Spike PHP Security Audit Tool project is a tool that performs a static analysis of PHP code for security exploits.
To install, unzip Spike phpSecAudit package.
> unzip spike_phpSecAudit.zip
Change directory to your php repository.
> cd /path/to/code/to/audit
Execute the run.php, passing the file name or directory to audit.
> php /path/to/spike_phpSecAudit/run.php test_file.php
> php /path/to/spike_phpSecAudit/run.php dir_name
What's New in This Release:
· Modified to be PHP 4 friendly.
· A few functions have been added to the knowledge base: extract, shell_exec, pcntl_exec, and exec.
· The organization of the knowledge base file (vuln_db.xml) has been slightly improved.
· The _getAllPhpFiles function may miss a few (unverified).
· The tokenizer needs to be able to differentiate between a native function call and class method call of the same name, i.e. mail() and $class->mail().