
Variable Extraction Error

ID: 621
Date: (C)2012-05-14   (M)2012-11-08
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base





Description

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Extended Description

For example, in PHP, calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality might be possible in other interpreted languages, including custom languages.

Applicable Platforms
Language: PHP

Time Of Introduction

  • Implementation

Common Consequences

Scope: Integrity
Technical Impact: Modify application data
Notes: An attacker could modify sensitive data or program variables.

Detection Methods
None

Potential Mitigations

  • Phase: Implementation. Strategy: Input Validation. Use whitelists of variable names that can be extracted.
  • Phase: Implementation. Consider refactoring your code to avoid extraction routines altogether.
  • Phase: Implementation. In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
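
The mitigations above, set beside the unsafe default call, as an added example that is not part of the CWE entry: `$request` is constructed sample input standing in for `$_POST`, and the function names and the `$isAdmin` flag are hypothetical.

```php
<?php
// Added example, not from the CWE entry. $request is constructed sample
// input standing in for $_POST; function names and $isAdmin are hypothetical.
$request = ['username' => 'alice', 'password' => 'guess', 'isAdmin' => '1'];

// Weakness: the default EXTR_OVERWRITE lets a request key replace local state.
function loginVulnerable(array $input): bool {
    $isAdmin = false;
    extract($input);                       // key 'isAdmin' overwrites $isAdmin
    return (bool) $isAdmin;
}

// Whitelist: only approved names ever reach extract().
function loginWhitelist(array $input): bool {
    $isAdmin = false;
    $allowed = ['username' => true, 'password' => true];
    extract(array_intersect_key($input, $allowed));
    return (bool) $isAdmin;
}

// EXTR_SKIP: existing variables are never overwritten, so every
// security-relevant variable must be initialised before the call.
function loginSkip(array $input): bool {
    $isAdmin = false;
    extract($input, EXTR_SKIP);
    return (bool) $isAdmin;
}

// EXTR_PREFIX_ALL: creates $in_username, $in_password and $in_isAdmin,
// none of which can collide with $isAdmin.
function loginPrefix(array $input): bool {
    $isAdmin = false;
    extract($input, EXTR_PREFIX_ALL, 'in');
    return (bool) $isAdmin;
}

// Refactor: no extraction routine at all; read the named keys explicitly.
function loginExplicit(array $input): bool {
    $isAdmin  = false;
    $username = (string) ($input['username'] ?? '');
    $password = (string) ($input['password'] ?? '');
    return (bool) $isAdmin;                // request data cannot reach the flag
}

$variants = ['loginVulnerable', 'loginWhitelist', 'loginSkip',
             'loginPrefix', 'loginExplicit'];
foreach ($variants as $fn) {
    printf("%-16s isAdmin=%s\n", $fn, var_export($fn($request), true));
}
```

With the sample input, only `loginVulnerable` returns true; the other four leave the flag at its initial value.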
 
  

Relationships

Related CWE: CWE-621 ChildOf CWE-896
Type: Category
View: CWE-888

Demonstrative Examples

  1. This code uses the credentials sent in a POST request to log in a user.

Observed Examples

  1. CVE-2006-7135 : extract issue enables file inclusion
  2. CVE-2006-7079 : extract used for register_globals compatibility layer, enables path traversal
  3. CVE-2007-0649 : extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
  4. CVE-2006-6661 : extract() enables static code injection
  5. CVE-2006-2828 : import_request_variables() buried in include files makes post-disclosure analysis confusing


White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

References:
None

© 2013 SecPod Technologies