CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.6)  

CWE-96: Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')

 
Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')
Weakness ID: 96 (Weakness Base)Status: Draft
+ Description

Description Summary

The software receives input from an upstream component, but it does not sanitize or incorrectly sanitizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

PHP

Perl

All Interpreted Languages

+ Observed Examples
ReferenceDescription
CVE-2002-0495Perl code directly injected into CGI library file from parameters to another CGI program.
CVE-2005-1876Direct PHP code injection into supporting template file.
CVE-2005-1894Direct code injection into PHP script that can be accessed by attacker.
CVE-2003-0395PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.
+ Potential Mitigations
PhaseDescription

Assume all input is malicious. Use an appropriate combination of black lists and white lists to filter code syntax from user-controlled input.

Avoid writing user-controlled input to code files.

Perform output validation to filter all code syntax from data written to non-code files.

+ Other Notes

"HTML injection" (see XSS) could be thought of as an example of this, but it is executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.

This issue is most frequently found in PHP applications that allow users to set configuration variables that are stored within executable php files. Technically, this could also be performed in some compiled code (e.g. by byte-patching an executable), although it is highly unlikely.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class94Failure to Control Generation of Code ('Code Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory632Weaknesses that Affect Files or Directories
Resource-specific Weaknesses (primary)631
ParentOfWeakness BaseWeakness Base97Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
Development Concepts (primary)699
Research Concepts (primary)1000
+ Affected Resources
  • File/Directory
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERDirect Static Code Injection
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2009-05-27CWE Content TeamMITREInternal
updated Description, Name
Back to top
Page Last Updated: October 29, 2009
 

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us