Variable Extraction Error
|ID: 621||Date: (C)2012-05-14 (M)2012-11-08|
|Type: weakness||Status: INCOMPLETE|
|Abstraction Type: Base|
The product uses external input to determine the names of
variables into which information is extracted, without verifying that the names
of the specified variables are valid. This could cause the program to overwrite
Extended Description
For example, in PHP, calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality might be possible in other interpreted languages, including custom languages.
Applicable Platforms
Language: PHP
Time Of Introduction
|Integrity ||Modify application data ||An attacker could modify sensitive data or program variables. |
|Implementation ||Input Validation ||Use whitelists of variable names that can be extracted. || || |
|Implementation || ||Consider refactoring your code to avoid extraction routines altogether. || || |
|Implementation || ||In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions. || || |
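The mitigations listed above, shown side by side with the weak form, as an added example that is not part of the original CWE entry. It assumes PHP 7 or later; the handler names, the field names and the `$request` array (constructed sample data standing in for `$_POST`) are hypothetical.

```php
<?php
// Added illustration (PHP 7+). $request is constructed sample data standing in
// for $_POST; the handler and field names are hypothetical.
$request = ['username' => 'alice', 'is_admin' => '1'];

// Weak form: every request key becomes a local variable (default flag is
// EXTR_OVERWRITE), so the request's is_admin replaces the program's value.
function unsafe_handler(array $request): array
{
    $is_admin = false;
    extract($request);
    return ['username' => $username ?? null, 'is_admin' => $is_admin];
}

// Allowlist plus EXTR_SKIP: only expected names are extracted, and a name
// that already exists in scope is never overwritten.
function allowlisted_handler(array $request): array
{
    $allowed = ['username', 'email'];
    $is_admin = false;
    extract(array_intersect_key($request, array_flip($allowed)), EXTR_SKIP);
    return ['username' => $username ?? null, 'is_admin' => $is_admin];
}

// EXTR_PREFIX_ALL: request values land in $in_<name>, a namespace the
// program's own variables do not use.
function prefixed_handler(array $request): array
{
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'in');
    return ['username' => $in_username ?? null, 'is_admin' => $is_admin];
}

// Refactored form: no extraction routine, each field is read by name.
function explicit_handler(array $request): array
{
    $username = isset($request['username']) ? (string) $request['username'] : null;
    return ['username' => $username, 'is_admin' => false];
}

foreach (['unsafe', 'allowlisted', 'prefixed', 'explicit'] as $name) {
    $handler = $name . '_handler';
    echo $name, ': ', json_encode($handler($request)), PHP_EOL;
}
```

Only the first handler lets the request change `is_admin`; in code review, any `extract()` call whose first argument is request data and whose flags are omitted is the pattern to look for.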
|CWE-621 ChildOf CWE-896 ||Category ||CWE-888 || |
Demonstrative Examples (Details)
- This code uses the credentials sent in a POST request to login a
- CVE-2006-7135 : extract issue enables file inclusion
- CVE-2006-7079 : extract used for register_globals compatibility layer, enables path traversal
- CVE-2007-0649 : extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
- CVE-2006-6661 : extract() enables static code injection
- CVE-2006-2828 : import_request_variables() buried in include files makes post-disclosure analysis confusing
White Box Definitions None
Black Box Definitions None