Home / Vulnerability Database / ABAP : Command injection
ABAP
ABAP : Command injection
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
OWASP ASVS
PCI DSS 4.0
CWE/SANS Top 25 2011
Overview
Executing commands obtained from data from an untrusted source is insecure.
Running commands without setting precise absolute path allow an attacker to execute malicious code, changing the value of $PATH or other environment parameters.
Vulnerabilities such as command injection are divided into two categories:
- The attacker modifies the command itself;
- The attacker replaces the value of environment variables, implicitly changing the semantics of the command being executed.
In the given case, the application is prone to a first type of vulnerability.
Possible attack scenario:
- The application receives input data from an untrusted source, for example, data is entered by the user.
- The data obtained is used as a part of the line that defines the command.
- The command execution gives the attacker the rights that he did not previously possess.
References
- OWASP Top 10 2017-A1-Injection
- OWASP Top 10 2013-A1-Injection
- OWASP: Command Injection
- A word about CALL ‘SYSTEM’
- CWE-73: External Control of File Name or Path
- CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
MEDIUM
DerScanner Severity Score
Do you want to fix ABAP : Command injection in your application?
See also
ABAP
ABAP : Insufficient authorization check
ABAP
ABAP : Empty password
ABAP