...
A weakness in a privileged program caused by relying on untrusted sources such as system properties or the environment (see rule ENV06IDS23-J . Provide a trusted environment and sanitize all inputsSanitize all data passed in through environment variables and non-default properties) can result in the execution of a command or of a program that has privileges beyond those possessed by a typical user.
...
Because Runtime.exec() receives unsanitized data originating from the environment (see rule ENV06IDS23-J . Provide a trusted environment and sanitize all inputsSanitize all data passed in through environment variables and non-default properties), this code is susceptible to a command injection attack.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1bb820fca2925919-684610e1-4f804481-9707b686-98c7b1efc7b54e9bfd190aa8"><ac:plain-text-body><![CDATA[ | [CVE-2010-0886] | [Sun Java Web Start Plugin Command Line Argument Injection | http://www.securitytube.net/video/1465] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2eb3881df18113ce-13597677-4ae744ff-99a68686-e9d8053e873e04e2d2b35c3e"><ac:plain-text-body><![CDATA[ | [CVE-2010-1826] | [Command injection in updateSharingD's handling of Mach RPC messages | http://securitytracker.com/id/1024617] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f27f34503afb70ec-2beea984-40b54d0e-8b3fae1e-df351b9af71e94d7e7777349"><ac:plain-text-body><![CDATA[ | [T-472] | [Mac OS X Java Command Injection Flaw in updateSharingD Lets Local Users Gain Elevated Privileges | http://www.doecirc.energy.gov/bulletins/t-472.shtml] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ac5a913dd8aaf56f-7801c7b8-4a164edc-8259b4dd-b6c6979c0bd538234f6e9ab6"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 78 | http://cwe.mitre.org/data/definitions/78.html] "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" | ]]></ac:plain-text-body></ac:structured-macro> |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f02132c7df122399-cfc4749e-41c847a5-a911a30f-dcbd2af4fe786592ecadb4ad"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | Chapter 5: Handling Input, "Command Injection"]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b3eafc8f15ad9011-39ad0f13-447047be-b8e48793-f4a6b6ebd7ba99917b2c1b6c"><ac:plain-text-body><![CDATA[ | [[OWASP 2005 | AA. Bibliography#OWASP 05]] | [Reviewing Code for OS Injection | http://www.owasp.org/index.php/Reviewing_Code_for_OS_Injection] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="df623df0afb8fb8f-19022d70-4cc3426b-a9319eca-21a073f7c04243ab9e29783b"><ac:plain-text-body><![CDATA[ | [[Permissions 2008 | AA. Bibliography#Permissions 08]] | [Permissions in the Java™ SE 6 Development Kit (JDK) | http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html], Sun Microsystems, Inc. (2008) | ]]></ac:plain-text-body></ac:structured-macro> |
...