incorrect results / false positives about iniscan HOT 9 OPEN

The bug is here:
https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/Rule.php#L369
Instead of $test->value which returns
https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/rules.json#L148
should be $ini[$test->key] are set.

from iniscan.

Hmm, interesting - I'll have to look into this one further to see what's happening here. There's "casting" functionality in the Psecio\Iniscan\Cast class that tries to normalize out the 1/0/Off/On/etc values to the same result but maybe there's something getting lost in the shuffle there with some of the PHP 7 updates.

from iniscan.

I encountered the same thing. +1 for fixing it.

from iniscan.

@enygma The cast is correct. It seems more an error with the "current value" column.
See my example for "allow_url_fopen".

The real value:

The result of iniscan:

Current value shows "0" but is definitly 1 ("On").

from iniscan.

Hmm, trying to reproduce this one but it seems that things are reporting back correctly on a PHP 7.0 configuration file. I've tried:

allow_url_fopen = Off
allow_url_fopen = 0

Both seem to work as expected:

PASS   | ERROR    | 4.0.3       | 0             | allow_url_fopen               | Do not allow the opening of remote file resources ('Off' recommended)

Is there something I'm missing to reproduce this issue?

from iniscan.

(discard warning about session.cookie_httponly, it was my mistake, sorry about the noise)

from iniscan.

@tommy-muehle any update on how to reproduce this?

from iniscan.

@enygma
Sorry for the late response!

I tried it also with my iniscan Docker container and this ini file.

Here are the steps to reproduce:

cd /tmp
curl -o php.ini https://gist.githubusercontent.com/tommy-muehle/4a59294d1799c19254780788f1f6f1e6/raw/e6133995df411ecf158892d338512a11949863d6/php.ini
docker run --rm -ti -v $(pwd):/tmp dockerizedphp/iniscan scan --fail-only --path=/tmp/php.ini

Inside the container runs PHP 7.1 if this is necessary.

from iniscan.

For upload_max_filesize (16M -> 2M), post_max_size (24M -> 8M) and memory_limit (256M -> 128M) it returns me the default value and not the current value. For allow_url_fopen it cast me On to 0. And for disable_functions it displays and empty value instead of pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,.
Also for session.use_strict_mode the value is 0 but is displays 1, however it still detect it as failed so the cast occurs after.
Happening on PHP 7.4 if that matters.

from iniscan.