Chorizo! Help Center

Plugins: Morcilla

Available in free version: NO.
Available in commercial version: YES.
If you have any questions, contact us at chorizo at mayflower dot de or use the form on the My Chorizo page.

Morcilla will be included on top of the Standard account at no extra cost. If you are new to Chorizo!, buy your copy today at the registration page. If you are already a user of the free version of Chorizo!, just add the Standard version on your My Chorizo page.

With Morcilla, Chorizo! is able to "look inside" the site you want to scan. All you need to do is install the Morcilla PHP extension like any other PHP extension on your server. If you are a user of the commercial version, you can find the download link in the My Chorizo section of this site.

Morcilla is able to hook into every PHP function and expose information to Chorizo!. With this, Chorizo! is able to detect security problems even if you have display_errors=Off on your system. Below you can find a brief description of what Morcilla does and what Chorizo! is able to detect:

Morcilla tells you where the error has happened:

Have a look at this image. You can see the result layer that Chorizo! displays when you click on an error Morcilla found. Chorizo! is able to tell you which file on the server was affected and on which line the error happened.

Morcilla found error in PHP file utils.php:796 on the server
In this example, Chorizo! detected a Code Inclusion vulnerability in file utils.php on line 796. You just have to open this file in your preferred editor, look at line 796 and fix the bug in an instant. It's just that easy.

Morcilla currently hooks by default into the following PHP functions:

  • mysql_query, mysql_unbuffered_query, mysql_db_query, mysqli_query, mysqli_prepare, mysqli::query, mysqli::prepare
  • shell_exec, exec, passthru, system, popen, proc_open
  • preg_replace, preg_replace_callback, usort, array_walk, uasort
  • mail
  • fopen, readfile, file_get_contents

You can configure your php.ini settings to hook into several other PHP functions.
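The hooked functions above are the sinks where request data does damage, which is why Morcilla watches them. As an added example that is not Morcilla's or Chorizo!'s own code, the following PHP (written for PHP 7 or later) shows one request parameter reaching the SQL, shell and file families of hooked functions, first in the form the scanner would report and then in a hardened form. The `$mysqli` connection, the `articles` table and the `/var/www/uploads` directory are assumed for illustration.

```php
<?php
// Added example (not Morcilla or Chorizo! code): a request value reaching three
// of the hooked sink families, first as the scanner would flag it, then hardened.
// $mysqli, the articles table and /var/www/uploads are assumed for illustration.

declare(strict_types=1);

// --- SQL sink: mysqli::query vs mysqli::prepare -----------------------------

// Flagged pattern: request data concatenated into the query string.
function findArticleUnsafe(mysqli $mysqli, string $id): ?array
{
    $result = $mysqli->query("SELECT id, title FROM articles WHERE id = " . $id);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened: validate the shape, then bind the value as data via a prepared
// statement so it is never parsed as SQL.
function findArticleSafe(mysqli $mysqli, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;                            // reject before touching the database
    }
    $stmt = $mysqli->prepare("SELECT id, title FROM articles WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $intId = (int) $id;
    $stmt->bind_param('i', $intId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// --- File sink: fopen/readfile/file_get_contents -----------------------------

// Flagged pattern: a request-controlled path read straight from disk.
function readAttachmentUnsafe(string $name): string
{
    return (string) file_get_contents('/var/www/uploads/' . $name);
}

// Hardened: keep only the basename, resolve it, and confirm the resolved path
// still lies inside the intended directory before it reaches the sink.
function resolveUploadPath(string $name, string $uploadDir = '/var/www/uploads'): ?string
{
    $real = realpath($uploadDir . '/' . basename($name));
    $base = realpath($uploadDir);
    if ($real === false || $base === false) {
        return null;
    }
    if (strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;                            // resolved outside the upload directory
    }
    return $real;
}

function readAttachmentSafe(string $name): ?string
{
    $path = resolveUploadPath($name);
    return $path === null ? null : (string) file_get_contents($path);
}

// --- Shell sink: shell_exec/exec/system/popen/proc_open ----------------------

// Flagged pattern: a request-controlled file name spliced into a command line.
function countLinesUnsafe(string $name): string
{
    return (string) shell_exec("wc -l /var/www/uploads/" . $name);
}

// Hardened: the path is allow-listed first and the argument is quoted as a
// single shell word with escapeshellarg().
function countLinesSafe(string $name): ?int
{
    $path = resolveUploadPath($name);
    if ($path === null) {
        return null;
    }
    $out = shell_exec('wc -l ' . escapeshellarg($path));
    return is_string($out) ? (int) $out : null;
}
```

The three "Unsafe" functions are the shapes Morcilla reports as the request value flows into the hooked call; the "Safe" counterparts show the fix the Advisor would steer you towards: validate or allow-list first, then pass the value to the sink in a form (bound parameter, resolved path, quoted argument) that cannot change the sink's meaning.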

Checking for eval'ed code

Morcilla hooks into the eval() function to trace eval'ed code. With this, Chorizo! is able to detect code inclusions. This feature works on both PHP5 and PHP4; with PHP4 you need to apply the ZendEngine patch.

Checking for include/require/include_once/require_once

Morcilla hooks into the include*/require* functions. With this, Chorizo! is able to detect file inclusions. As above, with PHP4 you need to apply the ZendEngine patch.
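The eval() and include*/require* hooks described in the two sections above both catch the same underlying mistake: request data deciding which code runs. As an added example that is not Morcilla's or Chorizo!'s own code, the following PHP (for PHP 7 or later) shows a page dispatcher of the kind behind the Code Inclusion finding in utils.php above and a template helper built on eval(), each beside a version that keeps request data out of the hooked call. The `pages/` directory and the page names are assumed for illustration.

```php
<?php
// Added example (not Morcilla or Chorizo! code): the include and eval patterns
// the hooks report, beside allow-listed versions. The pages/ directory and the
// page names are assumed for illustration.

declare(strict_types=1);

// Flagged pattern: the include path is built from the request, so the hooked
// include sees a file name the visitor chose.
function renderPageUnsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// Also flagged: eval() on a string that contains request data.
function renderTemplateUnsafe(string $template, string $title): void
{
    eval('?>' . str_replace('{title}', $title, $template));
}

// Hardened dispatcher: the request only selects a key in a fixed map; the
// file name that reaches include() never contains request data.
const PAGE_MAP = [
    'home'    => 'home.php',
    'article' => 'article.php',
    'contact' => 'contact.php',
];

function resolvePageFile(string $page): ?string
{
    if (!array_key_exists($page, PAGE_MAP)) {
        return null;                            // not on the allow-list
    }
    $file = __DIR__ . '/pages/' . PAGE_MAP[$page];
    return is_file($file) ? $file : null;
}

function renderPageSafe(string $page): void
{
    $file = resolvePageFile($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Hardened template: plain substitution plus output escaping; no eval() at all.
function renderTemplateSafe(string $template, string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return str_replace('{title}', $escaped, $template);
}

// Dispatch on a constructed request value; an unknown key yields a 404 rather
// than an include of whatever the string names.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
renderPageSafe($page);
```

The rule of thumb the hardened versions follow: request input may choose among options you enumerated, but it must never be part of a file name handed to include/require or part of a string handed to eval().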

isset/empty checks for undefined global variables

Morcilla logs read access to variables. Chorizo! is able to detect if your application makes an isset() or empty() call on an undefined global variable or uses it, for example, in a print $foo; statement (where $foo is not defined). This works with both PHP4 and PHP5 with the ZendEngine patch.

isset/empty checks for $_GET/$_POST/$_COOKIE/$_REQUEST

Morcilla logs read access to these variables. Chorizo! is able to detect if your application makes an isset() or empty() call on an undefined element of these variables or uses it, for example, in a print $_GET['article_id'] statement (where $_GET['article_id'] is not defined). This works with both PHP4 and PHP5 with the ZendEngine patch.
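The two sections above (undefined globals, and undefined elements of $_GET/$_POST/$_COOKIE/$_REQUEST) both rely on Morcilla recording where the undefined read happened even though display_errors is Off. As an added example that is not Morcilla's or Chorizo!'s own code, the following PHP (for PHP 7 or later) approximates that finding in userland: an error handler captures the undefined-variable and undefined-index notices PHP still raises when display_errors=Off, together with the file and line, and a safe accessor shows the fix. The log destination and the `article_id` parameter are assumed for illustration.

```php
<?php
// Added example (not Morcilla or Chorizo! code): record undefined-variable and
// undefined-index reads with file:line while display_errors stays Off, and
// show the safe way to read an optional request parameter. The article_id
// parameter and the error_log destination are assumed for illustration.

declare(strict_types=1);

error_reporting(E_ALL);
ini_set('display_errors', '0');             // nothing is shown to visitors

/** @var array<int, array{file:string,line:int,message:string}> $undefinedReads */
$undefinedReads = [];

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use (&$undefinedReads): bool {
    // PHP 7 reports these as E_NOTICE ("Undefined variable", "Undefined index"),
    // PHP 8 as E_WARNING ("Undefined array key"); match on the message text.
    if (preg_match('/^Undefined (variable|index|array key|offset)/', $errstr) === 1) {
        $undefinedReads[] = ['file' => $errfile, 'line' => $errline, 'message' => $errstr];
        error_log(sprintf('[undefined-read] %s:%d %s', $errfile, $errline, $errstr));
        return true;                            // handled here, not by the default handler
    }
    return false;                               // everything else goes to PHP's default handling
});

// Flagged pattern: reading a request key that may not be present.
function articleIdUnsafe(array $get): string
{
    return (string) $get['article_id'];        // notice with file:line when the key is missing
}

// Hardened: test presence first, fall back to an explicit default, and
// validate the shape before using the value. Note that empty() would also
// silence the notice but treats a legitimate "0" as absent.
function articleIdSafe(array $get, int $default = 0): int
{
    if (!isset($get['article_id']) || !ctype_digit((string) $get['article_id'])) {
        return $default;
    }
    return (int) $get['article_id'];
}

$request = [];                                  // constructed: no article_id supplied

articleIdUnsafe($request);                      // triggers the handler above
$id = articleIdSafe($request);                  // silent: returns the default 0

printf("recorded %d undefined read(s), safe id = %d\n", count($undefinedReads), $id);
```

Run with no query string, the script writes one `[undefined-read] <file>:<line> Undefined ...` entry to the error log for the unsafe accessor and none for the safe one, which is the same file-and-line information the Chorizo! result layer shows for a Morcilla finding.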

Chorizo's Advisor will give you more detailed information about the problem itself, a general solution, and sample PHP code showing how to solve your problem.

© Copyright 2006 - 2008, MAYFLOWER GmbH. The products mentioned here are registered trademarks of MAYFLOWER GmbH.