
Code execution vulnerability

Last Updated: Oct 31, 2017

Note: If the affected URL contains /robots.txt/a.php or /favicon.ico/a.php, the finding is the Nginx/PHP FastCGI path-parsing issue rather than a flaw in the application's own code; see FastCGI analysis vulnerability instead.

Description

A code execution vulnerability is a critical flaw in which the application passes externally supplied parameters into a command or code interpreter (a system shell, or a dynamic evaluation function such as eval) without any security filtering. Because the attacker controls part of the final command or code that is executed, they can break into the server and cause serious damage.

Impact

Attackers can exploit this vulnerability to execute arbitrary commands or code on the server, with the privileges of the web application process.

Fix

Solution 1

  • Strictly validate every parameter that reaches a command or code interpreter. Reject (or, if a shell is unavoidable, escape) shell control operators such as “&”, “&&”, “|”, “||”, “;”, backticks and “$(”, and never pass external input into dynamic evaluation functions such as “eval” or “execute”. Prefer an allow-list of what the parameter may legitimately contain over a deny-list of bad characters.

  • Remove direct command execution functions such as “system” from the code where possible. Where they must remain, do not pass externally supplied values into them; if that is unavoidable, run a fixed command with an allow-listed, properly escaped argument instead of a command string built by concatenation.

  • If the vulnerable component is a third-party program, upgrade it to the latest version.
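The following is an added example illustrating the Description and Solution 1 above; it is not code from the original page. It assumes a hypothetical "ping a host" feature whose hostname parameter comes from the request, and uses Python's subprocess rather than PHP's system() so it can run stand-alone. The vulnerable version concatenates the parameter into a shell command line; the hardened version allow-lists the parameter and runs a fixed argv without a shell, with shlex.quote (the equivalent of escapeshellarg) shown as the fallback when a shell cannot be avoided. The sample inputs are constructed for the demonstration.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed sample inputs (not from the original page): a benign hostname and
# an injection payload that smuggles a second command after ";" (the "&&", "|"
# and "||" operators named in the advisory work the same way).
BENIGN_HOST = "example.com"
INJECTED_HOST = "example.com; cat /etc/passwd"


# Vulnerable pattern: external input is concatenated into a command string that
# is then handed to a shell (subprocess.run(..., shell=True), os.system, or PHP
# system()). The shell treats ";", "&&", "|", "||", "`" and "$()" inside the
# input as control operators, so the attacker decides what finally runs.
def vulnerable_command_line(host: str) -> str:
    return "ping -c 1 " + host


# Fix 1 (strict parameter control): an allow-list describing the only thing
# this parameter may legitimately be, a DNS hostname. Anything else is rejected;
# we do not enumerate "bad" characters, since a deny-list is easy to get wrong.
# The first character must be alphanumeric, which also blocks option injection
# ("-f" would otherwise be read by ping as a flag even without a shell).
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)"                                          # total length
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"          # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"   # further labels
)


def is_safe_hostname(value: str) -> bool:
    return _HOSTNAME_RE.fullmatch(value) is not None


# Fix 2 (no shell, no concatenation): build an argv list and run it without a
# shell. Each element reaches the program as exactly one argument, so a value
# like "example.com; cat /etc/passwd" would arrive at ping as a single, invalid
# hostname rather than as two commands. Validation still runs first so that
# argument injection is refused as well.
def build_ping_argv(host: str) -> List[str]:
    if not is_safe_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "1", host]


def rejects(host: str) -> bool:
    """True if the hardened builder refuses this input."""
    try:
        build_ping_argv(host)
    except ValueError:
        return True
    return False


# Fallback when a shell really is unavoidable (for example an existing script
# invoked through "sh -c"): quote the argument so the shell sees one literal
# word. This is the Python counterpart of PHP's escapeshellarg().
def escaped_command_line(host: str) -> str:
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host: str) -> int:
    """Run the hardened command without a shell; returns the exit status
    (127 if no ping binary is installed, -1 on timeout)."""
    argv = build_ping_argv(host)
    try:
        return subprocess.run(argv, capture_output=True, timeout=10).returncode
    except FileNotFoundError:
        return 127
    except subprocess.TimeoutExpired:
        return -1


if __name__ == "__main__":
    for host in (BENIGN_HOST, INJECTED_HOST):
        print("input:        ", repr(host))
        print("  vulnerable: ", vulnerable_command_line(host))
        print("  escaped:    ", escaped_command_line(host))
        print("  allow-list: ", "REJECTED" if rejects(host) else build_ping_argv(host))
    print("exit status of hardened ping to 127.0.0.1:", run_ping("127.0.0.1"))
```

Running the module prints, for the injected input, the concatenated command line `ping -c 1 example.com; cat /etc/passwd` (which a shell would execute as two commands), the escaped form `ping -c 1 'example.com; cat /etc/passwd'` (one literal argument), and `REJECTED` from the allow-list. The allow-list plus argv approach is the one to prefer: escaping alone still lets a value such as `-f` through to the program as an option.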

Solution 2

Use an open source vulnerability repair plugin.

Note: This solution requires that the website administrators have programming skills and are capable of modifying server code.
