CWE-627 details

CWE-627
Dynamic Variable Evaluation
Status: Incomplete
Created: 2007-05-07 00:00 +00:00
Last modified: 2023-06-29 00:00 +00:00

Name: Dynamic Variable Evaluation

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

CWE description

The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.

General information

Background details

Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).

Modes of introduction

Implementation

Applicable platforms

Language

Name: PHP (Undetermined)
Name: Perl (Undetermined)

Common consequences

Scope: Confidentiality, Integrity, Availability
Impact: Modify Application Data, Execute Unauthorized Code or Commands
Likelihood:

Note: An attacker could gain unauthorized access to internal program variables and execute arbitrary code.

Observed examples

Reference: Description

CVE-2009-0422: Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.

CVE-2007-2431: Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.

CVE-2006-4904: Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.

CVE-2006-4019: Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.

Potential mitigations

Phase: Implementation
Refactor the code to avoid dynamic variable evaluation whenever possible.
Phase: Implementation
Use only allowlists of acceptable variable or function names.
Phase: Implementation
For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.
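As an added example (not code from the CWE entry), the register_globals-style import from the background details, built on PHP variable variables, beside an allowlisted replacement, and a dispatcher that applies the allowlist and argument-count mitigations listed above; the request array, the function names and the handler map are constructed for the illustration.

```php
<?php
// Added example, not code from the CWE entry: a register_globals-style
// import built on PHP "variable variables", an allowlisted version of the
// same import, and a dispatcher that applies the name and arity mitigations.

// Vulnerable: every request key becomes a local variable, so a request
// carrying is_admin=1 overwrites a value the code meant to keep internal.
function import_all(array $params): array {
    $is_admin = false;                    // intended to stay internal
    foreach ($params as $name => $value) {
        $$name = $value;                  // CWE-627: the caller picks the name
    }
    return ['page' => $page ?? null, 'is_admin' => (bool) $is_admin];
}

// Hardened: copy only allowlisted names, and never into the symbol table.
function import_allowlisted(array $params): array {
    $is_admin = false;
    $allowed  = ['page'];                 // the only request keys accepted
    $in = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $params)) {
            $in[$name] = $params[$name];
        }
    }
    return ['page' => $in['page'] ?? null, 'is_admin' => $is_admin];
}

function list_items(string $category): string { return "list:$category"; }

// Hardened dispatch: map the request action to a function through an
// allowlist and refuse calls that would leave required parameters unfilled.
function dispatch(string $action, array $args): string {
    $handlers = ['list' => 'list_items'];        // action => function name
    if (!isset($handlers[$action])) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    $fn = new ReflectionFunction($handlers[$action]);
    if (count($args) < $fn->getNumberOfRequiredParameters()) {
        throw new InvalidArgumentException("too few arguments for $action");
    }
    return $fn->invokeArgs($args);
}

// Constructed request standing in for $_GET.
$request = ['page' => 'help', 'is_admin' => '1'];
var_dump(import_all($request)['is_admin']);         // client-controlled
var_dump(import_allowlisted($request)['is_admin']); // stays at its default
echo dispatch('list', ['books']), "\n";
```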

Vulnerability mapping notes

Rationale: This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.

References

REF-517: Steve Christey. "Dynamic Evaluation Vulnerabilities in PHP applications". https://seclists.org/fulldisclosure/2006/May/35

REF-518: Shaun Clowes. "A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications". https://securereality.com.au/study-in-scarlett/

Submission

Name Organization Date Release date Version
CWE Content Team MITRE 2007-05-07 +00:00 2007-05-07 +00:00 Draft 6

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2008-10-14 +00:00 updated Background_Details, Description
CWE Content Team MITRE 2011-03-29 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated References
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships, Type
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes