CUI

Documentation - V-222604

V-222604

Application Security and Development Security Technical Implementation Guide

CAT I

Title

The application must protect from command injection.

Description

A command injection attack is an attack on a vulnerable application where improperly validated input is passed to a command shell set up in the application. The result is that an attacker can execute OS commands via the application. A command injection allows an attacker to execute their own commands with the same privileges as the executing application. The following is an example of a URL-based command injection attack. Before alteration: http://sitename/cgi-bin/user...

Fix Text (Documentation Requirement)

Modify the application to escape or sanitize special-character input, or configure the system to protect against command injection attacks in a way appropriate to the application architecture.
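The following is an added example illustrating the two remediations named in the Fix Text (sanitize the input, and keep it away from a shell); it is not part of the STIG and the user-lookup handler, the `id` command and the username allowlist are assumptions for illustration.

```python
"""Hardened handling of request input that reaches an OS command (V-222604).

Hypothetical scenario (not from the STIG): a CGI-style handler takes a
`username` request parameter and looks the account up with the `id` utility.
Two defenses are applied: allowlist validation of the parameter, and
invocation as an argument vector with shell=False, so shell metacharacters
in the input are never interpreted by a command shell.
"""
import re
import shlex
import subprocess
from typing import List

# Allowlist (assumed policy): a conservative POSIX-style account name.
_USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,31}$")


class InvalidInput(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def is_valid_username(value: str) -> bool:
    """True only if the value is entirely made of allowlisted characters."""
    return bool(_USERNAME_RE.match(value))


def validate_username(value: str) -> str:
    """Return the value unchanged if it passes the allowlist; otherwise raise."""
    if not is_valid_username(value):
        raise InvalidInput("username contains disallowed characters")
    return value


def build_argv(username: str) -> List[str]:
    """Build the command as an argument vector, never as a shell string.
    The '--' ends option parsing so the name can never be read as a flag."""
    return ["id", "--", validate_username(username)]


def vulnerable_shell_line(username: str) -> str:
    """The pattern the STIG prohibits: unvalidated input concatenated into a
    shell command line. Kept only for contrast; it is never executed here."""
    return "id " + username


def escaped_shell_line(username: str) -> str:
    """Fallback when a shell cannot be avoided: validate, then shell-quote."""
    return "id -- " + shlex.quote(validate_username(username))


def lookup_user(username: str) -> subprocess.CompletedProcess:
    """Run the lookup with shell=False so argv goes straight to the OS."""
    return subprocess.run(build_argv(username), capture_output=True,
                          text=True, shell=False, check=False)
```

`build_argv` and `escaped_shell_line` both reject the input before it reaches a command, so a request carrying shell metacharacters fails closed with `InvalidInput` rather than reaching the shell.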
