Dynamic Variable Evaluation |
Weakness ID: 627 (Weakness Base) | Status: Incomplete |
Description Summary
Extended Description
The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or
Avoid dynamic evaluation whenever possible. |
Use only whitelists of acceptable variable or function names. |
For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments. |
Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2). |
Nature | Type | ID | Name | View(s) this relationship pertains to![]() |
---|---|---|---|---|
ChildOf | ![]() | 94 | Failure to Control Generation of Code ('Code Injection') | Development Concepts (primary)699 Research Concepts (primary)1000 |
PeerOf | ![]() | 183 | Permissive Whitelist | Research Concepts1000 |
PeerOf | ![]() | 621 | Variable Extraction Error | Research Concepts1000 |
Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals. |
Steve Christey. "Dynamic Evaluation Vulnerabilities in PHP applications". Full-Disclosure. 2006-05-03. <http://seclists.org/fulldisclosure/2006/May/0035.html>. |
Shaun Clowes. "A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications". <http://www.securereality.com.au/studyinscarlet.txt>. |