Sin 5: Command Injection

Overview of the Sin

In 1994, the author of this chapter was sitting in front of an SGI computer running IRIX that was simply showing the login screen. It gave the option to print some documentation and specify the printer to use. The author imagined what the implementation might be, specified a string that didn't actually refer to a printer, and suddenly had an administrator window on a box the author not only wasn't supposed to have access to, but also wasn't even logged into.

The problem was a command injection attack, where user input that was meant to be data can instead be partially interpreted as a command of some sort. Often, that command gives the person who controls the data far more access than was ever intended.
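The printer scenario above maps directly onto the two implementation choices that decide whether this sin is present: pasting the user-supplied printer name into a shell command line, or passing it as a single argument with no shell in between. The following is an added illustration written for this page, not code from the book or from IRIX; it assumes the documentation is printed with `lpr -P <printer> <file>` and that a printer name may only contain letters, digits, `-` and `_` (both are assumptions), and the inputs are constructed samples.

```python
import re
import shlex
import subprocess

# Assumed allow-list policy for printer names: letters, digits, '-' and '_' only.
PRINTER_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_print_command_unsafe(printer: str, doc: str) -> str:
    """The sin: untrusted 'printer' is concatenated into a shell command line.

    Anything the shell treats as syntax (';', '|', '`', '$(...)') inside
    'printer' changes what gets executed, which is exactly what happened
    on the IRIX login screen described above.
    """
    return "lpr -P " + printer + " " + doc


def shell_tokens(command_line: str) -> list[str]:
    """Tokenise a command line the way a POSIX shell roughly would.

    Used here purely as a check: a well-formed request produces exactly the
    four tokens we expect; a request carrying shell metacharacters does not.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def printer_name_is_safe(printer: str) -> bool:
    """Allow-list validation (assumed policy), not a deny-list of bad characters."""
    return PRINTER_NAME_RE.fullmatch(printer) is not None


def build_print_argv(printer: str, doc: str) -> list[str]:
    """The fix: validate the name, then pass it as one argv element.

    Because the result is an argument vector and not a string handed to
    /bin/sh, no character in 'printer' can be reinterpreted as syntax.
    """
    if not printer_name_is_safe(printer):
        raise ValueError("invalid printer name: %r" % printer)
    return ["lpr", "-P", printer, doc]


def print_document(printer: str, doc: str) -> int:
    """Run lpr without a shell; returns the process exit status."""
    argv = build_print_argv(printer, doc)
    # shell=False is the default, stated explicitly to make the point visible.
    completed = subprocess.run(argv, shell=False, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one honest printer name, one carrying a ';'.
    for name in ("lp0", "lp0; echo injected"):
        line = build_print_command_unsafe(name, "docs.txt")
        print("unsafe command line:", repr(line))
        print("  shell would see tokens:", shell_tokens(line))
        try:
            print("  hardened argv:", build_print_argv(name, "docs.txt"))
        except ValueError as exc:
            print("  hardened path rejected it:", exc)
```

The `shell_tokens` check is what a reviewer or a fuzzing harness can run against the string-building version: if a request ever yields more than the expected tokens, the data has become command. The hardened path makes that impossible by construction, and the allow-list validation is defence in depth against `lpr` itself misreading an odd name (for example one beginning with `-`).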



19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them