Hello,
I noticed that the elFinder project uses the cmd GET parameter to handle various operations. However, according to OWASP’s list of top 25 risky parameters, the cmd parameter is considered a security risk, as it is commonly exploited in command injection attacks.
In our company, we enforce strict security policies that block the use of high-risk parameters, including cmd. As a result, integrating elFinder into our system presents a challenge.
Would you consider providing an alternative to the cmd parameter, such as a different naming convention or a more secure approach to handling commands?
Looking forward to your thoughts.
Best regards