External Initialization of Trusted Variables or Data Stores

Status: Draft
Abstraction: Base
Structure: Simple
Description

The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

Extended Description

A product system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.

Common Consequences
Scope: Integrity

Impact: Modify Application Data

An attacker could gain access to and modify sensitive data or system information.

Potential Mitigations

Phase: Implementation

Strategy: Input Validation

A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.

Phase: Architecture and Design

Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible.

Demonstrative Examples
In the Java example below, a system property controls the debug level of the application.

Code Example (Bad, Java):
If an attacker is able to modify the system property, then it may be possible to coax the application into divulging sensitive information by virtue of the fact that additional debug information is printed/exposed as the debug level increases.
This code checks the HTTP POST request for a debug switch, and enables a debug mode if the switch is set.

Code Example (Bad, PHP):

Any user can activate the debug mode, gaining administrator privileges. An attacker may also use the information printed by the phpinfo() function to further exploit the system.
This example also exhibits Information Exposure Through Debug Information (Insertion of Sensitive Information Into Debugging Code).
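The debug-switch pattern above, modelled in Python beside a version that initializes internal state only from trusted configuration and keeps request input in an allowlisted namespace (added example, not CWE's own code; all names, keys and values are constructed):

```python
# Constructed trusted server-side configuration (stands in for config outside
# the request trust boundary).
SERVER_CONFIG = {"debug": False, "admin_password": "sample-not-real"}


def handle_bad(post: dict) -> dict:
    """Vulnerable: a trusted internal flag is initialized from POST data."""
    debug_enabled = False
    if post.get("debug") == "true":      # attacker-controlled initialization
        debug_enabled = True
    response = {"body": "ok"}
    if debug_enabled:
        # Like phpinfo() on the page: internal details reach any requester.
        response["debug"] = {"admin_password": SERVER_CONFIG["admin_password"]}
    return response


# Allowlist of settings a request may set; each validator returns the
# canonical value or raises ValueError.
def _page_size(raw: str) -> int:
    n = int(raw)
    if not 1 <= n <= 100:
        raise ValueError("page_size out of range")
    return n


def _lang(raw: str) -> str:
    if raw not in ("en", "de"):
        raise ValueError("unsupported lang")
    return raw


REQUEST_SETTABLE = {"page_size": _page_size, "lang": _lang}


def handle_fixed(post: dict, config: dict = SERVER_CONFIG) -> dict:
    """Fixed: internal state comes from trusted config only; request values
    live under a separate 'req' namespace and only allowlisted keys survive."""
    state = {"debug": bool(config.get("debug", False))}  # never from the request
    req = {}
    for key, raw in post.items():
        validator = REQUEST_SETTABLE.get(key)
        if validator is None:
            continue            # 'debug' and any unknown key is dropped
        try:
            req[key] = validator(raw)
        except ValueError:
            continue            # malformed values are dropped, not trusted
    response = {"body": "ok", "req": req}
    if state["debug"]:
        response["debug"] = {"admin_password": config["admin_password"]}
    return response
```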
Observed Examples

  • CVE-2022-43468: WordPress module sets internal variables based on external inputs, allowing false reporting of the number of views.
  • CVE-2000-0959: Does not clear dangerous environment variables, enabling symlink attack.
  • CVE-2001-0033: Specify alternate configuration directory in environment variable, enabling untrusted path.
  • CVE-2001-0872: Dangerous environment variable not cleansed.
  • CVE-2001-0084: Specify arbitrary modules using environment variable.
Applicable Platforms

Languages:
  • PHP (Sometimes)
  • Not Language-Specific (Undetermined)
Modes of Introduction
  • Architecture and Design
  • Implementation
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes

Relationship: Overlaps Missing variable initialization, especially in PHP.

Applicable Platform: This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.