From the mailing list, reported by Mitchell Fisher:
At Bruce's suggestion, here is another.
I couldn't get the Command Injection solution to work on Windows in WebGoat 6.0.1, Build: 247. The & separator between Windows command line commands is also the parameter separator in the POST data, and messed up the parameter parsing?
I was able to do the attack by using the || separator, which on Windows means that if the first command fails, execute the second command. So I misspelled the file name to type and followed it with my added command, and only one command:
HelpFile=AccessControlMatrixXX.help" || netstat -an&SUBMIT=View
Which returned the result of netstat to my screen but did not give me credit.
Perhaps the test in the exec() methods could be changed from:
if ((command.indexOf("&") != -1 || command.indexOf(";") != -1) && !er.getError())
to:
if ((command.indexOf("netstat") != -1) && !er.getError())
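An added example, not WebGoat's code and not part of the original report: it parses three request bodies the way a form decoder does and compares the separator test quoted above with an allow-list on the HelpFile value. The class name, parseForm, the SAFE_NAME pattern and the first and third request bodies are assumptions constructed for illustration; it needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class HelpFileCheck {
    // Assumption: a legitimate value is a bare file name ending in .help.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_]+\\.help");

    // The separator test quoted in the post, without the er.getError() part.
    static boolean separatorCheck(String command) {
        return command.indexOf("&") != -1 || command.indexOf(";") != -1;
    }

    // Allow-list alternative: accept only values that match SAFE_NAME entirely.
    static boolean allowListed(String helpFile) {
        return SAFE_NAME.matcher(helpFile).matches();
    }

    // Minimal form-body parser: split pairs on '&', then name/value on the first '='.
    static Map<String, String> parseForm(String body) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) {
        String[] bodies = {
            "HelpFile=AccessControlMatrix.help&SUBMIT=View",                     // constructed, benign
            "HelpFile=AccessControlMatrixXX.help\" || netstat -an&SUBMIT=View",  // line from the post
            "HelpFile=AccessControlMatrix.help\" & netstat -an&SUBMIT=View",     // constructed, raw '&'
        };
        for (String body : bodies) {
            String helpFile = parseForm(body).get("HelpFile");
            System.out.printf("[%s]%n  separatorCheck=%b allowListed=%b%n",
                    helpFile, separatorCheck(helpFile), allowListed(helpFile));
        }
    }
}
```

In the third body the raw & ends the HelpFile parameter at the form-parsing stage, so the value that reaches any later check is already truncated; the allow-list rejects both altered values without needing to enumerate separators.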