CWE-616: Incomplete Identification of Uploaded File Variables (PHP)
Description
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
Submission Date :
May 7, 2007, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Extended Description
These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd".
Example - 1
As of 2006, the "four globals" method is probably in sharp decline, but older PHP applications could have this issue.
In the "four globals" method, PHP sets the following 4 global variables (where "varname" is application-dependent):
$varname = name of the temporary file on local machine$varname_size = size of file$varname_name = original name of file provided by client$varname_type = MIME type of the fileExample - 2
"The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information."
$_FILES['userfile']['name'] - original filename from client$_FILES['userfile']['tmp_name'] - the temp filename of the file on the server** note: 'userfile' is the field name from the web form; this can vary.
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.