CWE-621 Detail

CWE-621

Variable Extraction Error
Incomplete
2007-05-07
00h00 +00:00
2023-10-26
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Variable Extraction Error

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

CWE Description

For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals.

Similar functionality is possible in other interpreted languages, including custom languages.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Name: PHP (Undetermined)

Common Consequences

Scope Impact Likelihood
IntegrityModify Application Data

Note: An attacker could modify sensitive data or program variables.

Observed Examples

References Description

CVE-2006-7135

extract issue enables file inclusion

CVE-2006-7079

Chain: PHP app uses extract for register_globals compatibility layer (CWE-621), enabling path traversal (CWE-22)

CVE-2007-0649

extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.

CVE-2006-6661

extract() enables static code injection

CVE-2006-2828

import_request_variables() buried in include files makes post-disclosure analysis confusing

Potential Mitigations

Phases : Implementation
Use allowlists of variable names that can be extracted.
Phases : Implementation
Consider refactoring your code to avoid extraction routines altogether.
Phases : Implementation
In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

Probably under-reported for PHP. Seems under-studied for other interpreted languages.

Submission

Name Organization Date Date release Version
CWE Content Team MITRE 2007-05-07 +00:00 2007-05-07 +00:00 Draft 6

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Demonstrative_Examples, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2014-06-23 +00:00 updated Description, Other_Notes
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2022-04-28 +00:00 updated Research_Gaps
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships, Type
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples