
CWE-621 (Variable Extraction Error) — Vulnerability Class 1

1 vulnerability classified as CWE-621 (Variable Extraction Error). AI Chinese analysis included.

CWE-621 is an input validation weakness in which software lets external input decide which variable names incoming data is written into, without checking that those names are valid or expected. An attacker who controls the input can therefore overwrite variables the program already relies on, such as an authorization flag, a file path, or a database setting, and change program state or control flow without crossing any memory-safety boundary. In PHP the classic form is extract() (or, before its removal in PHP 5.4, import_request_variables()) called on $_GET or $_POST, which recreates the behaviour of the deprecated register_globals setting. The mitigation is to avoid dynamic variable assignment from untrusted sources altogether and read named keys explicitly; where extraction cannot be removed, restrict it to an allowlist of permitted names and call extract() with EXTR_SKIP or EXTR_PREFIX_ALL plus a prefix so that untrusted keys cannot collide with existing variables.

MITRE CWE Description
The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables. For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality is possible in other interpreted languages, including custom languages.
Common Consequences (1)
Integrity: Modify Application Data
An attacker could modify sensitive data or program variables.
Mitigations (3)
Implementation: Use allowlists of variable names that can be extracted.
Implementation: Consider refactoring your code to avoid extraction routines altogether.
Implementation: In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
Examples (1)
This code uses the credentials sent in a POST request to login a user.
```php
// Log user in, and set $isAdmin to true if user is an administrator.
// Note: this $isAdmin is local to login() and never reaches the global one.
function login($user, $pass) {
    $query = buildQuery($user, $pass);
    mysql_query($query);
    if (getUserRole($user) == "Admin") {
        $isAdmin = true;
    }
}

$isAdmin = false;
// CWE-621: every POST key becomes a global variable, so a request that also
// carries isAdmin=1 overwrites the flag that was just initialised to false.
extract($_POST);
login(mysql_real_escape_string($user), mysql_real_escape_string($pass));
```
Bad · PHP
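As an added example (not the CWE entry's own code and not from any product listed on this page), the same overwrite written so it runs from the PHP CLI, beside the three mitigations the entry lists: EXTR_SKIP, EXTR_PREFIX_ALL with a prefix, and reading an allowlist of keys with no extraction at all. USERS, roleOf() and the two $…Request arrays are constructed stand-ins for a real credential lookup and for $_POST.

```php
<?php
// Added example for CWE-621; everything below is constructed for illustration.

// Constructed user table standing in for the database lookup.
const USERS = [
    'alice' => ['pass' => 'hunter2', 'role' => 'user'],
    'root'  => ['pass' => 's3cret',  'role' => 'Admin'],
];

// Returns the role for a valid username/password pair, or null on failure.
function roleOf(string $user, string $pass): ?string
{
    $row = USERS[$user] ?? null;
    if ($row === null || !hash_equals($row['pass'], $pass)) {
        return null;
    }
    return $row['role'];
}

// Vulnerable: extract() turns every key into a local variable and, with the
// default EXTR_OVERWRITE flag, replaces the $isAdmin this function initialised.
function vulnerableLogin(array $post): bool
{
    $isAdmin = false;
    extract($post);                          // CWE-621: $isAdmin becomes the string '1'
    if (roleOf($user, $pass) === 'Admin') {
        $isAdmin = true;
    }
    return (bool) $isAdmin;
}

// EXTR_SKIP: keys that collide with an existing variable are ignored. Only a
// partial fix: a key that does not collide still becomes a new variable, so any
// state initialised after the extract() call would remain attacker-reachable.
function skipLogin(array $post): bool
{
    $isAdmin = false;
    extract($post, EXTR_SKIP);               // $isAdmin kept; $user and $pass created
    if (roleOf($user, $pass) === 'Admin') {
        $isAdmin = true;
    }
    return $isAdmin;
}

// EXTR_PREFIX_ALL: every extracted name is prefixed ($req_user, $req_pass,
// $req_isAdmin), so an untrusted key can never collide with application state.
function prefixedLogin(array $post): bool
{
    $isAdmin = false;
    extract($post, EXTR_PREFIX_ALL, 'req');
    if (roleOf($req_user, $req_pass) === 'Admin') {
        $isAdmin = true;                     // $req_isAdmin is simply never consulted
    }
    return $isAdmin;
}

// Preferred: no extraction. Keep only allowlisted keys and read them by name;
// nothing in the request can become a variable.
function allowlistedLogin(array $post): bool
{
    $input = array_intersect_key($post, ['user' => true, 'pass' => true]);
    $role  = roleOf((string) ($input['user'] ?? ''), (string) ($input['pass'] ?? ''));
    return $role === 'Admin';
}

// Constructed requests: a normal user who adds an isAdmin field, and a real admin.
$attackRequest = ['user' => 'alice', 'pass' => 'hunter2', 'isAdmin' => '1'];
$adminRequest  = ['user' => 'root',  'pass' => 's3cret'];

foreach (['vulnerableLogin', 'skipLogin', 'prefixedLogin', 'allowlistedLogin'] as $fn) {
    printf("%-17s alice+isAdmin=1 -> %-5s  root -> %s\n",
        $fn,
        var_export($fn($attackRequest), true),
        var_export($fn($adminRequest), true));
}
```

Run it with `php cwe621.php`. For the alice request vulnerableLogin() returns true even though alice's role is user, because extract() replaced the function's own $isAdmin with the posted '1'; skipLogin(), prefixedLogin() and allowlistedLogin() return false for that request and true only for the genuine root login. Of the three, EXTR_SKIP is the weakest because it protects only variables that already exist at the moment extract() runs.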
CVE ID          Title                                          CVSS  Severity  Published
CVE-2018-6334   Facebook HHVM security vulnerability (HHVM)    9.8   -         2018-12-31

Vulnerabilities classified as CWE-621 (Variable Extraction Error) account for 1 CVE. The CWE taxonomy describes the weakness; review the individual CVE for product-specific impact.