When a web application does not properly sanitize user-supplied
input before using it within application code, it may be possible to trick
the application into executing operating system commands. The
executed commands run with the permissions of the component that
invoked them (e.g. database server, web application server, web
server, etc.), not with those of the attacker.
Example
In its two-argument form, Perl's open statement treats a filename ending
in a | (pipe) character as a command to run: Perl executes the string
before the pipe and connects the command's standard output to the
filehandle.
Pipe character example:
    # Execute "/bin/ls" and pipe its output into the filehandle FILE
    open(FILE, "/bin/ls|") or die "open: $!";
    print while <FILE>;
    close(FILE);
Web applications often include parameters that specify a file that is
displayed or used as a template. If the web application does not
properly sanitize the input provided by a user, an attacker may
change the parameter value to include a shell command followed by
the pipe symbol (shown above).
If the original URL of the web application is:
http://example/cgi-bin/showInfo.pl?name=John&template=tmp1.txt
by changing the template parameter value, the attacker can trick the
web application into executing the command /bin/ls:
http://example/cgi-bin/showInfo.pl?name=John&template=/bin/ls|
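The following script is an added example, not code from the WASC document, and not the real showInfo.pl: it reconstructs a plausible version of the template-loading code beside a hardened one. The template value is read from the command line to stand in for the CGI parameter, and the template directory /tmp/templates is an assumption.

```perl
#!/usr/bin/perl
# Added example (not from the WASC document): a "template" parameter flowing
# into Perl's two-argument open(), beside a hardened version. The value is
# taken from @ARGV here as a stand-in for the CGI parameter in the URL above.
use strict;
use warnings;
use File::Spec;

my $TEMPLATE_DIR = '/tmp/templates';   # assumed location of the template files

# Vulnerable: two-argument open() parses the string for a mode and a filename.
# A trailing "|" turns "/bin/ls|" into "run /bin/ls and read its stdout", so
# the attacker's template value executes as an OS command with the web
# server's privileges.
sub show_template_vulnerable {
    my ($template) = @_;
    open(my $fh, $template) or return "open failed: $!";
    local $/;                   # slurp mode
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Hardened: allow-list the parameter, anchor it under the template directory,
# and use three-argument open(). The third argument is taken purely as a
# filename, so no character in it can select a pipe or a mode; the regex
# additionally rules out "/" and "..", so the name cannot escape $TEMPLATE_DIR.
sub show_template_safe {
    my ($template) = @_;
    unless (defined $template
            && $template =~ /\A[A-Za-z0-9_-]{1,64}\.txt\z/) {
        return "rejected: bad template name";
    }
    my $path = File::Spec->catfile($TEMPLATE_DIR, $template);
    open(my $fh, '<', $path) or return "open failed: $!";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

my $param = defined $ARGV[0] ? $ARGV[0] : 'tmp1.txt';
print "== vulnerable ==\n", show_template_vulnerable($param), "\n";
print "== hardened  ==\n",  show_template_safe($param),       "\n";
```

Run it as `perl showinfo_demo.pl '/bin/ls|'`: the vulnerable routine prints a directory listing, because the pipe suffix made open() execute /bin/ls, while the hardened routine rejects the value before any file system or process access occurs. Note that the allow-list, not the three-argument open alone, is what stops the related path-traversal abuse of the same parameter.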
Most scripting languages enable programmers to execute operating
system commands at run time, by using various exec functions.
If the web application allows user-supplied input to be used inside
Copyright 2004, Web Application Security Consortium. All rights reserved.