrary code to attack an attack server.
![image](https://user-images.githubusercontent.com/29913520/59477784-54730a80-8e89-11e9-9d56-a78b307f9780.png)
code line in 265: The query parameter is directly brought into the eval function.

payload:
http://127.0.0.1/gridx-master/tests/support/stores/test_grid_filter.php?query=phpinfo();

This payload execution phpinfo();

![image](https://user-images.githubusercontent.com/29913520/59477864-a9168580-8e89-11e9-80e6-495f4041b438.png)

fix:
In php, the eval function is dangerous. It is not recommended to use it. If you must use it, you need to limit the incoming data.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Remote Code Execution Vulnerability in gridx latest version #433

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Remote Code Execution Vulnerability in gridx latest version #433

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions