Invicti identified a Blind Command Injection, which occurs when input data is interpreted as an operating system command.
It is a highly critical issue and should be addressed as soon as possible.
In this case, the command injection was not obvious, but differences in the page's response times across the injection tests allowed Invicti to identify and confirm it.
- See the remedy section for the solution.
- If possible, do not invoke system commands from the application.
- Find all instances of similar code and make the code changes outlined in the remedy section.
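
The sketch below is an added example, not Invicti's code or the affected application's: it contrasts a shell-built command line with two fixes, doing the work natively so that no system command is invoked, and, where an external program is unavoidable, passing an argument list with no shell. The file-checksum feature, the `uploads` directory and all function names are hypothetical, and the sample inputs are constructed.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

UPLOAD_DIR = Path("uploads")  # hypothetical application directory
# Allow-list: letters, digits, "_", ".", "-"; no leading "." or "-", no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")

def checksum_vulnerable(filename: str) -> str:
    """VULNERABLE 'before' form, shown for contrast and never called here."""
    # The filename is pasted into a shell command line, so characters such as
    # ; | & $() and backticks in it are parsed by the shell as command syntax.
    out = subprocess.run("sha256sum uploads/" + filename, shell=True,
                         capture_output=True, text=True)
    return out.stdout.split()[0]

def resolve_upload(filename: str, base: Path = UPLOAD_DIR) -> Path:
    """Accept only allow-listed names, so metacharacters and '../' never pass."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return base / filename

def checksum_native(filename: str, base: Path = UPLOAD_DIR) -> str:
    """Preferred fix: no system command is invoked at all."""
    return hashlib.sha256(resolve_upload(filename, base).read_bytes()).hexdigest()

def checksum_argv(filename: str, base: Path = UPLOAD_DIR) -> str:
    """If an external program is unavoidable: argument list, no shell."""
    # Each list element reaches the program as one argument; "--" ends options.
    out = subprocess.run(["sha256sum", "--", str(resolve_upload(filename, base))],
                         capture_output=True, text=True, check=True)
    return out.stdout.split()[0]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "report.txt").write_bytes(b"constructed sample data\n")
        print(checksum_native("report.txt", base))
        for name in ("report.txt; sleep 5", "../etc/passwd"):  # constructed inputs
            try:
                checksum_native(name, base)
            except ValueError as err:
                print(err)
```

When auditing for similar code, `shell=True`, `os.system` and `os.popen` calls whose command string includes request data are the pattern to search for.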