CWE-914: Improper Control of Dynamically-Identified Variables

Description

The product does not properly restrict reading from or writing to dynamically-identified variables.

Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.

Potential Impact

Integrity

Modify Application Data

Integrity

Execute Unauthorized Code or Commands

Other, Integrity

Varies by Context, Alter Execution Logic

Demonstrative Examples

This code uses the credentials sent in a POST request to login a user.

Bad

//Log user in, and set $isAdmin to true if user is an administrator
                     
                     function login($user,$pass){$query = buildQuery($user,$pass);mysql_query($query);if(getUserRole($user) == "Admin"){$isAdmin = true;}}
                     $isAdmin = false;extract($_POST);login(mysql_real_escape_string($user),mysql_real_escape_string($pass));

The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges.

Mitigations & Prevention

Implementation

For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.

ImplementationArchitecture and Design

Refactor the code so that internal program variables do not need to be dynamically identified.

Real-World CVE Examples

CVE ID	Description
CVE-2006-7135	extract issue enables file inclusion
CVE-2006-7079	Chain: extract used for register_globals compatibility layer, enables path traversal (CWE-22)
CVE-2007-0649	extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
CVE-2006-6661	extract() enables static code injection
CVE-2006-2828	import_request_variables() buried in include files makes post-disclosure analysis confusing
CVE-2009-0422	Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.
CVE-2007-2431	Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.
CVE-2006-4904	Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.
CVE-2006-4019	Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.

Frequently Asked Questions

What is CWE-914?

CWE-914 (Improper Control of Dynamically-Identified Variables) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not properly restrict reading from or writing to dynamically-identified variables.

How can CWE-914 be exploited?

Attackers can exploit CWE-914 (Improper Control of Dynamically-Identified Variables) to modify application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-914?

Key mitigations include: For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.

What is the severity of CWE-914?

CWE-914 is classified as a Base-level weakness (Medium abstraction). It has been observed in 9 real-world CVEs.

Description

Potential Impact

Integrity

Integrity

Other, Integrity

Demonstrative Examples

Mitigations & Prevention

Real-World CVE Examples

Related Weaknesses

CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

CWE-913: Improper Control of Dynamically-Managed Code Resources

Frequently Asked Questions