CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Example Vulnerable Code

Example - 1

This example attempts to write user messages to a message file and allow users to view them.



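$MessageFile = "messages.out";
if ($_GET["action"] == "NewMessage") {
    // User-supplied fields are appended to the message file unmodified.
    $name = $_GET["name"];
    $message = $_GET["message"];
    $handle = fopen($MessageFile, "a+");
    fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
    fclose($handle);
    echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
    // include() runs the file through the PHP parser instead of printing it as data.
    include($MessageFile);
}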

While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:


name=h4x0r
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E

which will decode to the following:

<?php system("/bin/ls -l");?>

The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages.

Notice that XSS (CWE-79) is also possible in this situation.
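
A hardened variant of the message board above, as an added example that is not part of the CWE entry: messages are stored as data records, read back with file() rather than include(), and HTML-encoded on output. The file name messages.jsonl and the helper names param, save_message and render_messages are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Added example, not from the CWE entry. The file name is an assumption.
const MESSAGE_FILE = __DIR__ . '/messages.jsonl';

// Accept only string parameters; array input (name[]=x) becomes ''.
function param(string $key): string
{
    $value = $_GET[$key] ?? '';
    return is_string($value) ? $value : '';
}

function save_message(string $file, string $name, string $message): void
{
    // One JSON record per line. JSON_HEX_TAG writes < and > as \u003C and \u003E,
    // so the stored file never contains a literal PHP opening tag.
    $flags = JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_INVALID_UTF8_SUBSTITUTE;
    $record = json_encode(['name' => $name, 'message' => $message], $flags);
    file_put_contents($file, $record . "\n", FILE_APPEND | LOCK_EX);
}

function render_messages(string $file): string
{
    if (!is_file($file)) {
        return '';
    }
    $html = '';
    // file() returns the lines as strings; the contents are never evaluated as PHP.
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !is_string($rec['name'] ?? null) || !is_string($rec['message'] ?? null)) {
            continue; // skip malformed records
        }
        // Encode on output so stored markup is displayed as text (CWE-79).
        $name = htmlspecialchars($rec['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $message = htmlspecialchars($rec['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "<b>$name</b> says '$message'<hr>\n";
    }
    return $html;
}

$action = param('action');
if ($action === 'NewMessage') {
    save_message(MESSAGE_FILE, param('name'), param('message'));
    echo "Message Saved!<p>\n";
} elseif ($action === 'ViewMessages') {
    echo render_messages(MESSAGE_FILE);
}
```

With the message from the example above, ViewMessages outputs `&lt;?php system(&quot;/bin/ls -l&quot;);?&gt;` as visible text instead of executing it.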

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.