Nearly every programming language allows the use of so-called "system commands", and many applications make use of this functionality. The system interface of a programming or scripting language passes input (a command line) to the operating system the computer runs. The operating system tries to execute that input; the command's output goes to stdout (and stderr) and an exit code is returned to the program (successful, not successful, and so on).
System commands are normally a very convenient feature: with little effort you can add functionality to a web application. Common uses of OS commands in web applications are file handling (remove, copy), sending e-mail, and calling operating system tools to transform the application's input and output in various ways (filters).
With the aid of error messages it is often possible to learn which operating system and which components are in use. Knowing the OS means knowing which OS commands and typical command-line tools are available to an attacker.
Depending on the scripting or programming language and the operating system, an attacker who controls input that reaches a system command may be able to:
  alter the system command itself
  alter the parameters passed to the system command (for example, an argument that starts with "-" is read as an option)
  execute additional commands and OS-typical command-line tools (chained with ";", "|" or "&&")
  execute additional commands within the executed command (command substitution with $( ) or backticks)
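The following is an added example, not code from the original article: a small Python file handler of the kind described above, first in the form that lets an attacker append or substitute commands, then hardened. The directory layout, the TOOLS allowlist, the helper names and the attack strings are all constructed for illustration.

```python
"""Added example (not from the original article): an OS-command-injection
hole in a Python web-app file handler, next to a hardened version.
The directory layout, helper names and attack strings are constructed
for illustration."""
import os
import re
import subprocess
import tempfile

# The program and its fixed options come from an allowlist keyed by an
# action name, so the user can never choose the command itself.
TOOLS = {
    "view": ["cat"],
    "head": ["head", "-n", "1"],
}

# Allowed file names: start with an alphanumeric (so never an option such
# as "-n" or "--help"), then only [A-Za-z0-9._-]; no "/", no whitespace,
# no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def view_file_vuln(base_dir, name):
    """Vulnerable: user input is pasted into a string that /bin/sh parses.
    A name such as 'report.txt; echo INJECTED' runs a second command, and
    '$(id)' or backticks would run a command inside the argument."""
    cmd = f"cat {base_dir}/{name}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_tool_safe(base_dir, action, name):
    """Hardened: allowlisted program, strict file-name check, argv list
    (no shell involved) and '--' so the path can never be read as an option."""
    if action not in TOOLS:
        raise ValueError("unknown action")
    if not SAFE_NAME.match(name) or ".." in name:
        raise ValueError("bad file name")
    path = os.path.join(base_dir, name)
    argv = TOOLS[action] + ["--", path]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


def demo():
    """Builds a scratch directory with one report and exercises both paths."""
    base_dir = tempfile.mkdtemp()
    with open(os.path.join(base_dir, "report.txt"), "w") as fh:
        fh.write("hello\nworld\n")

    attack = "report.txt; echo INJECTED"  # constructed attack input
    vuln_out = view_file_vuln(base_dir, attack)  # "hello\nworld\nINJECTED\n"

    try:
        run_tool_safe(base_dir, "view", attack)
        safe_result = "executed"
    except ValueError:
        safe_result = "rejected"

    try:
        run_tool_safe(base_dir, "view", "-n")  # option-injection attempt
        option_result = "executed"
    except ValueError:
        option_result = "rejected"

    benign = run_tool_safe(base_dir, "head", "report.txt")  # "hello\n"
    return vuln_out, safe_result, option_result, benign


if __name__ == "__main__":
    print(demo())
```

The fix is not quoting: it is never letting a shell parse user data at all. The argv list goes straight to execve(), the program comes from a fixed table, and the file name is checked against an allowlist before it is used. If a shell really is unavoidable, shlex.quote() on each argument is the fallback, but the argv form should be the default.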
Not only the direct use of system commands is dangerous. Some scripting languages, PHP and Perl among them, also execute script code that they find in:
  required or included files (an include path built from user input)
  evaluated variables and files (eval())
  regular expressions (PHP's preg_replace() with the /e modifier evaluated the replacement as PHP code; the modifier was removed in PHP 7.0)
Uploaded files that are passed to OS commands can also carry specially crafted names or content.
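The "evaluated variables" case, as an added example that is not part of the original article (it also illustrates the eval() entry in the Python summary further down): a calculator endpoint that hands user text to eval() executes arbitrary Python, including OS commands, while a hardened evaluator built on the ast module accepts only arithmetic. The calculator scenario, function names and inputs are constructed.

```python
"""Added example (not from the original article): Python's eval() as an
'evaluated variable' sink, next to a hardened evaluator built on the ast
module.  The calculator scenario and the inputs are constructed."""
import ast
import operator


def calc_vuln(expr):
    """Vulnerable: eval() runs any Python expression the caller supplies,
    so the 'calculator' doubles as a remote code-execution interface."""
    return eval(expr)


# Only these operators survive the walk below.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def calc_safe(expr):
    """Hardened: parse to an AST and evaluate it ourselves, allowing only
    numeric literals, unary minus and the four arithmetic operators.  Names,
    attribute access and calls (the route to __import__('os')) are rejected."""
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def demo():
    # Constructed payload; getpid() is a harmless stand-in for system('id').
    payload = "__import__('os').getpid() > 0"
    vuln_result = calc_vuln(payload)  # True: attacker-chosen code ran
    try:
        calc_safe(payload)
        safe_result = "executed"
    except ValueError:
        safe_result = "rejected"
    return vuln_result, safe_result, calc_safe("2 + 3 * (4 - 1)")


if __name__ == "__main__":
    print(demo())
```

Blacklisting strings such as "import" or "__" inside the expression is not a fix; the attacker has the whole language to find another spelling. Deciding what is allowed at the syntax-tree level, as calc_safe() does, is the only reliable approach, and ast.literal_eval() is the ready-made version of it when plain literals are all you need.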
A summary of the risky functions for OS command and code execution in popular programming languages follows:
PHP
  require(), include() (also require_once(), include_once())
  eval()
  preg_replace() with the /e modifier (PHP 5 only; removed in PHP 7.0)
  exec(), passthru(), system(), shell_exec()
  `` (backticks, equivalent to shell_exec())
  popen(), proc_open()
Shell scripts
  always dangerous once untrusted input is interpolated into a command line or passed to eval; the details depend heavily on the shell used
Perl
  open() (the #1: the two-argument form runs a command when the file name starts or ends with "|")
  sysopen()
  glob()
  system(), exec()
  `` (backticks) and qx//
  eval()
Java (Servlets, JSPs)
  java.lang.Runtime.exec() (the single-String overload splits the command on whitespace) and java.lang.ProcessBuilder; neither invokes a shell unless the program started is one ("sh", "-c", ...), but argument injection still applies
C, C++
  system(), popen()
  the exec*() family (execl, execlp, execle, execv, execvp, execve)
  and, separately, memory-unsafe string and input functions that lead to buffer overflows rather than command execution: strcpy, strcat, sprintf, vsprintf, gets, strlen (on data that may lack a null terminator), scanf, fscanf, sscanf, vscanf, vsscanf, vfscanf, realpath, getopt, getpass, streadd, strecpy, strtrns
Python
  exec(), eval(), compile()
  execfile() (Python 2 only)
  input() (Python 2 only, where it evaluates what was typed; in Python 3 input() returns a string)
  os.system(), os.popen(), subprocess.* with shell=True
NB: This is just a summary. Of course every language allows system commands.