Description

This script is vulnerable to code execution attacks.

Code injection vulnerabilities occur where the output or content served from a Web application can be manipulated in such a way that it triggers server-side code execution. In some poorly written Web applications that allow users to modify server-side files (such as by posting to a message board or guestbook) it is sometimes possible to inject code in the scripting language of the application itself.

Remediation

Your script should filter metacharacters from user input.

References

Security Focus - Penetration Testing for Web Applications (Part Two)

OWASP PHP Top 5

Related Vulnerabilities

Rails remote code execution using render :inline

WordPress Plugin PropertyHive Remote Code Execution (1.4.25)

WordPress 2.1.1 Command Execution Backdoor Vulnerability (2.1.1)

Unauthenticated OGNL injection in Confluence Server and Data Center

Cacti Unauthenticated Command Injection (CVE-2022-46169)

Severity

Critical

Classification

CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution