such a function call without being sanitized first, it may be possible for
an attacker to run Operating System commands remotely. For
example, here is a part of a PHP script, which presents the contents
of a system directory (on Unix systems):
Execute a shell command:
exec("ls -la $dir",$lines,$rc);
By appending a semicolon (;) followed by an Operating System
command, it is possible to force the web application into executing
the second command:
http://example/directory.php?dir=%3Bcat%20/etc/passwd
The response will contain the contents of the /etc/passwd file.
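The same listing written defensively, as an added example that is not part of the original document. BASE_DIR and the function names are assumptions for illustration; the first variant avoids the shell entirely, the second quotes the argument when a shell call cannot be avoided.

```php
<?php
// Added example: hardened variants of the directory listing above.
// BASE_DIR and all function names are hypothetical.
const BASE_DIR = '/var/www/files';

// Option 1: no shell at all. Resolve the requested path and confirm it
// stays under BASE_DIR before reading it with scandir().
function list_dir_no_shell(string $dir): array
{
    $base = realpath(BASE_DIR);
    $path = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $dir);
    if ($base === false || $path === false || !is_dir($path)) {
        throw new InvalidArgumentException('unknown directory');
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path !== $base && strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('directory outside base');
    }
    $entries = scandir($path);
    if ($entries === false) {
        throw new RuntimeException('cannot read directory');
    }
    return array_values(array_diff($entries, ['.', '..']));
}

// Option 2: a shell call is unavoidable. escapeshellarg() quotes the value
// so shell metacharacters are inert, and "--" stops a value that starts
// with "-" from being parsed as an option to ls.
function build_ls_command(string $dir): string
{
    return 'ls -la -- ' . escapeshellarg($dir);
}

function list_dir_shell(string $dir): array
{
    exec(build_ls_command($dir), $lines, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("ls exited with status $rc");
    }
    return $lines;
}

// Constructed input: the decoded dir parameter from the URL above.
echo build_ls_command(';cat /etc/passwd'), PHP_EOL;
```

With the quoted form the shell passes the whole value to ls as a single argument, so the semicolon no longer separates two commands.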
References
"Perl CGI Problems", by RFP, Phrack Magazine, Issue 55
http://www.wiretrip.net/rfp/txt/phrack55.txt
(See "That pesky pipe" section)
"Marcus Xenakis directory.php Shell Command Execution Vulnerability"
http://www.securityfocus.com/bid/4278
"NCSA Secure Programming Guidelines"
http://archive.ncsa.uiuc.edu/General/Grid/ACES/security/programming/#cgi
Copyright 2004, Web Application Security Consortium. All rights reserved.



