search

kmcdon83 / DVWA

Damn Vulnerable Web Application (DVWA)
http://dvwa.co.uk
GNU General Public License v3.0
0 stars 1 forks source link

CX Command_Injection @ vulnerabilities/exec/source/medium.php [master] #17

Open ghost opened 3 years ago

ghost commented 3 years ago

Command_Injection issue exists @ vulnerabilities/exec/source/medium.php in branch master

The application's <?php method calls an OS (shell) command with shell_exec, at line 1 of vulnerabilities\exec\source\medium.php, using an untrusted string with the command to execute.   This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack. The attacker may be able to inject the executed command via user input, _REQUEST, which is retrieved by the application in the <?php method, at line 1 of vulnerabilities\exec\source\medium.php.

Severity: High

CWE:77

Vulnerability details and guidance

Internal Guidance

Checkmarx

Training Recommended Fix

Lines: 5

Code (Line #5):

    $target = $_REQUEST[ 'ip' ];
ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.

ghost commented 3 years ago

Issue still exists.