Variable Extraction Error
ID: 621 | Date: (C)2012-05-14 (M)2022-10-10
Type: weakness | Status: INCOMPLETE
Abstraction Type: Base
Description
The product uses external input to determine the names of
variables into which information is extracted, without verifying that the names
of the specified variables are valid. This could cause the program to overwrite
unintended variables.
Extended Description
For example, in PHP, calling extract() or import_request_variables()
without the proper arguments could allow arbitrary global variables to be
overwritten, including superglobals. Similar functionality might be possible
in other interpreted languages, including custom languages.
Applicable Platforms
Language: PHP
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Integrity | Modify application data | An attacker could modify sensitive data or program variables. |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | Input Validation | Use an allowlist (whitelist) of variable names that may be extracted; drop every other key before the extraction call. | | |
Implementation | | Consider refactoring your code to avoid extraction routines altogether and read the expected keys from the input array explicitly. | | |
Implementation | | In PHP, call extract() with a flag such as EXTR_SKIP (never overwrite an existing variable) or EXTR_PREFIX_ALL (prefix every extracted name); the default flag, EXTR_OVERWRITE, replaces existing variables. Call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions: import_request_variables() was removed in PHP 5.4.0. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-621 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This code uses the credentials sent in a POST request to log in a user.
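The following PHP script is an added illustration of the weakness and of the mitigations listed above; it is not the CWE entry's own demonstrative code. The request arrays, the single-user table and the check_credentials() helper are constructed for this example, and a real application would pass $_POST where the script passes $attack.

```php
<?php
// Added example for CWE-621 (not CWE's own demonstrative code).
// Everything below ($USERS, check_credentials, the request arrays) is
// constructed so the script runs offline.
declare(strict_types=1);

// Toy credential store: one demo user, hash computed when the file loads.
$USERS = ['alice' => password_hash('correct-horse', PASSWORD_DEFAULT)];

function check_credentials(string $user, string $pass): bool
{
    global $USERS;
    return isset($USERS[$user]) && password_verify($pass, $USERS[$user]);
}

// Vulnerable: extract() with the default EXTR_OVERWRITE flag turns every
// request key into a local variable. A request key named 'authenticated'
// replaces the flag that was initialised to false one line earlier.
function vulnerable_login(array $post): bool
{
    $authenticated = false;
    extract($post);                                  // attacker chooses the names
    if (check_credentials((string) ($username ?? ''), (string) ($password ?? ''))) {
        $authenticated = true;
    }
    return (bool) $authenticated;
}

// Hardened 1: allow-list the keys, then extract with EXTR_SKIP so that even a
// permitted key can never clobber a variable that already exists.
function hardened_login_skip(array $post): bool
{
    $authenticated = false;
    $allowed = array_intersect_key($post, array_flip(['username', 'password']));
    extract($allowed, EXTR_SKIP);                    // existing $authenticated untouched
    if (check_credentials((string) ($username ?? ''), (string) ($password ?? ''))) {
        $authenticated = true;
    }
    return $authenticated;
}

// Hardened 2: EXTR_PREFIX_ALL prefixes every extracted name ($req_username,
// $req_authenticated, ...), so request keys cannot collide with locals.
function hardened_login_prefix(array $post): bool
{
    $authenticated = false;
    extract($post, EXTR_PREFIX_ALL, 'req');
    if (check_credentials((string) ($req_username ?? ''), (string) ($req_password ?? ''))) {
        $authenticated = true;
    }
    return $authenticated;
}

// Hardened 3 (preferred): no extraction routine at all; read the two keys
// the code actually expects and ignore everything else.
function hardened_login_explicit(array $post): bool
{
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['password'] ?? '');
    return check_credentials($username, $password);
}

// Constructed attack payload: a wrong password plus a forged 'authenticated' key.
$attack = ['username' => 'alice', 'password' => 'wrong', 'authenticated' => '1'];

var_dump(vulnerable_login($attack));
var_dump(hardened_login_skip($attack));
var_dump(hardened_login_prefix($attack));
var_dump(hardened_login_explicit($attack));
```

Run with `php cwe621_example.php`. vulnerable_login() accepts the attack payload because extract() overwrote $authenticated with the string '1' before the credential check ran, and the final cast turns that string into true; the three hardened variants reject it because the forged key is either filtered out, skipped, or renamed to $req_authenticated, which nothing reads. The explicit variant is the one to prefer in new code: it has no extraction call to misconfigure and makes the set of accepted inputs visible at the call site.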
Observed Examples
- CVE-2006-7135 : extract issue enables file inclusion
- CVE-2006-7079 : extract used for register_globals compatibility layer, enables path traversal
- CVE-2007-0649 : extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
- CVE-2006-6661 : extract() enables static code injection
- CVE-2006-2828 : import_request_variables() buried in include files makes post-disclosure analysis confusing
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
None
References
None