logo

Variable Extraction Error

Incomplete Variant
Structure: Simple
Description

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Extended Description

For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality is possible in other interpreted languages, including custom languages.

Common Consequences 1
Scope: Integrity

Impact: Modify Application Data

An attacker could modify sensitive data or program variables.
Potential Mitigations 3
Phase: Implementation

Strategy: Input Validation

Use allowlists of variable names that can be extracted.
Phase: Implementation
Consider refactoring your code to avoid extraction routines altogether.
Phase: Implementation
In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
Demonstrative Examples 1

ID : DX-107

This code uses the credentials sent in a POST request to login a user.

Code Example:

Bad
PHP


//Log user in, and set $isAdmin to true if user is an administrator*


php


The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges.
  
Observed Examples 5
CVE-2006-7135extract issue enables file inclusion
CVE-2006-7079Chain: PHP app uses extract for register_globals compatibility layer (Variable Extraction Error), enabling path traversal (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
CVE-2007-0649extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
CVE-2006-6661extract() enables static code injection
CVE-2006-2828import_request_variables() buried in include files makes post-disclosure analysis confusing
   
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 PHP : Undetermined 
  
  
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Implementation  
 
 
 
    
Alternate Terms 
Variable overwrite
      
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Improper Control of Dynamically-Identified Variables (CWE-914) 
  CanPrecede:
 Modification of Assumed-Immutable Data (MAID) (CWE-471) 
 
 
 
 
Taxonomy Mapping 
  • Software Fault Patterns
  
Notes 
Research GapProbably under-reported for PHP. Seems under-studied for other interpreted languages.