Description
This script is vulnerable to code execution attacks.
Code injection vulnerabilities occur when the output or content served by a web application can be manipulated so that it triggers server-side code execution. In some poorly written web applications that allow users to modify server-side files (for example, by posting to a message board or guestbook), it is sometimes possible to inject code in the scripting language of the application itself.
Remediation
Your script should filter metacharacters from user input.
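The guestbook case from the description, as an added example that is not code from the scanned application: it renders an entry into script source the way a vulnerable application would, then uses a parse-only check to show the effect of filtering metacharacters. The function names, the metacharacter set and the JSON-lines storage format are assumptions made for illustration.

```python
import ast
import json
import re

# Assumption: the guestbook keeps entries in a server-side script file that the
# application later executes, the pattern the description warns about.
def render_entry_unsafe(message: str) -> str:
    """Vulnerable 'before': pastes user text into source code unescaped."""
    return 'entries.append("' + message + '")\n'

# Assumed metacharacter set for the scripting language: quotes, backslash,
# backtick, statement separator, brackets, dollar sign, angle brackets and
# control characters (including newlines).
METACHARS = re.compile(r"""["'\\`;(){}\[\]$<>\x00-\x1f\x7f]""")

def filter_metachars(message: str, max_len: int = 500) -> str:
    """Remediation from the page: strip metacharacters, then cap the length."""
    return METACHARS.sub("", message)[:max_len]

def render_entry_data(message: str) -> str:
    """Complementary hardening: one JSON line per entry, read back as data."""
    return json.dumps({"message": message}) + "\n"

def load_entry(line: str) -> str:
    """Parse a stored JSON line; the text is never handed to an interpreter."""
    return json.loads(line)["message"]

def statement_count(source: str) -> int:
    """Parse only (nothing is executed) and count top-level statements."""
    return len(ast.parse(source).body)

# Constructed sample input: a harmless marker that closes the string literal.
SAMPLE = 'hi"); entries.append("second'

if __name__ == "__main__":
    # An ordinary message stays a single statement.
    print(statement_count(render_entry_unsafe("hello")))
    # Unfiltered, the sample changes the structure of the generated code.
    print(statement_count(render_entry_unsafe(SAMPLE)))
    # After filtering, the same input is inert text inside one statement.
    print(statement_count(render_entry_unsafe(filter_metachars(SAMPLE))))
    # Stored as data, the original text round-trips unchanged.
    print(load_entry(render_entry_data(SAMPLE)) == SAMPLE)
```

A statement count above one for a single entry means user input altered the structure of the generated code, which makes the same check usable as a regression test for the filter.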
Related Vulnerabilities
WordPress Plugin ProfileGrid-User Profiles, Groups and Communities Remote Code Execution (2.8.5)
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-30537)
Unauthenticated Remote Code Execution via JSONWS in Liferay 6.1 (LPS-88051)