[VIM] WebMplayer "eval injection" is actually OS command injection

Steven M. Christey coley at mitre.org
Tue Feb 27 12:08:59 EST 2007

Ref: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=486880&group_id=172354

The statement "index.php: Bugfix: $val must be numeric, so no other
can be commands inserted" has apparently been interpreted as eval
injection by some sources (and a "param" parameter), but a code review
for index.php in 0.6alpha shows:

  while(list($param) = each($_GET)){
	if(isset($_GET[$param])){$val = $_GET[$param];}
	if (!empty($val)){ 
		exec($aumix." -".$param." ".$val);

$aumix is an executable.

The "empty($val)" statement was fixed to:

	if (!empty($val) && is_numeric($val)){ 


1) This is "OS Command Injection" by shell metacharacters in the
   exec(), with no escapeshellarg/escapeshellcmd.

2) "param" is not a parameter name at all, except the code seems to
   allow arbitrarily-named parameters, so maybe "param" would actually

- Steve

More information about the VIM mailing list