Détail du CWE-621

CWE-621

Variable Extraction Error
Incomplete
2007-05-07
00h00 +00:00
2023-10-26
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Variable Extraction Error

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Description du CWE

For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals.

Similar functionality is possible in other interpreted languages, including custom languages.

Informations générales

Modes d'introduction

Implementation

Plateformes applicables

Langue

Name: PHP (Undetermined)

Conséquences courantes

Portée Impact Probabilité
IntegrityModify Application Data

Note: An attacker could modify sensitive data or program variables.

Exemples observés

Références Description

CVE-2006-7135

extract issue enables file inclusion

CVE-2006-7079

Chain: PHP app uses extract for register_globals compatibility layer (CWE-621), enabling path traversal (CWE-22)

CVE-2007-0649

extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.

CVE-2006-6661

extract() enables static code injection

CVE-2006-2828

import_request_variables() buried in include files makes post-disclosure analysis confusing

Mesures d’atténuation potentielles

Phases : Implementation
Use allowlists of variable names that can be extracted.
Phases : Implementation
Consider refactoring your code to avoid extraction routines altogether.
Phases : Implementation
In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

Probably under-reported for PHP. Seems under-studied for other interpreted languages.

Soumission

Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2007-05-07 +00:00 2007-05-07 +00:00 Draft 6

Modifications

Nom Organisation Date Commentaire
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Demonstrative_Examples, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2014-06-23 +00:00 updated Description, Other_Notes
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2022-04-28 +00:00 updated Research_Gaps
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships, Type
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples