A key tenet of secure programming is to never reference user input and print it without a scan and replacement of key metacharacters.
In the early days of web programming, it wasn’t uncommon to use a scripting language to process data from a web page and to assume user input was simply text. Hackers discovered that properly formatted strings containing backticks could be input and would be executed on the host serving the web page.
As an example, a field might ask for my name so I would type
john `ls` smith
and if the server script went to print my name back to me on the web page refresh then I might see a listing of files and directories on the web server.
Why? Because the backtick is recognized by the server script as a request to execute the ls command before it prints the string. It was a great feature for getting the current date and time from Unix commands when the scripting language had no date and time functions of its own.
Other commands could be used the same way to find and access a database, make it available to anyone, and extract its data.
The solution has been to first scan the user input and replace characters like the backtick with a quoted backtick or to remove the backtick or to reject the user name and have the user retype it.
In log4j the developers added a feature to get system info when a logging message is printed. The info could be useful to web admins diagnosing system issues with a running web app. However, if the app programmer didn’t properly scan user input and instead just printed it to the app log, a knowledgeable hacker could insert a properly formatted string to do damage to the web server.
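The three remedies listed above for shell metacharacters (quote them, strip them, or reject the input and ask the user to retype it), together with the same scan-before-use discipline the log4j paragraph calls for when user text goes into a log, as an added example in Python that is not part of the original post. The metacharacter set, the name whitelist pattern and the `form field` log format are assumptions chosen for illustration; the sample input is the post's own `john `ls` smith`.

```python
import logging
import re
import shlex
import subprocess

# Characters a Unix shell interprets as commands or substitutions rather than
# literal text. The backtick from the post is the classic one. (Assumed set.)
SHELL_METACHARS = "`$|;&<>()\\\"'\n\r"

# Whitelist for a name field: letters, spaces, periods, hyphens. (Assumed policy.)
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z .\-]{0,63}$")


def has_metachars(text):
    """Scan step: does the input contain anything a shell would act on?"""
    return any(ch in SHELL_METACHARS for ch in text)


def strip_metachars(text):
    """Remedy 1: remove the dangerous characters and keep the rest."""
    return "".join(ch for ch in text if ch not in SHELL_METACHARS)


def quote_for_shell(text):
    """Remedy 2: quote the value so a shell sees every character literally.
    shlex.quote wraps anything outside [A-Za-z0-9@%+=:,./-] in single quotes."""
    return shlex.quote(text)


def accept_name(text):
    """Remedy 3: reject anything outside the whitelist; the caller asks the
    user to retype it."""
    return NAME_PATTERN.fullmatch(text) is not None


def build_greeting_argv(name):
    """Safest option: never build a shell command string at all. Pass the
    name as its own argv element; with shell=False nothing is re-parsed."""
    return ["echo", "Hello,", name]


def log_user_field(logger, field, value):
    """Logging discipline: scan the value first (replace non-printables),
    then pass it as a parameter so the logger never treats it as part of
    the message template. Returns the sanitized value that was logged."""
    safe = "".join(ch if ch.isprintable() else "?" for ch in value)
    logger.info("form field %s=%r", field, safe)
    return safe


if __name__ == "__main__":
    # Constructed input: the post's example name field value.
    submitted = "john `ls` smith"
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("form")

    print("contains metacharacters:", has_metachars(submitted))
    print("stripped :", strip_metachars(submitted))
    print("quoted   :", quote_for_shell(submitted))
    print("accepted :", accept_name(submitted))
    log_user_field(log, "name", submitted)

    # The argv form prints the name verbatim without ever invoking ls.
    out = subprocess.run(build_greeting_argv(submitted),
                         capture_output=True, text=True, check=True)
    print("greeting :", out.stdout.strip())
```

The whitelist in `accept_name` deliberately excludes the apostrophe even though it appears in real names: a single quote is itself a shell metacharacter, so if the field is ever passed to a shell, allowing it reintroduces the problem the check exists to prevent. The argv form in `build_greeting_argv` is what makes the quoting question moot, which is why it is the option to reach for first.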
Sophos wrote up a great description with examples:
https://nakedsecurity.sophos.com/20...works-why-you-need-to-know-and-how-to-fix-it/
Don’t be that guy using it for nefarious purposes, be the guy that finds and fixes their web applications to not do these bad things with user input.