vish07 / WackoPicko

WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
MIT License

CX Command_Injection @ website/pictures/high_quality.php [master] #15

Open vish07 opened 4 years ago

vish07 commented 4 years ago

Command_Injection issue exists @ website/pictures/high_quality.php in branch master

The application's <?php method calls an OS (shell) command with passthru, at line 1 of website\pictures\high_quality.php, using an untrusted string with the command to execute. This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack. The attacker may be able to inject the executed command via user input, _GET, which is retrieved by the application in the <?php method, at line 1 of website\pictures\high_quality.php.

Severity: High

CWE:77

Vulnerability details and guidance

Checkmarx

Lines: 18

Code (Line #18):

$pic = Pictures::get_picture($_GET['picid']);

vish07 commented 4 years ago

Issue still exists.

vish07 commented 4 years ago

Issue still exists.