A command injection vulnerability exists when user-supplied input is passed to a system shell without being validated correctly by the web application. The following snippet shows PHP code which is vulnerable to command injection.
In the vulnerable code above, an attacker can terminate the ping command with a semicolon and append arbitrary other system commands, which the shell then executes. Example input:
; cat /etc/passwd
In order to secure your web application from command injection, validate the user's input and only allow commands that are needed for the task. You can also sanitize the user's input by removing characters like ; and other shell metacharacters like &, &&, |, ||, <.
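As an added example that is not part of the original page, the following PHP shows the vulnerable pattern the text describes (a ping command built by string concatenation) beside a hardened version that applies the two mitigations above: allowlist validation of the input, and quoting the value with PHP's built-in escapeshellarg() so the shell treats it as one literal argument. The function names, the "host" parameter and the sample payload are constructed for this illustration.

```php
<?php
// Added example, not code from the original page.
// Assumes the host to ping arrives as a single string (e.g. a "host" query parameter).

// VULNERABLE: the user-supplied value is concatenated straight into the shell
// command, so metacharacters such as ';' end the ping command and start a new one.
function pingVulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// HARDENED, step 1: allowlist validation. Accept only an IP address or a
// hostname-shaped string; reject everything else before a shell is involved.
function isValidHost(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Hostname: dot-separated labels of letters, digits and hyphens, no label
    // starting or ending with a hyphen, at most 253 characters overall.
    $pattern = '/^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/';
    return (bool) preg_match($pattern, $host);
}

// HARDENED, step 2: even after validation, quote the argument. escapeshellarg()
// wraps the value in single quotes and escapes embedded quotes, so ';', '&',
// '|', '<' and similar characters lose their special meaning to the shell.
function pingSafe(string $host): string
{
    if (!isValidHost($host)) {
        throw new InvalidArgumentException('Invalid host');
    }
    return (string) shell_exec("ping -c 1 " . escapeshellarg($host));
}

// Demonstration with the page's sample payload (constructed input, no HTTP request
// and no ping is executed here).
$payload = "; cat /etc/passwd";

var_dump(isValidHost($payload));       // the allowlist rejects the payload outright
var_dump(isValidHost("example.com"));  // a plain hostname passes the allowlist

try {
    pingSafe($payload);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}

// Show how the payload would be quoted if it ever reached the shell: it becomes a
// single literal argument rather than a command separator followed by a command.
echo "Quoted form: " . escapeshellarg($payload) . "\n";
```

Note that the example relies on an allowlist first and on escapeshellarg() second, rather than on stripping a list of forbidden characters: a deny-list is easy to get wrong (it has to cover every shell construct the interpreter understands), whereas an allowlist only has to describe the small set of values the feature legitimately needs. The leading-hyphen check in the hostname pattern also prevents a validated value from being read by ping as a command-line option, which quoting alone does not prevent.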
For more information visit https://crashtest-security.com