Improper Control of Dynamically-Identified Variables

Description

This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing attackers to read or modify data they shouldn't have access to.

Extended Description

Many programming languages provide dynamic variable access features—like using string inputs to directly reference variable names—which can accelerate development by offering great flexibility. However, when these features accept unvalidated user input, they create a dangerous pathway for attackers to manipulate critical variables controlling authentication, authorization, or application logic. This risk is especially severe because attackers can often guess or discover variable names with security significance, such as those holding user permissions, configuration flags, or sensitive data. To prevent this, developers must avoid using dynamic variable access with user-controlled input entirely, or implement strict allow-list validation to restrict which variable names can be referenced through these mechanisms.

Common Consequences 3

Scope: Integrity

Impact: Modify Application Data

An attacker could modify sensitive data or program variables.

Scope: Integrity

Impact: Execute Unauthorized Code or Commands

Scope: OtherIntegrity

Impact: Varies by ContextAlter Execution Logic

Potential Mitigations 2

Phase: Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.

Phase: ImplementationArchitecture and Design

Strategy: Refactoring

Refactor the code so that internal program variables do not need to be dynamically identified.

Demonstrative Examples 1

ID : DX-107

This code uses the credentials sent in a POST request to login a user.

Code Example:

Bad

PHP

//Log user in, and set $isAdmin to true if user is an administrator*

php

The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges.

Observed Examples 9

CVE-2006-7135extract issue enables file inclusion

CVE-2006-7079Chain: extract used for register_globals compatibility layer, enables path traversal (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVE-2007-0649extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.

CVE-2006-6661extract() enables static code injection

CVE-2006-2828import_request_variables() buried in include files makes post-disclosure analysis confusing

CVE-2009-0422Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.

CVE-2007-2431Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.

CVE-2006-4904Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.

CVE-2006-4019Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.