From Syhunt Web Application Security Docs

Vulnerabilities: Remote Command Execution

Command Execution

Detected by Syhunt: Yes (locally, remotely)
Type: Injection Flaw
Also Known As: RCE, OS Commanding, OS Injection, Command Injection
CWE: 78

Many web sites contain flaws that may allow remote attackers to execute arbitrary commands. The issue happens when a script fails to properly sanitize shell metacharacters. By sending a specially crafted request, attackers can execute arbitrary commands with the privileges of the web server.

Detailed Information

Examples of vulnerable code

Below you can find very basic examples of command execution vulnerabilities.

JSP

 
<%
Runtime.getRuntime().exec(request.getParameter("cmd"));
%>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /rce_basic.jsp (source code, locally), on line 2:
  Possible Command Execution Vulnerability

PHP

 
<?
$cmd = $_GET['command'];
passthru('SomeApp.exe '.$cmd);
?>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /rce_basic.php (source code, locally), affecting parameter "command", on lines 2,3:
  Possible Command Execution Vulnerability
Retrieved from http://www.syhunt.com/docwiki/index.php?n=Vulnerabilities.CommandExecution
Page last modified on October 24, 2010, at 05:28 AM