URL: http://192.168.178.80:8000/admin/runCommand
Path: /admin/runCommand
Hostname: 192.168.178.80
Port: 8000
Vulnerable Parameter: command
CWE: 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
Category: Command or Argument Injection
Plugin: Command or Argument Injection
Severity: 5
Attack Vector: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
It is possible to execute arbitrary OS commands at http://192.168.178.80:8000/admin/runCommand by injecting sleep 10 into the command parameter. OS command injection attacks are exploited by using shell meta characters to escape, or break out of, the hardcoded command and issue additional commands on the system.
Do not allow the end user to submit data which will be used in constructing OS commands to be executed. If it is necessary to use user input, properly escape shell meta characters before including the input in operating system commands. Most APIs that execute system commands also have a "safe" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.