Input Validation / Unidentified Code Injection
This type of vulnerability can lead to serious security issues, such as data theft and the execution of malicious code. If the vulnerability is exploited, it can lead to a variety of different malicious activities, such as data theft, denial of service attacks, or even the unauthorized execution of malicious code. Furthermore, as attackers can inject code into the application, they can potentially gain access to sensitive information or even gain control of the system.
The first step in preventing this type of vulnerability is to ensure that all user input is properly validated. This can be done by using a whitelist of acceptable character sets, as well as using a combination of client-side and server-side validation. Additionally, input should also be sanitized before being sent to the web server or database. All output should also be properly encoded and escaped to prevent malicious code from being executed.
The following code example shows how a simple code injection can be exploited (CVE-2018-8421):
<?php $user_input = $_GET['user_input']; eval($user_input); ?>
In this example, the application is vulnerable to code injection as it fails to validate user input before sending it to the web server or database. As a result, attackers can inject arbitrary code into the application, potentially allowing them to take control of the system or access confidential data.