CWE - CWE-96: Insufficient Control of Directives in Statically Saved Code (Static Code Injection) (Draft 9)

Home > CWE List > CWE-96 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-96 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Draft

96 (Weakness Base)

Description

Summary

The software allows user-controlled input to be fed directly into an output file that is later processed as code, such as a library file or template.

Weakness Ordinality

Primary (Weakness exists independent of other weaknesses)

Causal Nature

Explicit (This is an explicit weakness resulting from behavior of the developer)

Affected Resource

File/Directory

Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to filter code syntax from user-controlled input.

Avoid writing user-controlled input to code files.

Perform output validation to filter all code syntax from data written to non-code files.

Observed Examples

Reference	Description
CVE-2002-0495	Perl code directly injected into CGI library file from parameters to another CGI program.
CVE-2005-1876	Direct PHP code injection into supporting template file.
CVE-2005-1894	Direct code injection into PHP script that can be accessed by attacker.
CVE-2003-0395	PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.

Context Notes

"HTML injection" (see XSS) could be thought of as an example of this, but it is executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.

This issue is most frequently found in PHP applications that allow users to set configuration variables that are stored within executable php files. Technically, this could also be performed in some compiled code (e.g. by byte-patching an executable), although it is highly unlikely.

Relationships

Nature	Type	ID	Name
ChildOf	Weakness Class	94	Code Injection
ChildOf	Category	632	Weaknesses that Affect Files or Directories
ParentOf	Weakness Base	97	Failure to Sanitize Server-Side Includes (SSI) Within a Web Page

Source Taxonomies

PLOVER - Direct Static Code Injection

Applicable Platforms

PHP

Perl

All Interpreted Languages

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
35	Leverage Executable Code in Nonexecutable Files
81	Web Logs Tampering
63	Simple Script Injection
18	Embedding Scripts in Nonscript Elements
73	User-Controlled Filename
85	Client Network Footprinting (using AJAX/XSS)
86	Embedding Script (XSS ) in HTTP Headers
77	Manipulating User-Controlled Variables

Page Last Updated: April 22, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us