Nearly every programming language allows the use of so called "system-commands". Many applications make use of this type of functionality. System-interfaces in programming and scripting languages pass input (commands) to the underlying operating system the computer uses. The operating system then tries to execute the given input and returns its output to stdout and various return-codes to the program (successful, not successful etc.).

System commands are normally a very convenient feature. With little effort it is possible to add functionality to your web-application. Common usage for OS-commands in web applications is filehandling (remove,copy), sending emails and calling operating system tools to modify the applications input and output in various ways (filters).

With the aid of error messages, it is possible to obtain information about the operating system and components. This knowledge of the OS implicates knowledge of available OS commands and typical command line tools for this OS.

Depending on the scripting- or programming language and the operating-system it is possible to:

alter the system commands
alter parameters passed to system commands
execute additional commands and OS typical command line tools.
execute additional commands within executed command


Not only direct usage of system-commands is dangerous. Some scripting-languages like PHP, Perl and others can automatically execute script code in:

required or included files
evaluated variables and files
regular expressions

Uploaded files which are passed to OS commands can also have special names and or content.


A summary of problems regarding OS command execution for popular programming languages follows:

NB : This is just a summary. Of course every language allows system commands.