CWE-914: Improper Control of Dynamically-Identified Variables

Description

The product does not properly restrict reading from or writing to dynamically-identified variables.

Submission Date :

Jan. 26, 2013, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.

Example Vulnerable Codes

Example - 1

This code uses the credentials sent in a POST request to login a user.

// //Log user in, and set $isAdmin to true if user is an administrator// 

$isAdmin = true;$query = buildQuery($user,$pass);mysql_query($query);if(getUserRole($user) == "Admin"){}
function login($user,$pass){}$isAdmin = false;extract($_POST);login(mysql_real_escape_string($user),mysql_real_escape_string($pass));

The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
Go to
CWE-621: Variable Extraction Error
Go to
CWE-627: Dynamic Variable Evaluation
Go to
CWE-913: Improper Control of Dynamically-Managed Code Resources
Go to

Visit http://cwe.mitre.org/ for more details.