Authorization / Use of Potentially Dangerous Function
Use of Potentially Dangerous Function (CWE-602) is a vulnerability that occurs when an application calls a potentially dangerous function, such as system() or exec(), in a way that lets an attacker control what it executes, giving them arbitrary code execution. It is classified in the Authorization category of the Common Weakness Enumeration (CWE) directory and is found in Web and API applications (OWASP Testing Guide). Exploiting it can allow attackers to access sensitive information or bypass authentication.
The impact is the compromise of sensitive information, authentication bypass, or the execution of malicious code. The risk is rated high because an attacker can reach resources they should never be able to access.
The best mitigation is to avoid potentially dangerous functions such as system() or exec() altogether. Where the application genuinely needs them, every input that reaches such a call must be validated and properly sanitized. The application should also not run with elevated privileges, and its runtime should be configured to limit what an attacker could execute if such a call is reached.
The following code allows an attacker to execute arbitrary code, because the cmd request parameter is passed straight to system() without any validation:
<?php
$cmd = $_GET['cmd']; // untrusted request parameter
system($cmd);        // run as a shell command without validation
?>
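As an added example (not code from the original page), here is a hardened replacement for the snippet above that applies the mitigation paragraph: the request may only select one of a few fixed actions, the single argument each action takes is validated against a strict pattern, and the value is escaped with escapeshellarg() before it reaches exec(). The action names, the commands they map to and the hostname pattern are illustrative assumptions.

```php
<?php
// Added example (not from the original page): hardened replacement for the
// vulnerable snippet. No request value is ever passed to a dangerous function
// unvalidated; the command itself comes from a fixed allowlist.
// Assumptions: the application only needs "ping" and "whois" against a
// hostname; adapt the allowlist and pattern to what is actually required.

declare(strict_types=1);

// Allowlist: request value => fixed command template. Nothing else is run.
const ALLOWED_ACTIONS = [
    'ping'  => 'ping -c 1 %s',
    'whois' => 'whois %s',
];

// Hostnames only: letters, digits, dots and hyphens, bounded length.
// The first character must be alphanumeric, so the value can never be
// mistaken for a command-line option.
const HOST_PATTERN = '/\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?\z/';

/**
 * Build the command line for an action, or return null if the request is
 * not acceptable. Untrusted text is only ever inserted after escaping.
 */
function buildCommand(string $action, string $target): ?string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;                       // unknown action: refuse
    }
    if (preg_match(HOST_PATTERN, $target) !== 1) {
        return null;                       // argument fails validation: refuse
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so any remaining shell metacharacters are inert.
    return sprintf(ALLOWED_ACTIONS[$action], escapeshellarg($target));
}

/**
 * Handle one request array (normally $_GET) and return the response body.
 */
function handleRequest(array $get): string
{
    $action = (string)($get['action'] ?? '');
    $target = (string)($get['target'] ?? '');

    $command = buildCommand($action, $target);
    if ($command === null) {
        http_response_code(400);
        // Audit trail for detection; the value is URL-encoded so it cannot
        // break the log format.
        error_log('rejected command request: action=' . rawurlencode($action));
        return "Bad request\n";
    }

    $output = [];
    $status = 0;
    // exec() is still a dangerous function, but the command line reaching it
    // is fully controlled by the allowlist and the validated, escaped argument.
    exec($command, $output, $status);
    return implode("\n", $output) . "\n";
}

// Demonstration with constructed inputs when run from the CLI (php hardened.php);
// under a web server the script answers the actual request instead.
if (PHP_SAPI === 'cli') {
    var_dump(buildCommand('ping', 'example.com'));      // a valid hostname
    var_dump(buildCommand('ping', 'example.com; id'));  // hostname with a shell metacharacter appended
    var_dump(buildCommand('rm', 'example.com'));        // an action that is not in the allowlist
} else {
    echo handleRequest($_GET);
}
```

The key design choice is that the request never supplies a command at all, only a choice among commands the developer wrote; validation and escaping then protect the one argument that remains. Running the script under an unprivileged account, as the mitigation paragraph recommends, limits the damage should the allowlist ever be widened carelessly.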