Command injection vulnerabilities take two forms:

- An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
- An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.

In this case we are primarily concerned with the second scenario, the possibility that an attacker may be able to change the meaning of the command by changing an environment variable or by putting a malicious executable early in the search path.
1. Applications should avoid incorporating user-controllable data into operating system commands.
2. Use library calls rather than external processes to recreate the desired functionality.
3. Ensure that all external commands called from the program are statically created.

For more information refer to: https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
Example: $output = shell_exec($cmd);

The shell_exec() function is used in multiple places.
Example code path: vendor/laminas/laminas-console/src/Adapter/Virtual.php (Line: 171)

protected function switchToUtf8()
{
    shell_exec('mode con cp select=65001');
}

The same pattern appears in a few other vendor files.
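The following is an added illustration of the three recommendations above; it is not code from this report or from laminas-console. It puts the `$output = shell_exec($cmd)` pattern beside two hardened alternatives: a library call that needs no external process (recommendation 2), and a statically created command started with an absolute path and an explicit environment (recommendation 3), which addresses the second form named at the top of this report, where the attacker changes what a fixed command means through PATH or other environment variables. Note that the Virtual.php call quoted above already has a fixed command string, so of the two forms only the environment one applies to it. The function names, the `/tmp` sample directory and the `/bin/ls` binary are constructed for the example; the array form of `proc_open()` (which skips the shell entirely) requires PHP 7.4 or later.

```php
<?php
// Added example, not code from the page or from laminas-console.
// Function names, the sample directory and the binary path are constructed.

// --- Vulnerable form: the attacker controls what the command *is*. ---
// A request parameter is concatenated into the command string unchanged,
// so a value such as "/tmp; id" makes the shell run a second command.
function listDirectoryUnsafe(string $userDir): string
{
    return (string) shell_exec("ls " . $userDir);
}

// --- Hardened form 1: a library call instead of an external process. ---
// scandir() never consults a shell, so shell metacharacters in the
// input have no special meaning; the input is still validated first.
function listDirectorySafe(string $userDir): array
{
    $real = realpath($userDir);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException('not a directory');
    }
    return array_values(array_diff(scandir($real), ['.', '..']));
}

// --- Hardened form 2: a statically created command with a controlled environment. ---
// The program is named by absolute path, so PATH is never searched, and the
// environment is built explicitly rather than inherited from the caller.
// Passing $argv as an array (PHP 7.4+) starts the process without a shell,
// so each element is exactly one argument and no quoting is interpreted.
function runFixedCommand(array $argv, string $cwd): string
{
    if ($argv === [] || $argv[0][0] !== '/') {
        throw new InvalidArgumentException('command must use an absolute path');
    }
    $env  = ['PATH' => '/usr/bin:/bin', 'LC_ALL' => 'C'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];

    $proc = proc_open($argv, $spec, $pipes, $cwd, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("command exited with status $status: $err");
    }
    return $out;
}

// Constructed usage: the binary and its flags are constants in the code; the
// only variable part is a validated directory, passed as a separate argument.
$dir = '/tmp';
print_r(listDirectorySafe($dir));
echo runFixedCommand(['/bin/ls', '-la', $dir], '/');
```

Where a finding like the Virtual.php one must keep calling an external program, the second hardened form is the relevant one: the command string stays constant, the executable is fully qualified, and the process inherits only the environment the code chooses.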
CWE Code: CWE-77