CWE-621

Variable Extraction Error

AI Translation Available

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Status

incomplete

Abstraction

variant

Affected Platforms

PHP

Extended Description

AI Translation

For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals.

Similar functionality is possible in other interpreted languages, including custom languages.

Technical Details

AI Translation

Common Consequences

integrity

Impacts

modify application data

Potential Mitigations

Phases:

implementation

Descriptions:

• Consider refactoring your code to avoid extraction routines altogether.

• Use allowlists of variable names that can be extracted.

• In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.

AI Generated Translation

Common Consequences

integrità

Impacts

modificare dati applicazione

Potential Mitigations

Phases:

implementazione

Descriptions:

• Considera di ristrutturare il tuo codice per evitare del tutto le routine di estrazione.

• Utilizzare whitelist di nomi di variabili che possono essere estratti.

• In PHP, chiama extract() con opzioni come EXTR_SKIP e EXTR_PREFIX_ALL; chiama import_request_variables() con un argomento prefisso. Nota che queste funzionalità non sono presenti in tutte le versioni di PHP.

CWE-621

Common Consequences

Impacts

Potential Mitigations

Common Consequences

Impacts

Potential Mitigations

Iscriviti alla newsletter