CWE-95 – Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)


Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. “eval”).

This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium


Related Weaknesses

CWE-94


Consequences

Confidentiality: Read Files or Directories, Read Application Data

The injected code could access restricted data / files.

Access Control: Bypass Protection Mechanism

In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Access Control: Gain Privileges or Assume Identity

Injected code can access resources that the attacker is directly prevented from accessing.

Integrity, Confidentiality, Availability, Other: Execute Unauthorized Code or Commands

Code injection attacks lead to loss of data integrity in nearly all cases, since the injected control-plane data is always incidental to the data being read or written. Additionally, code injection can often result in the execution of arbitrary code.

Non-Repudiation: Hide Activities

Often the actions performed by injected control code are unlogged.


Potential Mitigations

Phase: Architecture and Design, Implementation

Description: If possible, refactor your code so that it does not need to use eval() at all.
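The weakness and its mitigation side by side, as an added example that is not part of the CWE entry: a parser for a constructed key=value file (the assumed format) that hands each field to eval(), next to a refactored version that treats the field as data and never evaluates it as code.

```python
import ast
import re

# Constructed sample input: a small "formatted file" with one key=value per line.
SAMPLE_FILE = "width=640\nheight=480\n"

# Constructed tampered input: the value is an expression, not a number. In the
# unsafe parser it is executed; in the safe parser it is rejected.
TAMPERED_FILE = 'width=len("abcd") * 160\nheight=480\n'

_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,31}$")


def parse_config_unsafe(text: str) -> dict:
    """CWE-95 pattern: each field is passed to eval(), so whoever controls the
    file controls what code runs in this process."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        cfg[key.strip()] = eval(value)  # deliberately vulnerable, do not copy
    return cfg


def parse_config_safe(text: str) -> dict:
    """Refactored without eval(): keys must match an allowlist pattern and values
    are parsed with ast.literal_eval, which accepts Python literals only (no
    names, calls, attribute access or operators on non-literals)."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not _KEY_RE.match(key):
            raise ValueError(f"malformed config line: {line!r}")
        try:
            parsed = ast.literal_eval(value.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"non-literal value for {key}: {value!r}") from exc
        if isinstance(parsed, bool) or not isinstance(parsed, int):
            raise ValueError(f"{key} must be an integer, got {value!r}")
        cfg[key] = parsed
    return cfg


def safe_parser_rejects(text: str) -> bool:
    """True if the hardened parser refuses the input instead of evaluating it."""
    try:
        parse_config_safe(text)
    except ValueError:
        return True
    return False
```

The unsafe parser returns the same dictionary for both inputs, which is exactly the problem: the expression in the tampered file was executed to produce the number, and any other expression would have been executed just as readily.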


CVE References


  • CVE-2008-5305
    • Eval injection in a Perl program using an ID that should contain only hyphens and numbers.
  • CVE-2005-1921
    • MFV. Code injection into a PHP eval statement using nested constructs that should not be nested.
  • CVE-2005-2498
    • MFV. Code injection into a PHP eval statement using nested constructs that should not be nested.
  • CVE-2005-3302
    • Code injection into a Python eval statement from a field in a formatted file.
  • CVE-2001-1471
    • Chain: resultant eval injection. An invalid value prevents initialization of variables, which can then be modified by the attacker and later injected into a PHP eval statement.
  • CVE-2007-2713
    • Chain: execution after redirect triggers eval injection.