Code and content manipulation


Home > Cyber Security Solutions > Various-Security-Offerings > Penetration Test > Specialized Pen Testing > Web Portals > Code and content manipulation

Code injection vulnerabilities occur where the output or content served from a Web application can be manipulated in such a way that it triggers server-side code execution. In some poorly written Web applications that allow users to modify server-side files (such as by posting to a message board or guestbook) it is sometimes possible to inject code in the scripting language of the application itself.
It is possible to read the source code of this script by using script filename as a parameter. It seems that this script includes a file which name is determined using user-supplied data. This data is not properly validated before being passed to the include function.

Impact

A malicious user may execute arbitrary system commands with the permissions of the web server
An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This information can be used to launch further attacks.

Recommendation By Valency Networks, Pune, India :

Your script should filter metacharacters from user input.
Analyse the source code of this script and solve the problem.