PHP Snippet #07
Bookmarked!This challenge covers the review of a snippet of code written in PHP
The Code Review Snippet challenge gives you a snippet of PHP code that contains a security vulnerability. The task is to find the issue without watching the video initially. The provided code checks if the $_GET["count"]
parameter is set and falls within a specified range before using it in a system command to ping pentesterlab.com
. However, this code is vulnerable to command execution attacks because it does not verify whether $_GET["count"]
is an integer.
In the video, the vulnerability is explained in detail. The code checks if $_GET["count"]
is greater than zero and less than or equal to four, but it does not ensure that it is an integer. As a result, a malicious user can inject additional commands by including a semicolon in the count
parameter. For example, a value of 1;touch /tmp/command_execution
would be cast to 1
for the comparisons but would execute the additional touch
command when concatenated to the ping command, resulting in unintended command execution.