VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows
CERT Recently Published Vulnerability Notes kb.cert.org
Overview
Various programming languages lack proper validation mechanisms for commands and, in some cases, also fail to escape arguments correctly when invoking commands in a Microsoft Windows environment. This command injection vulnerability, present when these languages run on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. It may also affect applications that execute commands without specifying the file extension.
Description
Programming languages typically provide a way to execute commands (e.g., os/exec …