[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248268

 
 

909

 
 

195051

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Variable Extraction Error

ID: 621Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Extended Description

For example, in PHP, calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality might be possible in other interpreted languages, including custom languages.

Applicable Platforms
Language: PHP

Time Of Introduction

  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Integrity
 		Modify application data
 		An attacker could modify sensitive data or program variables.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 		Input Validation
 		Use whitelists of variable names that can be extracted.
 		  
Implementation
 		 Consider refactoring your code to avoid extraction routines altogether.
 		  
Implementation
 		 In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
 		  

Relationships

Related CWETypeViewChain
CWE-621 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. This code uses the credentials sent in a POST request to login a user.

Observed Examples

  1. CVE-2006-7135 : extract issue enables file inclusion
  2. CVE-2006-7079 : extract used for register_globals compatibility layer, enables path traversal
  3. CVE-2007-0649 : extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
  4. CVE-2006-6661 : extract() enables static code injection
  5. CVE-2006-2828 : import_request_variables() buried in include files makes post-disclosure analysis confusing

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings
None

References:
None

© SecPod Technologies