CWE-473: PHP External Variable Modification

Status: Draft
Weakness ID: 473 (Weakness Variant)
Description
Summary

A PHP application does not properly protect against the modification of its variables from external sources such as query parameters, form fields, or cookies. Because the application treats these variables as trusted internal state, this exposes it to numerous further weaknesses (file inclusion, injection, authentication bypass) that would not exist otherwise.

Potential Mitigations

* Carefully identify which variables can be controlled or influenced by an external user, and consider adopting a naming convention that makes it obvious when an externally modifiable variable is being used.
* Be reluctant to trust variables that were initialized outside the application's trust boundary, and ensure adequate checking is performed whenever input from outside that boundary is relied upon.
* Do not allow the application to run with register_globals enabled.
* If you implement a register_globals emulator, be extremely careful with variable extraction (for example, extract() applied to request arrays), dynamic evaluation, and similar constructs: weaknesses in the emulation can allow external variable modification to take place even without register_globals.
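The following is an added illustration, not code from the CWE entry: a request handler that emulates register_globals with extract() and so lets a query string overwrite internal variables (the authentication-bypass and file-inclusion outcomes listed under Observed Examples), placed beside an allow-listed alternative. The function names, the $is_admin and $lib_dir variables, and the sample request are hypothetical.

```php
<?php
// Added example for CWE-473; not the CWE entry's own code.
// All names below ($is_admin, $lib_dir, the handler functions) are hypothetical.

// --- Vulnerable: register_globals emulation via extract() ---
function vulnerable_handler(array $request): string
{
    $is_admin = false;            // internal state, assumed immutable
    $lib_dir  = '/var/www/lib';   // internal path, assumed immutable

    // Naive emulation: every request key becomes a local variable.
    // extract() defaults to EXTR_OVERWRITE, so a request carrying
    // is_admin=1&lib_dir=http://attacker.example/x replaces both internals.
    extract($request);

    if ($is_admin) {
        return "admin access granted; would include $lib_dir/admin.php";
    }
    return "normal user; would include $lib_dir/user.php";
}

// --- Hardened: explicit allow-list, separate namespace, validation ---
function hardened_handler(array $request): string
{
    $is_admin = false;
    $lib_dir  = '/var/www/lib';

    // Copy only the parameters this script expects, into a clearly named
    // array so externally sourced values are obvious wherever they are used.
    $allowed = ['page', 'sort'];
    $in = [];
    foreach ($allowed as $k) {
        if (array_key_exists($k, $request) && is_string($request[$k])) {
            $in[$k] = $request[$k];
        }
    }

    // Validate against a fixed set before the value gets near an include.
    $page = $in['page'] ?? 'user';
    if (!in_array($page, ['user', 'help'], true)) {
        $page = 'user';
    }

    if ($is_admin) {
        return "admin access granted; would include $lib_dir/admin.php";
    }
    return "normal user; would include $lib_dir/$page.php";
}

// Constructed sample request: attacker-chosen query parameters.
$attack = [
    'is_admin' => '1',
    'lib_dir'  => 'http://attacker.example/x',
    'page'     => 'user',
];

echo vulnerable_handler($attack), PHP_EOL;
echo hardened_handler($attack), PHP_EOL;
```

Note that switching extract() to EXTR_SKIP is not a fix: it protects variables already initialized at that point, but a variable that is only assigned later, or only when some library happens to be loaded (the "key variable" case under Observed Examples), is still attacker-seeded. Copying named parameters into a dedicated array, as the hardened handler does, removes the problem rather than narrowing it.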

Observed Examples
Reference | Description
* File upload allows arbitrary file read by setting hidden form variables to match internal variable names.
* Mistakenly trusts the $PHP_SELF variable to determine whether an include script was called by its parent.
* PHP remote file inclusion by modification of an assumed-immutable variable.
* Modification of a key variable when calling scripts that do not load the library that initializes it.
* Authentication bypass by modifying the array used for authentication.
Other Notes

This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). It can result from direct request (alternate path) issues, and it can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.

Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Base | 471 | Modification of Assumed-Immutable Data (MAID) | Development Concepts (primary) 699; Research Concepts (primary) 1000
CanPrecede | Compound Element: Composite | 98 | Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') | Research Concepts 1000
PeerOf | Weakness Variant | 616 | Incomplete Identification of Uploaded File Variables (PHP) | Research Concepts 1000
RequiredBy | Compound Element: Composite | 98 | Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') | Research Concepts 1000
Taxonomy Mappings
Mapped Taxonomy Name | Mapped Node Name
PLOVER | PHP External Variable Modification
Applicable Platforms
Languages
PHP
Time of Introduction
* Implementation
Related Attack Patterns
CAPEC-ID (CAPEC Version 1.1) | Attack Pattern Name
77 | Manipulating User-Controlled Variables
Content History
Submissions
PLOVER. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes, Taxonomy_Mappings
Page Last Updated: September 10, 2008