Many websites make use of command line calls to read files,
send emails, and perform other native operations. If your site
transforms untrusted input into shell commands, you need to take care
to sanitize the input.
If you don't, an attacker will be able to craft HTTP requests that execute whatever command they want.
Let's see how easy it is.

Imagine you run a simple site that performs DNS lookups.
Your site shells out to the nslookup command, then prints the result.
Have a look at the code. Since the domain parameter is not sanitized,
you are vulnerable to command injection.
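As an added example that is not the tutorial's own code, here is a lookup handler in the vulnerable shape described above, with a hardened form beside it; the function names and the regular expression are my own assumptions, not anything the page shows.

```php
<?php
// Added example (not the tutorial's code). Hypothetical function names.

// VULNERABLE: the raw query parameter is concatenated into a shell
// command string, so any shell metacharacters in ?domain= are honoured
// by /bin/sh, which is exactly the weakness the tutorial describes.
function lookup_vulnerable(string $domain): string
{
    $output = shell_exec("nslookup " . $domain);
    return is_string($output) ? $output : '';
}

// Hardened, step 1: accept only syntactically valid hostnames, so the
// value never contains separators, quotes or a leading "-" that nslookup
// could read as an option. (Assumed regex: DNS labels of letters, digits
// and hyphens, no leading/trailing hyphen, 63 chars per label, 253 total.)
function is_valid_hostname(string $domain): bool
{
    if ($domain === '' || strlen($domain) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $domain) === 1;
}

// Hardened, step 2: even a validated value is wrapped by escapeshellarg(),
// so the shell always sees it as one single-quoted argument.
function lookup_hardened(string $domain): string
{
    if (!is_valid_hostname($domain)) {
        throw new InvalidArgumentException('Invalid hostname');
    }
    $output = shell_exec('nslookup ' . escapeshellarg($domain));
    return is_string($output) ? $output : '';
}

// Request handler: a rejected value becomes a 400, and the response is
// served as plain text so nslookup output is not rendered as HTML.
header('Content-Type: text/plain');
try {
    echo lookup_hardened($_GET['domain'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "Bad request: supply a valid hostname in the domain parameter\n";
}
```

Validation does the real work here: escapeshellarg() stops the argument from breaking out of the command, but only the hostname check stops a value such as a bare option flag from changing what nslookup itself does.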
Slim is a no-good basement-dweller who wants to hack your
website. He has already noticed you are running PHP, and
wonders how he can take advantage of that.
While running a simple domain lookup, he notices that the domain is
passed in the query string under the domain parameter.
He guesses that the IP lookup is performed via an operating system
function, and tries to tack an extra command onto the end.
Success! Slim can see the output of his echo command on the web page.
This demonstrates that your site is vulnerable to command execution.
Now he has a mechanism to execute code on the server.
This is very bad news.
You try it!
Add the command cat /etc/passwd on the end of the search term
to read a sensitive file on the server.