CWE-914: Improper Control of Dynamically-Identified Variables
Description
The product does not properly restrict reading from or writing to dynamically-identified variables.
Submission Date :
Jan. 26, 2013, midnight
Modification Date :
2023-10-26 00:00:00+00:00
Organization :
MITRE
Extended Description
Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.
Example - 1
This code uses the credentials sent in a POST request to login a user. The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges.// //Log user in, and set $isAdmin to true if user is an administrator//
$isAdmin = true;$query = buildQuery($user,$pass);mysql_query($query);if(getUserRole($user) == "Admin"){}
function login($user,$pass){}$isAdmin = false;extract($_POST);login(mysql_real_escape_string($user),mysql_real_escape_string($pass));
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.