What can a command injection attack do
Simply anything that can be achieved programmatically.
Finding command injection vulnerabilities in Kentico CMS
There is no direct procedure for finding code injection, but here are some tips for discovering potentially vulnerable places in Kentico CMS:
- Search for ProcessStartInfo in source code and check its input parameters.
- Analyze the virtual path provider module and check whether it can be made to serve a file that is not a regular Kentico CMS virtual file.
- Try to edit a transformation without administrator privileges.
- Search for usages of the LoadControl() method and check the input of the method.
Avoiding command injection
You will probably never have to deal with this issue because code injection only poses a threat in the special cases described at the beginning of this chapter. Nevertheless, the general recommendations are:
- Never load controls dynamically when their path is taken from an external source.
- Never use ProcessStartInfo or other classes that execute commands or run .NET code.
- If you want to customize the virtual path provider or transformation management, be very careful.
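An added C# example of the first recommendation above; it is not code from the Kentico documentation or code base. A hypothetical page class loads a user control twice: once with the virtual path taken straight from the query string, and once with the request supplying only a short key that is looked up in a fixed allowlist. `PlaceHolder1` and the `.ascx` paths are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical page class (assumption), not part of Kentico CMS.
public partial class WidgetHost : Page
{
    protected PlaceHolder PlaceHolder1;   // assumed control declared in the .aspx markup

    // Vulnerable: the virtual path comes directly from the request, so whoever
    // crafts the URL decides which control the server compiles and executes.
    private void LoadWidgetUnsafe()
    {
        string path = Request.QueryString["widget"];
        Control ctl = Page.LoadControl(path);   // path is externally controlled
        PlaceHolder1.Controls.Add(ctl);
    }

    // Hardened: the request only supplies a key; the path is never built from input.
    private static readonly IReadOnlyDictionary<string, string> AllowedWidgets =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            // Constructed sample paths; replace with the application's own controls.
            { "news",    "~/Controls/NewsWidget.ascx" },
            { "contact", "~/Controls/ContactWidget.ascx" },
        };

    private void LoadWidgetSafe()
    {
        string key = Request.QueryString["widget"] ?? string.Empty;
        if (!AllowedWidgets.TryGetValue(key, out string path))
        {
            // Unknown key: render nothing. Logging the rejected key here is a
            // useful detection signal for probing of this parameter.
            return;
        }
        PlaceHolder1.Controls.Add(Page.LoadControl(path));
    }
}
```

The same pattern applies to any control, template or transformation whose location is chosen at runtime: map an opaque identifier to a server-side path, and treat a miss as a rejected request rather than a fallback.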