Can someone tell me if this code is vulnerable to command injection? At first I was sure it was but even though I'm able to enter whatever I want into the command string that gets passed to the System() call through a GET parameter, it doesn't get executed. I thought maybe the quotes around the variables prevented it from being successful?
This looks vulnerable. How does the user's input make it over to the $cmd variable? via a $_POST parameter? Try manipulating the request with a proxy and see if you can change it's value to get a command executed. If you can break out of the quote, you can append (with &&) additional commands that can get executed.
Sorry for the extremely late reply. Holidays and all that had me spinning in circles. I just got back to this at work today and found that if I edit the PHP and remove the single quotes around $user_input then I can inject a command successfully via that parameter. So I guess those single quotes are protecting the query. I'm not sure if there's a way around that but that's where it stands right now.
Thanks for the suggestion, I hadn't thought of that. I just checked though and it's off. I wonder if there's some sort of other protection somewhere that I can't see. If I run the command from the CLI directly it works fine, but when I pass my input as a parameter it does not. I'll try to dig deeper on it if I can get the time.
Registered users: Iogjenn In total there are 99 users online :: 1 registered, 4 hidden and 94 guests (based on users active over the past 5 minutes) Most users ever online was 1535 on Fri Feb 01, 2008 3:38 pm Legend: Administrators, Global moderators