Incomplete Identification of Uploaded File Variables (PHP)
ID: 616 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The PHP application uses an old method for processing uploaded
files by referencing the four global variables that are set for each file (e.g.
$varname, $varname_size, $varname_name, $varname_type). These variables could be
overwritten by attackers, causing the application to process unauthorized
files.
Extended Description
These global variables could be overwritten by POST requests, cookies, or
other methods of populating or overwriting these variables. This could be
used to read or process arbitrary files by providing values such as
"/etc/passwd".
Applicable Platforms
Language: PHP
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|
Confidentiality, Integrity | Read files or directories; Modify files or directories | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and Design | | Use PHP 4 or later. | | |
Architecture and Design | | If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile']. | | |
Implementation | | For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file. | | |
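The Implementation mitigation above, sketched as an added example that is not part of the CWE entry: the legacy "four globals" pattern is shown only as a comment, next to a handler that reads the upload from $_FILES and verifies it with is_uploaded_file() and move_uploaded_file(). The field name 'userfile' follows the entry; UPLOAD_DIR and store_upload() are hypothetical names, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example; UPLOAD_DIR and store_upload() are hypothetical names.
const UPLOAD_DIR = '/var/www/uploads';   // assumed destination directory

// Legacy pattern from the Description (needs register_globals, removed in PHP 5.4):
//   copy($userfile, UPLOAD_DIR . '/' . $userfile_name);
// $userfile and $userfile_name are ordinary globals, so nothing proves they
// were set by a multipart upload rather than by a POST field or a cookie.

function store_upload(string $field): string
{
    // Trust only the entry PHP built itself while parsing the multipart body.
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('no upload in this request');
    }
    $f = $_FILES[$field];

    // Reject array-style uploads (name="userfile[]") and failed transfers.
    if (!is_int($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }

    // tmp_name must be a file PHP received via HTTP POST in this request.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // The client-supplied name is untrusted, so the stored name is
    // generated server-side and carries a fixed, inert extension.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.upload';

    // move_uploaded_file() repeats the uploaded-file check before moving.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        echo 'stored as ' . htmlspecialchars(basename(store_upload('userfile')));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```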
Relationships
Related CWE | Type | View | Chain |
---|
CWE-616 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- "The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES
instead if using an earlier version). These arrays will contain all the
uploaded file information."
- As of 2006, the "four globals" method is probably in sharp decline,
but older PHP applications could have this issue.
Observed Examples
- CVE-2002-1460 : Forum does not properly verify whether a file was uploaded or if the associated variables were set by POST, allowing remote attackers to read arbitrary files.
- CVE-2002-1759 : Product doesn't check if the variables for an upload were set by uploading the file, or other methods such as $_POST.
- CVE-2002-1710 : Product does not distinguish uploaded file from other files.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
PLOVER | | Incomplete Identification of Uploaded File Variables (PHP) | |
References:
- Shaun Clowes. A Study in Scarlet - section 5, "File Upload".