Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code

[cehd]

Hi guys, from our EH process we've got this report:

The file mootools-1.2-core-nc.js interprets unvalidated user input as source code on line 34. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

I wanna know if u know about this issue, maybe it's a false/positive, but I would ask u first. Just in case if it's an know issue, from what version was it solved?

Regards!!

[DimitarChristoff]

This is probably to do with the old eval based packer. It's also 5+ years old, and realistically given the custom mootools packer and lack of code you posted, impossible to determine. Going forward just use 1.5+ without compat mode

On Mon, 5 Feb 2018 at 9:24 pm, cehd ***@***.***> wrote: Hi guys, from our EH process we've got this report: The file mootools-1.2-core-nc.js interprets unvalidated user input as source code on line 34. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code. I wanna know if u know about this issue, maybe it's a false/positive, but I would ask u first. Just in case if it's an know issue, from what version was it solved? Regards!! — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2792>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAHSzGLQdazSluG6QgNBigbdvUPr2-LQks5tR2OEgaJpZM4R6C9Q> .

-- Dimitar Christoff "JavaScript is to JAVA what hamster is to ham" @D_mitar - https://github.com/DimitarChristoff