Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection') |
Weakness ID: 96 (Weakness Base) | Status: Draft |
Description Summary
Reference | Description |
---|---|
CVE-2002-0495 | Perl code directly injected into CGI library file from parameters to another CGI program. |
CVE-2005-1876 | Direct PHP code injection into supporting template file. |
CVE-2005-1894 | Direct code injection into PHP script that can be accessed by attacker. |
CVE-2003-0395 | PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script. |
Assume all input is malicious. Use an appropriate combination of black lists and white lists to filter code syntax from user-controlled input. |
Avoid writing user-controlled input to code files. |
Perform output validation to filter all code syntax from data written to non-code files. |
"HTML injection" (see XSS) could be thought of as an example of this, but it is executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection. This issue is most frequently found in PHP applications that allow users to set configuration variables that are stored within executable php files. Technically, this could also be performed in some compiled code (e.g. by byte-patching an executable), although it is highly unlikely. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 94 | Failure to Control Generation of Code ('Code Injection') | Development Concepts (primary)699 Research Concepts (primary)1000 |
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary)631 |
ParentOf | Weakness Base | 97 | Failure to Sanitize Server-Side Includes (SSI) Within a Web Page | Development Concepts (primary)699 Research Concepts (primary)1000 |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
35 | Leverage Executable Code in Nonexecutable Files | |
73 | User-Controlled Filename | |
77 | Manipulating User-Controlled Variables | |
85 | Client Network Footprinting (using AJAX/XSS) | |
86 | Embedding Script (XSS ) in HTTP Headers | |
18 | Embedding Scripts in Nonscript Elements | |
63 | Simple Script Injection | |
81 | Web Logs Tampering |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Potential Mitigations, Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Description, Name | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Direct Static Code Injection | |||
2009-05-27 | Insufficient Control of Directives in Statically Saved Code (Static Code Injection) | |||