Cwe 78

🧬 CWE Related 120
slug: cwe-78

Explanation

CWE-78は「ユーザー入力をシェルコマンドの一部として使うとき、適切にエスケープせず、攻撃者がコマンドを追加実行できてしまう欠陥」のことです。 例えば `ping {ユーザー入力IP}` の {ユーザー入力IP} に `; rm -rf /` のような文字列を入れられると、サーバー上のファイルが削除されます。 対策は「シェル経由を避け、引数を配列として直接渡す (PHPなら escapeshellarg)」。
📌 Example
Shellshock (CVE-2014-6271): Bashの脆弱性で、Webサーバーへの普通のリクエスト経由で任意のシェルコマンドが実行できた歴史的な事件。

🔖 Related tags

🛡 Vulnerabilities tagged with this 796

ID Title
CVE-2017-1000214 GitPHP by xiphux is vulnerable to OS Command Injections
CVE-2017-16957 OS Command Injection in tp-link (CVE-2017-16957)
CVE-2017-16958 OS Command Injection in tp-link (CVE-2017-16958)
CVE-2017-16960 OS Command Injection in tp-link (CVE-2017-16960)
CVE-2017-16934 OS Command Injection in dbltek (CVE-2017-16934)
CVE-2017-16926 OS Command Injection in ohcount-project (CVE-2017-16926)
CVE-2017-16923 OS Command Injection in tenda (CVE-2017-16923)
CVE-2017-1000215 OS Command Injection in xrootd (CVE-2017-1000215)
CVE-2017-1000203 OS Command Injection in cern (CVE-2017-1000203)
CVE-2017-1000220 OS Command Injection in pidusage-project (CVE-2017-1000220)
CVE-2017-1000219 OS Command Injection in windows-cpu-project (CVE-2017-1000219)
CVE-2017-12305 Command Injection in cisco (CVE-2017-12305)
CVE-2017-12636 OS Command Injection in apache (CVE-2017-12636)
CVE-2017-1453 OS Command Injection in ibm (CVE-2017-1453)
CVE-2017-16667 OS Command Injection in backintime-project (CVE-2017-16667)
CVE-2017-16641 OS Command Injection in cacti (CVE-2017-16641)
CVE-2017-2917 OS Command Injection in meetcircle (CVE-2017-2917)
CVE-2017-2866 OS Command Injection in meetcircle (CVE-2017-2866)
CVE-2017-2890 OS Command Injection in meetcircle (CVE-2017-2890)
CVE-2017-12243 OS Command Injection in cisco (CVE-2017-12243)
CVE-2017-10953 OS Command Injection in foxitsoftware (CVE-2017-10953)
CVE-2017-9377 OS Command Injection in barco (CVE-2017-9377)
CVE-2017-15924 OS Command Injection in c (CVE-2017-15924)
CVE-2017-7341 OS Command Injection in fortinet (CVE-2017-7341)
CVE-2017-10955 OS Command Injection in emc (CVE-2017-10955)
CVE-2017-3761 OS Command Injection in lenovo (CVE-2017-3761)
CVE-2017-6223 OS Command Injection in ruckus (CVE-2017-6223)
CVE-2017-6224 OS Command Injection in ruckuswireless (CVE-2017-6224)
CVE-2017-15226 OS Command Injection in zyxel (CVE-2017-15226)
CVE-2017-1000116 OS Command Injection in mercurial (CVE-2017-1000116)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →