A command injection is an exploit of a system weakness to gain access to the system for the purpose of executing malicious code, harvesting user data, and engaging in other activities. While there is a potential for a command injection to be benign in nature, usually it is not, and it can present a significant security threat. There are a number of workarounds designed to prevent this activity in computer systems.
One of the most common points of vulnerability for a command injection is a form, either on a web page or in a computer system. Forms allow people to input data and are then processed by the system. If there are no constraints on the type of data entered into the form, it is possible for people to input computer code that the system will read and execute. Forms on webpages may also convert the input to display to other users, exposing other people to code as well; for example, someone could leave a malicious script in the comments on a website.
When the code executes, it may do things like providing people with access to the backend of a computer system, including administrative access, and could also plant viruses and malware on a computer system. Command injections may be designed to spread themselves, as infected computers interact with uninfected computers over a network. They can spread very rapidly and may cause substantial damage along the way.
One way to avoid a command injection is to design forms and other inputs in a way designed to restrict what people can enter. On Internet comments, for example, there would likely be no legitimate reason for users to enter scripts, and the comment form could simply reject script, while still allowing HTML for markup and styling. Likewise, in a computer program, the input forms could refuse inputs of certain characters, preventing people from executing code in the form.
The potential risk presented by the command injection was first noted in the 1990s. Numerous designers have tackled the problem and come up with various ways to prevent or stop command injection attacks. Hackers have also attempted to develop their own workarounds, developing new and creative ways to execute code through weak points in a computer system. Some people develop new techniques out of purely academic interest and occasionally wreak havoc by accident when their research escapes into the wild, so to speak.