Serverside script injection?

Hi there.

I have a question regarding serverside script injection. Does it exist - is it possible?

In the past there were some vulnerabilities in serverside scripts. It was possible to execute OS-commands through URL/userinput manipulation, I assume this happened mostly with CGI and perl scripts. Was this just based on the way the variables (userinput) was used in OS commands, and if the 'user data' was able to break out the intended command?

I think it depends on the applicationserver software if 'serverside script injection' is possible or not (assuming the programmer/coder does not want any security). In my opinion most important is the way that the applicationserver handles variables. The possibility for variables to contain commands...

Is it (theoretically) possible on ASP servers to inject 'malicious' code into the webpage, so that it is processed on the serverside? Is it possible on PHP or Coldfusion?

Are there any real life examples?
(so that I can play with it in my testlab)

Thank you for all reactions!

Regards, Received on Wed Jan 15 13:34:06 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek