Variable Extraction Error
Weakness ID: 621 (Weakness Base)
Status: Incomplete
+ Description

Description Summary

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Extended Description

For example, in PHP, calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality might be possible in other interpreted languages, including custom languages.

+ Alternate Terms
Variable overwrite
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

PHP

+ Observed Examples
Reference | Description
CVE-2006-7135 | extract issue enables file inclusion
CVE-2006-7079 | extract used for register globals compatibility layer, enables path traversal
CVE-2007-0649 | extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
CVE-2006-6661 | extract() enables static code injection
CVE-2006-2828 | import_request_variables() buried in include files makes post-disclosure analysis confusing
+ Potential Mitigations

Use whitelists of variable names that can be extracted.

Consider refactoring your code to avoid extraction routines altogether.

In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
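
The three mitigations above, shown next to the weak default call. This is an added example, not part of the CWE entry; the function names, request keys and paths are constructed for illustration, and PHP 7 or later is assumed.

```php
<?php
// Constructed request data standing in for $_GET/$_POST (not from the CWE entry).
$request = ['page' => 'news', 'is_admin' => '1', 'template_dir' => '/tmp/upload'];

// Weak: every request key becomes a variable name, so caller-chosen keys
// replace values that trusted code set earlier in the same scope.
function render_unsafe(array $input): array
{
    $is_admin = false;
    $template_dir = '/srv/app/templates';
    extract($input);                     // default flag is EXTR_OVERWRITE
    return compact('is_admin', 'template_dir');
}

// Allowlist of extractable names plus EXTR_SKIP: unknown keys are dropped
// before extract() runs, and existing variables are never replaced.
function render_allowlist(array $input): array
{
    $is_admin = false;
    $template_dir = '/srv/app/templates';
    $allowed = ['page' => true, 'lang' => true];
    extract(array_intersect_key($input, $allowed), EXTR_SKIP);
    $page = $page ?? 'index';            // default only if the key was absent
    return compact('is_admin', 'template_dir', 'page');
}

// EXTR_PREFIX_ALL: request data lands in $req_* names only, which cannot
// collide with $is_admin or $template_dir.
function render_prefixed(array $input): array
{
    $is_admin = false;
    $template_dir = '/srv/app/templates';
    extract($input, EXTR_PREFIX_ALL, 'req');
    $page = $req_page ?? 'index';
    return compact('is_admin', 'template_dir', 'page');
}

// Refactored: no extraction routine, each field is read by name.
function render_explicit(array $input): array
{
    $is_admin = false;
    $template_dir = '/srv/app/templates';
    $page = isset($input['page']) ? (string) $input['page'] : 'index';
    return compact('is_admin', 'template_dir', 'page');
}

foreach (['render_unsafe', 'render_allowlist', 'render_prefixed', 'render_explicit'] as $fn) {
    echo $fn, ' => ', json_encode($fn($request)), PHP_EOL;
}
```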

+ Other Notes

In general, variable extraction can make control and data flow analysis difficult to perform. For PHP, extraction can be used to provide functionality similar to register_globals, which is frequently disabled in production systems. Many PHP versions will overwrite superglobals in extract/import_request_variables calls.

+ Weakness Ordinalities
Ordinality | Description
Primary | (where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 20 | Improper Input Validation | Development Concepts (primary) 699
ChildOf | Weakness Class | 94 | Failure to Control Generation of Code ('Code Injection') | Research Concepts (primary) 1000
PeerOf | Weakness Base | 99 | Improper Control of Resource Identifiers ('Resource Injection') | Research Concepts 1000
PeerOf | Weakness Base | 471 | Modification of Assumed-Immutable Data (MAID) | Research Concepts 1000
PeerOf | Weakness Base | 627 | Dynamic Variable Evaluation | Research Concepts 1000
+ Research Gaps

Probably under-reported for PHP. Under-studied for other interpreted languages.

+ Content History
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
  updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Description, Relationships, Observed Example, Other Notes, Weakness Ordinalities
2008-10-14 | CWE Content Team | MITRE | Internal
  updated Description