logo

Dynamic Variable Evaluation

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application allows user input to directly determine which variable or function name is used at runtime. Without strict validation, an attacker can manipulate these names to access or modify sensitive data, execute unauthorized functions, or disrupt the application's logic.

Extended Description

The core risk lies in the attacker's ability to influence the target of read, write, or execution operations. By injecting crafted variable or function names, they can bypass intended access controls, potentially leading to data exposure, privilege escalation, or arbitrary code execution. The specific impact depends entirely on what variables and functions are within reach of this manipulation. The severity and nature of the resulting exploit are determined by how the application uses these dynamically evaluated elements. An attacker's control can propagate through the program's data flow, affecting any code paths connected to the compromised variables or functions. Therefore, the damage isn't limited to a single point of injection but can extend to any dependent operations, amplifying the initial breach.
Common Consequences 1
Scope: ConfidentialityIntegrityAvailability

Impact: Modify Application DataExecute Unauthorized Code or Commands

An attacker could gain unauthorized access to internal program variables and execute arbitrary code.
Potential Mitigations 3
Phase: Implementation

Strategy: Refactoring

Refactor the code to avoid dynamic variable evaluation whenever possible.
Phase: Implementation

Strategy: Input Validation

Use only allowlists of acceptable variable or function names.
Phase: Implementation
For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.
Observed Examples 4
CVE-2009-0422Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.
CVE-2007-2431Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.
CVE-2006-4904Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.
CVE-2006-4019Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.
References 2
Dynamic Evaluation Vulnerabilities in PHP applications
Steve Christey
Full-Disclosure
03-05-2006
https://seclists.org/fulldisclosure/2006/May/35(2023-04-07)
ID: REF-517
A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications
Shaun Clowes
https://securereality.com.au/study-in-scarlett/(2023-04-07)
ID: REF-518
Applicable Platforms
Languages:
PHP : UndeterminedPerl : Undetermined
Modes of Introduction
Implementation
Alternate Terms

Dynamic evaluation
Related Weaknesses
ChildOf: Improper Control of Dynamically-Identified Variables (CWE-914)
PeerOf: Permissive List of Allowed Inputs (CWE-183)
Notes
Research GapUnder-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.