{"@ID": "627", "@Name": "Dynamic Variable Evaluation", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.", "Extended_Description": "The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "914", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "183", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Name": "PHP", "@Prevalence": "Undetermined"}, {"@Name": "Perl", "@Prevalence": "Undetermined"}]}, "Background_Details": {"Background_Detail": "Many interpreted languages support the use of a \"$$varname\" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as \"variable variables.\" Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2)."}, "Alternate_Terms": {"Alternate_Term": {"Term": "Dynamic evaluation"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Integrity", "Availability"], "Impact": ["Modify Application Data", "Execute Unauthorized Code or Commands"], "Note": "An attacker could gain unauthorized access to internal program variables and execute arbitrary code."}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Implementation", "Strategy": "Refactoring", "Description": "Refactor the code to avoid dynamic variable evaluation whenever possible."}, {"Phase": "Implementation", "Strategy": "Input Validation", "Description": "Use only allowlists of acceptable variable or function names."}, {"Phase": "Implementation", "Description": "For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2009-0422", "Description": "Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-0422"}, {"Reference": "CVE-2007-2431", "Description": "Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-2431"}, {"Reference": "CVE-2006-4904", "Description": "Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-4904"}, {"Reference": "CVE-2006-4019", "Description": "Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-4019"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-517"}, {"@External_Reference_ID": "REF-518"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Research Gap", "#text": "Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2007-05-07", "Submission_Version": "Draft 6", "Submission_ReleaseDate": "2007-05-07"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Background_Details, Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Common_Consequences, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-02-21", "Modification_Version": "2.4", "Modification_ReleaseDate": "2013-02-21", "Modification_Comment": "updated Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-06-25", "Modification_Version": "4.1", "Modification_ReleaseDate": "2020-06-25", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated References, Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}]}}
