
CWE-616 (Incomplete Identification of Uploaded File Variables (PHP)) — Vulnerability Class 1

1 vulnerability classified as CWE-616 (Incomplete Identification of Uploaded File Variables (PHP)). AI-generated analysis (translated from Chinese) included.

CWE-616 is an input validation weakness in PHP applications that rely on the legacy "four globals" file upload mechanism. It arises when code reads per-file global variables such as $varname, $varname_name, $varname_size or $varname_type, which the PHP engine populates automatically when a file is submitted. Because the same global namespace is also filled from other request sources (POST fields, cookies, query parameters) under register_globals, an attacker can overwrite these variables with a chosen path, filename or MIME type and make the application process a server-local file such as "/etc/passwd" instead of the upload, leading to arbitrary file read, unauthorized file processing or, depending on what the application does with the file, file inclusion or code execution. The mitigation is to stop using these deprecated globals entirely and read upload metadata only from the $_FILES superglobal (or $HTTP_POST_FILES on PHP 4.0), which the engine populates solely from the multipart request body and which cannot be overwritten by other request parameters; the temporary path should additionally be checked with is_uploaded_file() or consumed through move_uploaded_file() so that only a file PHP itself received is ever processed. Note that the 'name' and 'type' entries in $_FILES are still supplied by the client and must not be trusted on their own.

MITRE CWE Description
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd".
Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Files or Directories; Modify Files or Directories.
Mitigations (3)
Architecture and Design: Use PHP 4 or later.
Architecture and Design: If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile'].
Implementation: For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.
Examples (2)

Example 1 (Bad · PHP). As of 2006, the "four globals" method is probably in sharp decline, but older PHP applications could have this issue. In the "four globals" method, PHP sets the following four global variables for each uploaded file:
    $varname       = name of the temporary file on local machine
    $varname_size  = size of file
    $varname_name  = original name of file provided by client
    $varname_type  = MIME type of the file

Example 2 (Bad · PHP). "The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information."
    $_FILES['userfile']['name']      - original filename from client
    $_FILES['userfile']['tmp_name']  - the temp filename of the file on the server
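To tie the description, the mitigations and the two examples above together, here is an added example (not code from the CWE entry, the MITRE examples or the UnoPim CVE listed below) showing a legacy "four globals" upload handler next to a hardened handler that reads only $_FILES and goes through is_uploaded_file() and move_uploaded_file(). The field name "userfile", the upload directory, and the extension allow-list and content-type check are assumptions added for illustration; the allow-list and finfo check go beyond the CWE itself, which is only about which variables identify the upload.

```php
<?php
// Added example, not part of the CWE-616 entry. Assumptions: the form field is
// named "userfile" and uploads are stored under ./uploads next to this script.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed destination directory

// --- Vulnerable (CWE-616): the "four globals" method -------------------------
// Under register_globals the engine sets $userfile (temp path), $userfile_name,
// $userfile_size and $userfile_type, but the same names can also be set from
// GET/POST/cookie data, so the "temp path" may be any server-local path and the
// handler copies whatever it points at. Kept here as the "before" of the fix.
function handleUploadLegacy(): string
{
    global $userfile, $userfile_name;           // CWE-616: request-overwritable globals
    $dest = UPLOAD_DIR . '/' . $userfile_name;  // client-controlled filename, too
    copy($userfile, $dest);                     // copy() accepts any readable path
    return $dest;
}

// --- Hardened: $_FILES plus is_uploaded_file()/move_uploaded_file() ----------
// $_FILES is filled by the engine from the multipart body only and is not
// overwritten by register_globals, cookies or query parameters. is_uploaded_file()
// confirms tmp_name is a file PHP itself received, and move_uploaded_file()
// refuses to move anything else. 'name' and 'type' are still client data, so the
// server chooses the stored filename and checks the real content type.
function handleUploadSafe(string $field = 'userfile'): ?string
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        return null;                                   // no such upload field
    }
    $f = $_FILES[$field];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return null;                                   // failed or partial upload
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        return null;                                   // not a file PHP received
    }

    // Only the extension is derived from the client name, and only via an allow-list.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'pdf' => 'application/pdf'];
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                                   // disallowed type
    }

    // Sniff the stored bytes instead of trusting $f['type'] from the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($f['tmp_name']) !== $allowed[$ext]) {
        return null;                                   // content does not match extension
    }

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        return null;
    }
    // Server-generated name: the client-supplied name never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return null;                                   // refused: not an uploaded file
    }
    return $dest;
}

// Minimal wiring when served over HTTP; does nothing under the CLI.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $saved = handleUploadSafe();
    http_response_code($saved === null ? 400 : 201);
    echo $saved === null ? "upload rejected\n" : "stored\n";
}
```

The contrast worth noting is that the hardened version never consults any variable whose value could have arrived from a query string or cookie: the temporary path comes from $_FILES, is verified with is_uploaded_file(), and is consumed only through move_uploaded_file(), which is exactly the Implementation mitigation listed above.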
CVE ID          | Title                                                              | Product | CVSS | Severity | Published
CVE-2024-52305  | UnoPim Stored XSS : Cookie hijacking through Create User function  | unopim  | 6.5  | Medium   | 2024-11-13

Vulnerabilities classified as CWE-616 (Incomplete Identification of Uploaded File Variables (PHP)) account for 1 CVE. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.