Custodela / Riches

0 stars 3 forks source link

CX Command_Injection @ riches/pages/common/hidden_AdminControl.jsp [master] #288

Open kmcdon83 opened 5 years ago

kmcdon83 commented 5 years ago

Command_Injection issue exists @ riches/pages/common/hidden_AdminControl.jsp in branch master

The application's Runtime.getRuntime method calls an OS (shell) command with exec, at line 95 of riches\pages\common\hidden_AdminControl.jsp, using an untrusted string with the command to execute.   This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack. The attacker may be able to inject the executed command via user input, ""actions"", which is retrieved by the application in the request.getParameter method, at line 74 of riches\pages\common\hidden_AdminControl.jsp.

Severity: High

CWE:77

Vulnerability details and guidance

Internal Guidance

Checkmarx

Lines: 18 74


Code (Line #18):

<% String alertMessage = request.getParameter("message");

Code (Line #74):

   String cmd = request.getParameter("actions");

kmcdon83 commented 5 years ago

Issue still exists.

kmcdon83 commented 5 years ago

Issue still exists.

kmcdon83 commented 5 years ago

Issue still exists.

kmcdon83 commented 5 years ago

Issue still exists.

kmcdon83 commented 5 years ago

Issue still exists.

kmcdon83 commented 4 years ago

Issue still exists.

kmcdon83 commented 4 years ago

Issue still exists.

kmcdon83 commented 4 years ago

Issue still exists.