Tag Archives: CWE- 96

CWE-96 – Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)

Read Time:1 Minute, 23 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-94

 

Consequences

Confidentiality: Read Files or Directories, Read Application Data

The injected code could access restricted data / files.

Access Control: Bypass Protection Mechanism

In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Access Control: Gain Privileges or Assume Identity

Injected code can access resources that the attacker is directly prevented from accessing.

Integrity, Confidentiality, Availability, Other: Execute Unauthorized Code or Commands

Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.

Non-Repudiation: Hide Activities

Often the actions performed by injected control code are unlogged.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

Perform proper output validation and escaping to neutralize all code syntax from data written to code files.

CVE References

 

  • CVE-2002-0495
    • Perl code directly injected into CGI library file from parameters to another CGI program.
  • CVE-2005-1876
    • Direct PHP code injection into supporting template file.
  • CVE-2005-1894
    • Direct code injection into PHP script that can be accessed by attacker.
  • CVE-2003-0395
    • PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.
  • CVE-2007-6652
    • chain: execution after redirect allows non-administrator to perform static code injection.