CWE-621
Variable Extraction Error
Description
The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.
For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals.
Similar functionality is possible in other interpreted languages, including custom languages.
Parent Weaknesses (ChildOf)
Related Weaknesses
Common Consequences
Impact: Modify Application Data
Potential Mitigations
Use allowlists of variable names that can be extracted.
Consider refactoring your code to avoid extraction routines altogether.
In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
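The three mitigations above, side by side with the pattern they correct, as an added example that is not part of the CWE entry. The request array is constructed for illustration; the variable names ($is_admin, $tpl_dir, the req_ prefix and the allowlist) are assumptions, not taken from any real application. Only extract() is shown, since import_request_variables() is absent from current PHP releases.

```php
<?php
// Added example (not from the CWE entry). A request array is constructed
// here to stand in for $_GET / $_POST; note that it names variables the
// application already relies on.
$request = ['page' => 'home', 'is_admin' => '1', 'tpl_dir' => '/tmp/untrusted'];

// Vulnerable: extract() with the default EXTR_OVERWRITE lets the request
// choose which local variables are (re)defined. This is CWE-621.
function render_vulnerable(array $request): string
{
    $is_admin = false;                    // would come from the session
    $tpl_dir  = __DIR__ . '/templates';   // trusted template location
    extract($request);                    // overwrites $is_admin and $tpl_dir
    return sprintf("is_admin=%s tpl_dir=%s page=%s",
        var_export($is_admin, true), $tpl_dir, $page ?? '');
}

// Mitigation 1: EXTR_SKIP never overwrites a variable that already exists
// in scope, so values set before the call keep their trusted contents.
// (It still creates any new names the request supplies.)
function render_skip(array $request): string
{
    $is_admin = false;
    $tpl_dir  = __DIR__ . '/templates';
    extract($request, EXTR_SKIP);
    return sprintf("is_admin=%s tpl_dir=%s page=%s",
        var_export($is_admin, true), $tpl_dir, $page ?? '');
}

// Mitigation 2: EXTR_PREFIX_ALL puts every extracted name in its own
// namespace ($req_page, $req_is_admin, ...), so the request can never
// collide with application variables.
function render_prefixed(array $request): string
{
    $is_admin = false;
    $tpl_dir  = __DIR__ . '/templates';
    extract($request, EXTR_PREFIX_ALL, 'req');
    return sprintf("is_admin=%s tpl_dir=%s page=%s",
        var_export($is_admin, true), $tpl_dir, $req_page ?? '');
}

// Mitigation 3 (preferred): no extraction routine at all. An allowlist of
// parameter names is applied and each value is read explicitly.
function render_allowlisted(array $request): string
{
    $allowed  = ['page' => true, 'sort' => true];        // assumed allowlist
    $params   = array_intersect_key($request, $allowed); // drops is_admin, tpl_dir
    $is_admin = false;
    $tpl_dir  = __DIR__ . '/templates';
    $page     = $params['page'] ?? 'home';
    return sprintf("is_admin=%s tpl_dir=%s page=%s",
        var_export($is_admin, true), $tpl_dir, $page);
}

echo "vulnerable:  ", render_vulnerable($request), PHP_EOL;
echo "EXTR_SKIP:   ", render_skip($request), PHP_EOL;
echo "PREFIX_ALL:  ", render_prefixed($request), PHP_EOL;
echo "allowlisted: ", render_allowlisted($request), PHP_EOL;
```

Running the script shows the vulnerable variant reporting is_admin=true and the untrusted template path, while the three hardened variants keep the values the application set. EXTR_SKIP alone still lets the request define arbitrary new variables in scope, which is why the allowlist (or the prefix) is the stronger choice when the code cannot be refactored away from extraction entirely.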
Observed Examples
CVE-2006-7135: extract issue enables file inclusion
CVE-2006-7079: Chain: PHP app uses extract for register_globals compatibility layer (CWE-621), enabling path traversal (CWE-22)
CVE-2007-0649: extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
CVE-2006-6661: extract() enables static code injection
CVE-2006-2828: import_request_variables() buried in include files makes post-disclosure analysis confusing
Applicable Platforms