Over a million developers have joined DZone.

Remote Code Evaluation (Execution) Vulnerability

DZone's Guide to

Remote Code Evaluation (Execution) Vulnerability

In this article, we discuss what this vulnerability does, how attackers exploit it, and what you as a developer can do to help mitigate this vulnerability.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

What Is the Remote Code Evaluation Vulnerability?

Remote Code Evaluation is a vulnerability that can be exploited if the user input is injected into a File or a String and executed (evaluated) by the programming language's parser. Usually, this behavior is not intended by the developer of the web application. A Remote Code Evaluation can lead to a full compromise of the vulnerable web application and also a web server. It is important to note that almost every programming language has code evaluation functions.

Remote Code Evaluation Explanation and Example

A code evaluation can occur if you allow user input inside functions that are evaluating code in the respective programming language. This can be implemented on purpose, for example, to access mathematical functions of the programming language to create a calculator, or accidentally because user-controlled input is not expected from the developer inside those functions. It is generally not advised to do so. In fact, it is considered to be a bad practice to use code evaluation.

Example of Code Evaluation Exploitation

You want to have dynamically generated variable names for every user and store its registration date. This is how it could be done in PHP:

eval("\$$user = '$regdate');

Since the username is generally user-controlled input an attacker can generate a name like this:

x = 'y';phpinfo();// 

The resulting PHP code would now look like this:

$x = 'y';phpinfo();// = '2016'; 

As you can see, the variable is now called x and has the value y. After the attacker was able to assign that value to the variable they are able to start a new command by using the semicolon (;). He can now comment out the rest of the string, so he doesn't get syntax errors. If he executes this code the output of phpinfo will appear on the page. You should keep in mind that this is not only possible in PHP but also in any other language with functions that evaluate input.

Stored Remote Code Evaluation Explanation and Example

Unlike the above example, this method does not rely on any specific language function, but on the fact that specific files are parsed by the language's interpreter. An example for this would be a configuration file that is included in a web application. Ideally, you should avoid using user input inside files that are executed by an interpreter as this can lead to unwanted and dangerous behavior. This kind of exploit technique is often seen in combination with an upload functionality that does not do the sufficient checks on file types and extensions.

Example of Stored Code Evaluation Exploitation

You develop a web application that has a control panel for every user. The control panel has some user-specific settings such as the language variable, that is set depending on a parameter and then stored inside a configuration file. An expected input could be like this:


The above will then be reflected as $lan = 'de'; inside the configuration file. Though an attacker could now change the language parameter to something like:


The above would result in the following code inside the file:

$lan = 'de';phpinfo()//'; 

And the above will be executed when the configuration file is included in the web application, basically allowing the attackers to execute any command they want.

Impacts of the Remote Code Evaluation Vulnerability

An attacker who is able to execute such a flaw is usually able to execute commands with the privileges of the programming language or the web server. In many languages, attackers can issue system commands, write, delete, or read files, or connect to databases.

How to Prevent Remote Code Evaluation

As a rule of thumb, you should avoid using user input inside the evaluated code. The best option would be to not use functions such as eval at all. It is considered to be a bad practice and can more often than not be completely avoided. You should also never let a user edit the content of files that might be parsed by the respective languages. That includes not letting a user decide the name and extensions of files he or she might upload or create in the web application.

What You Should NOT Do to Prevent Remote Code Evaluation

  • Sanitize user input; this is, most of the time, not possible due to the large number of possible bypasses of restrictions.
  • Let a user decide the extension or content of files on the web server and use safe practices for secure file uploads.
  • Pass any user-controlled input inside evaluation functions or callbacks.
  • Try to blacklist special chars or function names. Just like sanitizing, this is almost impossible to safely implement.

Vulnerability Classification and Severity Table

Classification ID / Severity
PCI v3.1 6.5.1
PCI v3.2 6.5.1
CWE 95
OWASP 2013 A1
HIPAA 164.306(a), 164.308(a)
Netsparker High

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

remote code execution ,remote code evaluation ,web application vulnerability ,security ,web application security

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}