Vulnerability in Decrypt() function

Recently, during a pentest on the code generated by PHPMaker v2026.9, I got the following report:

The improper decryption vulnerability occurs in the Decrypt() function located in the src/phpfn.php file due to incorrect implementation logic. Specifically, when the decryption process fails, the server returns the original input data instead of throwing an error or terminating execution to indicate that the provided data is invalid.

If exploited, this vulnerability may allow an attacker to supply malicious data in raw text format without providing a valid AES-encrypted ciphertext as expected by the application. As a result, attackers may bypass security assumptions made by the system and potentially leverage this behavior as a stepping stone to exploit other vulnerabilities such as unsafe deserialization, SQL injection, or other injection-based attacks.

// Decrypt by AES
function Decrypt(string $str, string $key = ""): string
{
    if (IsEmpty($str)) {
        return $str;
    }
    try {
        if ($key) {
            return (new Encrypter(AesEncryptionKey($key), Config("AES_ENCRYPTION_CIPHER")))->decryptString($str);
        } else {
            return Container(Encrypter::class)->decryptString($str);
        }
    } catch (DecryptException $e) {
        if (IsDebug()) { // the failure is only logged when debug mode is on
            LogError("Failed to decrypt. " . $e->getMessage());
        }
        return $str; // fail-open: the undecrypted input is handed back to the caller
    }
}

For now, I changed return $str to return "" and force LogError when it fails (to detect malicious attempts).
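A fail-closed version of the pattern above, as an added example that is not PHPMaker's code: AES-256-CBC with an HMAC-SHA256 tag built on PHP's own openssl/hash functions stands in for the Encrypter class the snippet calls (an assumption so the example runs stand-alone), and the key and inputs at the bottom are constructed. It shows plain unencrypted text and a tampered token both being rejected and logged instead of returned to the caller.

```php
<?php
// Added example, not PHPMaker's code. AES-256-CBC + HMAC-SHA256 via PHP's
// openssl/hash extensions stands in for the Encrypter class in the snippet.
final class DecryptFailure extends RuntimeException {}
const CIPHER = 'aes-256-cbc';
const MAC_LEN = 32;

function encryptString(string $plain, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct  = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $key, true);
    return base64_encode($iv . $ct . $mac);      // iv || ciphertext || mac
}

// Fail closed: malformed, forged or plain unencrypted input throws, so the
// caller never receives the raw input as if it had been decrypted.
function decryptStrict(string $str, string $key): string
{
    $raw   = base64_decode($str, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + MAC_LEN) {
        throw new DecryptFailure('payload malformed');
    }
    $iv  = substr($raw, 0, $ivLen);
    $mac = substr($raw, -MAC_LEN);
    $ct  = substr($raw, $ivLen, -MAC_LEN);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $mac)) {
        throw new DecryptFailure('MAC mismatch');  // tampered, or never encrypted
    }
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new DecryptFailure('decryption failed');
    }
    return $plain;
}

// Replacement for the catch block: log every failure (not only in debug)
// and return an empty string so downstream code never consumes raw input.
function decryptOrEmpty(string $str, string $key): string
{
    try {
        return decryptStrict($str, $key);
    } catch (DecryptFailure $e) {
        error_log('Decrypt failure: ' . $e->getMessage());
        return '';
    }
}

$key = random_bytes(32);                                  // constructed demo key
$tok = encryptString('user_id=42', $key);
$raw = base64_decode($tok); $raw[3] = chr(ord($raw[3]) ^ 1); // flip one IV bit
var_dump(decryptOrEmpty($tok, $key) === 'user_id=42');
var_dump(decryptOrEmpty('user_id=1', $key) === '');        // raw text rejected
var_dump(decryptOrEmpty(base64_encode($raw), $key) === ''); // tampering rejected
```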

Seems the same issue on v2025.

Try v2026.10.