Incomplete Identification of Uploaded File Variables (PHP)
Weakness ID: 616 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.

Extended Description

These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables This could be used to read or process arbitrary files by providing values such as "/etc/passwd".

+ Time of Introduction
  • Implementation
+ Applicable Platforms



+ Demonstrative Examples

Example 1

As of 2006, the "four globals" method is probably in sharp decline, but older PHP applications could have this issue.

In the "four globals" method, PHP sets the following 4 global variables (where "varname" is application-dependent):

(Bad Code)
Example Language: PHP 
$varname = name of the temporary file on local machine
$varname_size = size of file
$varname_name = original name of file provided by client
$varname_type = MIME type of the file

Example 2

"The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information."

(Bad Code)
Example Language: PHP 
$_FILES['userfile']['name'] - original filename from client
$_FILES['userfile']['tmp_name'] - the temp filename of the file on the server

** note: 'userfile' is the field name from the web form; this can vary.

+ Observed Examples
CVE-2002-1460program does not distinguish between normal $ POST variables and the ones that are used for recognizing that a file has been downloaded.
CVE-2002-1710CVE-2002-1759product doesn't check if the variables for an upload were set by uploading the file, or other methods such as $ POST.
CVE-2002-1460PHP web forum does not properly verify whether a file was uploaded, allowing attackers to reference other files by modifying POST variables.
CVE-2002-1710product does not distinguish uploaded file from other files.
CVE-2002-1759PHP script does not restrict access to uploaded files. Overlaps container error.
+ Potential Mitigations

Phase: Architecture and Design

Use PHP 4 or later.

Phase: Architecture and Design

If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile']))

For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.

+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class345Insufficient Verification of Data Authenticity
Research Concepts (primary)1000
ChildOfCategoryCategory429Handler Errors
Development Concepts (primary)699
PeerOfWeakness VariantWeakness Variant473PHP External Variable Modification
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERIncomplete Identification of Uploaded File Variables (PHP)
+ References
Shaun Clowes. "A Study in Scarlet - section 5, "File Upload"".
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Observed Example, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2008-10-14CWE Content TeamMITREInternal
updated Description, Other Notes, Potential Mitigations