Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')
Weakness ID: 96 (Weakness Base)Status: Draft
+ Description

Description Summary

The software receives input from an upstream component, but it does not sanitize or incorrectly sanitizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

PHP

Perl

All Interpreted Languages

+ Observed Examples
ReferenceDescription
CVE-2002-0495Perl code directly injected into CGI library file from parameters to another CGI program.
CVE-2005-1876Direct PHP code injection into supporting template file.
CVE-2005-1894Direct code injection into PHP script that can be accessed by attacker.
CVE-2003-0395PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.
+ Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to filter code syntax from user-controlled input.

Avoid writing user-controlled input to code files.

Perform output validation to filter all code syntax from data written to non-code files.

+ Other Notes

"HTML injection" (see XSS) could be thought of as an example of this, but it is executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.

This issue is most frequently found in PHP applications that allow users to set configuration variables that are stored within executable php files. Technically, this could also be performed in some compiled code (e.g. by byte-patching an executable), although it is highly unlikely.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class94Failure to Control Generation of Code ('Code Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory632Weaknesses that Affect Files or Directories
Resource-specific Weaknesses (primary)631
ParentOfWeakness BaseWeakness Base97Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
Development Concepts (primary)699
Research Concepts (primary)1000
+ Affected Resources
  • File/Directory
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERDirect Static Code Injection
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
35Leverage Executable Code in Nonexecutable Files
73User-Controlled Filename
77Manipulating User-Controlled Variables
85Client Network Footprinting (using AJAX/XSS)
86Embedding Script (XSS ) in HTTP Headers
18Embedding Scripts in Nonscript Elements
63Simple Script Injection
81Web Logs Tampering
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2009-05-27CWE Content TeamMITREInternal
updated Description, Name
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Direct Static Code Injection
2009-05-27Insufficient Control of Directives in Statically Saved Code (Static Code Injection)