Tag Archives: CWE- 95

CWE-95 – Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Read Time:1 Minute, 57 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. “eval”).

This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-94

 

Consequences

Confidentiality: Read Files or Directories, Read Application Data

The injected code could access restricted data / files.

Access Control: Bypass Protection Mechanism

In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Access Control: Gain Privileges or Assume Identity

Injected code can access resources that the attacker is directly prevented from accessing.

Integrity, Confidentiality, Availability, Other: Execute Unauthorized Code or Commands

Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.

Non-Repudiation: Hide Activities

Often the actions performed by injected control code are unlogged.

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

If possible, refactor your code so that it does not need to use eval() at all.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

CVE References

 

  • CVE-2008-5305
    • Eval injection in Perl program using an ID that should only contain hyphens and numbers.
  • CVE-2005-1921
    • MFV. code injection into PHP eval statement using nested constructs that should not be nested.
  • CVE-2005-2498
    • MFV. code injection into PHP eval statement using nested constructs that should not be nested.
  • CVE-2005-3302
    • Code injection into Python eval statement from a field in a formatted file.
  • CVE-2001-1471
    • chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement.
  • CVE-2007-2713
    • Chain: Execution after redirect triggers eval injection.