Dynamic Variable Evaluation

ID: 627
Date created: 2012-05-14; last modified: 2012-11-08
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base
Description

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

Extended Description

The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.

Applicable Platforms
Language: PHP
Language: Perl

Time Of Introduction

  • Implementation

Common Consequences

Scope: Confidentiality, Integrity, Availability
Technical Impact: Modify application data; Execute unauthorized code or commands
Notes: An attacker could gain unauthorized access to variables and execute arbitrary code.

Detection Methods
None

Potential Mitigations

Phase: Implementation
Description: Avoid dynamic evaluation whenever possible.

Phase: Implementation
Strategy: Input Validation
Description: Use only whitelists of acceptable variable or function names.

Phase: Implementation
Description: For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.
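As an added example (not part of this CWE entry or of SecPod's page), the PHP script below shows the weak pattern the description refers to, a variable variable (`$$name`) whose name is taken from the request, beside the forms the three mitigations call for: no dynamic evaluation where a plain array lookup will do, an allowlist of accepted names, and an arity check before a dynamic function call. The request arrays, field names and formatter functions are constructed for illustration.

```php
<?php
// Added example (not from the CWE entry): dynamic variable and function-name
// sinks in PHP, beside allowlist-based hardening. All inputs are constructed
// inline so the script runs offline.
declare(strict_types=1);

// --- Weak pattern: the variable name itself comes from input -----------------
function render_field_weak(array $request): string
{
    $title = 'Welcome';
    $is_admin = false;
    // $$name lets the caller choose ANY variable in this scope, e.g. "is_admin".
    $name = (string) ($request['field'] ?? 'title');
    $$name = $request['value'] ?? '';           // arbitrary write to a local
    return $is_admin ? 'ADMIN VIEW' : (string) $title;
}

// --- Mitigations 1 and 2: no variable variables, allowlisted field names ------
const ALLOWED_FIELDS = ['title' => true, 'subtitle' => true];

function render_field_safe(array $request): string
{
    $fields = ['title' => 'Welcome', 'subtitle' => ''];
    $name = (string) ($request['field'] ?? 'title');
    if (!isset(ALLOWED_FIELDS[$name])) {
        throw new InvalidArgumentException("unknown field: $name");
    }
    // Only keys of a dedicated array can change; other locals are unreachable.
    $fields[$name] = (string) ($request['value'] ?? '');
    return $fields['title'];
}

// --- Mitigations 2 and 3: allowlisted function names plus an arity check -----
function fmt_upper(string $s): string { return strtoupper($s); }
function fmt_trim(string $s): string  { return trim($s); }

// Maps a user-facing key to an internal function name; input never names a
// function directly.
const ALLOWED_FORMATTERS = ['upper' => 'fmt_upper', 'trim' => 'fmt_trim'];

function apply_formatter(string $key, string $value): string
{
    if (!isset(ALLOWED_FORMATTERS[$key])) {
        throw new InvalidArgumentException("unknown formatter: $key");
    }
    $fn = ALLOWED_FORMATTERS[$key];
    // Confirm the callee takes exactly the one argument we pass, so a wrong
    // allowlist entry cannot be invoked with missing (null) parameters.
    $ref = new ReflectionFunction($fn);
    if ($ref->getNumberOfRequiredParameters() !== 1) {
        throw new LogicException("$fn does not take exactly one required argument");
    }
    return $fn($value);
}

// Constructed sample request: the field name targets a privilege flag.
$sample = ['field' => 'is_admin', 'value' => '1'];
echo render_field_weak($sample), PHP_EOL;       // "ADMIN VIEW": flag overwritten
try {
    render_field_safe($sample);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // rejected: unknown field: is_admin
}
echo apply_formatter('upper', 'hello'), PHP_EOL;   // HELLO
try {
    apply_formatter('not_listed', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // rejected: unknown formatter: not_listed
}
```

Run with `php example.php`. The design point is that the allowlist is a map from an opaque key to an internal name, so request data is only ever used as an array index and never reaches `$$`, `call_user_func`, or `eval`; the reflection check is cheap insurance against a later edit that points a key at a function with a different signature.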

Relationships

Related CWE: CWE-896 (Category)
Type: ChildOf (CWE-627 is a child of CWE-896)
View: CWE-888
Chain: none

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

References:

  1. Steve Christey. "Dynamic Evaluation Vulnerabilities in PHP applications". Full-Disclosure. 2006-05-03.
  2. Shaun Clowes. "A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications".

© 2013 SecPod Technologies