logo

Variable Extraction Error

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application uses unvalidated external input to dynamically select which variables to populate with data. Without proper checks, this can allow an attacker to overwrite critical internal variables, leading to unexpected behavior or security breaches.

Extended Description

In languages like PHP, functions such as `extract()` or `import_request_variables()` can mimic the dangerous behavior of the deprecated `register_globals` feature if called incorrectly. An attacker can manipulate input to overwrite global variables, including superglobals like `$_SESSION` or `$_GET`, potentially bypassing security controls or altering application logic. This pattern is not exclusive to PHP. Many interpreted languages and custom frameworks offer similar dynamic variable assignment features. Developers must always validate or whitelist which variable names are allowed to be set externally, treating user input as data, not as code that defines the program's structure.
Common Consequences 1
Scope: Integrity

Impact: Modify Application Data

An attacker could modify sensitive data or program variables.
Potential Mitigations 3
Phase: Implementation

Strategy: Input Validation

Use allowlists of variable names that can be extracted.
Phase: Implementation
Consider refactoring your code to avoid extraction routines altogether.
Phase: Implementation
In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
Demonstrative Examples 1

ID : DX-107

This code uses the credentials sent in a POST request to login a user.

Code Example:

Bad
PHP


//Log user in, and set $isAdmin to true if user is an administrator*


php


The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges.
  
Observed Examples 5
CVE-2006-7135extract issue enables file inclusion
CVE-2006-7079Chain: PHP app uses extract for register_globals compatibility layer (Variable Extraction Error), enabling path traversal (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
CVE-2007-0649extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
CVE-2006-6661extract() enables static code injection
CVE-2006-2828import_request_variables() buried in include files makes post-disclosure analysis confusing
   
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 PHP : Undetermined 
  
  
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Implementation  
 
 
 
    
Alternate Terms 
Variable overwrite
      
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Improper Control of Dynamically-Identified Variables (CWE-914) 
  CanPrecede:
 Modification of Assumed-Immutable Data (MAID) (CWE-471) 
 
 
 
 
Taxonomy Mapping 
  • Software Fault Patterns
  
Notes 
Research GapProbably under-reported for PHP. Seems under-studied for other interpreted languages.