1. Home
  2. CWE Database
  3. CWE-621
Variant · Low-Medium

CWE-621: Variable Extraction Error

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the pro...

CWE-621 · Variant Level ·5 CVEs ·3 Mitigations

Description

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality is possible in other interpreted languages, including custom languages.

Potential Impact

Integrity

Modify Application Data

Demonstrative Examples

This code uses the credentials sent in a POST request to login a user.
Bad
//Log user in, and set $isAdmin to true if user is an administrator
                     
                     function login($user,$pass){$query = buildQuery($user,$pass);mysql_query($query);if(getUserRole($user) == "Admin"){$isAdmin = true;}}
                     $isAdmin = false;extract($_POST);login(mysql_real_escape_string($user),mysql_real_escape_string($pass));
The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges.

Mitigations & Prevention

Implementation

Use allowlists of variable names that can be extracted.

Implementation

Consider refactoring your code to avoid extraction routines altogether.

Implementation

In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.

Real-World CVE Examples

CVE IDDescription
CVE-2006-7135extract issue enables file inclusion
CVE-2006-7079Chain: PHP app uses extract for register_globals compatibility layer (CWE-621), enabling path traversal (CWE-22)
CVE-2007-0649extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
CVE-2006-6661extract() enables static code injection
CVE-2006-2828import_request_variables() buried in include files makes post-disclosure analysis confusing

CWE-914: Improper Control of Dynamically-Identified Variables

The product does not properly restrict reading from or writing to dynamically-identified variables.

CWE-471: Modification of Assumed-Immutable Data (MAID)

The product does not properly protect an assumed-immutable element from being modified by an attacker.

Taxonomy Mappings

  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-621?

CWE-621 (Variable Extraction Error) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the pro...

How can CWE-621 be exploited?

Attackers can exploit CWE-621 (Variable Extraction Error) to modify application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-621?

Key mitigations include: Use allowlists of variable names that can be extracted.

What is the severity of CWE-621?

CWE-621 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 5 real-world CVEs.