Mitigation
Mitigating these vulnerabilities is a little tricky; in fact, when you report an SSTI it is hard to explain, because a severe SSTI is usually classified as another vulnerability. Keep the following points in mind while writing the recommendations for your report:
- Validate the strings being loaded as if you were passing them to an `eval()` function.
- Implement protections against Local File Inclusion (LFI). When functionality is added through an attack, it works like a `require` function.
- Do not pass dynamic data directly into a template. Instead, use the engine's built-in functionality for passing data.