CWE

Dynamic Variable Evaluation

ID: 627		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: INCOMPLETE
Abstraction Type: Base

Description

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

Extended Description

The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.

Applicable Platforms
Language: PHP
Language: Perl

Time Of Introduction

• Implementation

Common Consequences

Scope	Technical Impact	Notes
Confidentiality Integrity Availability	Modify application data Execute unauthorized code or commands	An attacker could gain unauthorized access to variables and execute arbitrary code.

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Implementation		Avoid dynamic evaluation whenever possible.
Implementation	Input Validation	Use only whitelists of acceptable variable or function names.
Implementation		For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.

Relationships

Related CWE	Type	View	Chain
CWE-627 ChildOf CWE-896	Category	CWE-888

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings
None

References:

1. Steve Christey .Dynamic Evaluation Vulnerabilities in PHP applications. Full-Disclosure. 2006-05-03.
2. Shaun Clowes .A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications.