Operating System Command Injection

Critical Web Application Scanning Plugin ID 98123

Synopsis

Operating System Command Injection

Description

OS command injection occurs when user supplied input is used to form a command
 to be executed by the operating system.

 Scanner was able to inject specific Operating System commands and have the output
 from that command contained within the server response. This indicates that input
 is not being sanitized properly.

Solution

It is recommended that untrusted data is never used to form a command to be executed by the OS.
 To validate data, the application should ensure that the supplied value contains only the characters that are required to perform the required action.

See Also

https://www.owasp.org/index.php/OS_Command_Injection

http://projects.webappsec.org/w/page/13246950/OS%20Commanding

Plugin Details

Severity: Critical

ID: 98123

Type: remote

Published: 2017/03/31

Updated: 2017/10/16

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference Information

CWE: 78

WASC: OS Commanding

OWASP: 2010-A1, 2013-A1, 2017-A1