...
Suppose a Java program wants to send email using the mail program. It might ask the user for an email address. The command might take the form:
```
mail <ADDRESS>
```
However, if an attacker supplies the following value for <ADDRESS>:
```
noboday@nowhere.com ; useradd attacker
```
the command executed is actually two commands:
```
mail noboday@nowhere.com ;
useradd attacker
```
which causes a new account to be created for the attacker.
...
```java
// Noncompliant: the untrusted value of the "email" system property is
// concatenated directly into the command string handed to Runtime.exec(),
// so the attacker-controlled address shown above becomes part of the command.
String address = System.getProperty("email");
if (address == null) {
  // handle error
}
Runtime runtime = Runtime.getRuntime();
Process proc = runtime.exec("mail " + address);
```
...
Compliant Solution (Whitelisting)
This compliant solution sanitizes the email address by permitting only a small, explicitly listed set of characters to appear in it and rejecting any other input, thus preventing command injection.
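An added example of such a whitelist, not the guideline's own compliant code: `isSafeAddress` rejects any address containing a character outside the permitted set, and `sendMail` (the class, method and pattern names are illustrative) calls `Runtime.exec()` only with a value that has passed; passing the command as a `String[]` is an extra measure assumed here rather than taken from the text.

```java
import java.io.IOException;
import java.util.regex.Pattern;

// Added example, not part of the guideline: whitelist the address before it
// reaches Runtime.exec(). Names are illustrative.
public class MailAddressWhitelist {

    // Only these characters may appear. Anything else, including space, ';',
    // '|', '&', '$', '`', quotes and newlines, causes rejection rather than escaping.
    private static final Pattern SAFE_ADDRESS =
        Pattern.compile("[0-9A-Za-z._%+-]+@[0-9A-Za-z.-]+");

    // True only if the entire string consists of permitted characters.
    static boolean isSafeAddress(String address) {
        return address != null && SAFE_ADDRESS.matcher(address).matches();
    }

    // Launches mail only after the address has passed the whitelist.
    static Process sendMail(String address) throws IOException {
        if (!isSafeAddress(address)) {
            throw new IllegalArgumentException("rejected address");
        }
        // Assumed extra hardening: pass the address as its own argv element so a
        // passing value can never be split into additional command words.
        return Runtime.getRuntime().exec(new String[] {"mail", address});
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign address, the injection string from the
        // text, and a newline-based variant of it.
        String[] inputs = {
            "alice@example.com",
            "noboday@nowhere.com ; useradd attacker",
            "bob@example.com\nuseradd attacker",
        };
        for (String in : inputs) {
            String verdict = isSafeAddress(in) ? "ACCEPT " : "REJECT ";
            System.out.println(verdict + in.replace("\n", "\\n"));
        }
    }
}
```

Running `main` prints ACCEPT for the first input and REJECT for the other two; only the accepted value would ever reach `sendMail`.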
...