1. Home
  2. CWE Database
  3. CWE-473
Variant · Low-Medium

CWE-473: PHP External Variable Modification

A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses tha...

CWE-473 · Variant Level ·5 CVEs ·1 Mitigations

Description

A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.

Potential Impact

Integrity

Modify Application Data

Mitigations & Prevention

RequirementsImplementation

Carefully identify which variables can be controlled or influenced by an external user, and consider adopting a naming convention to emphasize when externally modifiable variables are being used. An application should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary. Do not allow your application to run with register_globals enabled. If you implement a register_globa

Real-World CVE Examples

CVE IDDescription
CVE-2000-0860File upload allows arbitrary file read by setting hidden form variables to match internal variable names.
CVE-2001-0854Mistakenly trusts $PHP_SELF variable to determine if include script was called by its parent.
CVE-2002-0764PHP remote file inclusion by modified assumed-immutable variable.
CVE-2001-1025Modify key variable when calling scripts that don't load a library that initializes it.
CVE-2003-0754Authentication bypass by modifying array used for authentication.

CWE-471: Modification of Assumed-Immutable Data (MAID)

The product does not properly protect an assumed-immutable element from being modified by an attacker.

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the inp...

Taxonomy Mappings

  • PLOVER: — PHP External Variable Modification

Frequently Asked Questions

What is CWE-473?

CWE-473 (PHP External Variable Modification) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses tha...

How can CWE-473 be exploited?

Attackers can exploit CWE-473 (PHP External Variable Modification) to modify application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-473?

Key mitigations include: Carefully identify which variables can be controlled or influenced by an external user, and consider adopting a naming convention to emphasize when externally modifiable variables are being used. An a

What is the severity of CWE-473?

CWE-473 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 5 real-world CVEs.