CWE-473: PHP External Variable Modification
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.
Common Consequences
Scope: Integrity
Technical Impact: Modify Application Data
Potential Mitigations
Phases: Requirements, Implementation
Description: Carefully identify which variables can be controlled or influenced by an external user, and consider adopting a naming convention that makes it obvious when an externally modifiable variable is being used. An application should be reluctant to trust variables that were initialized outside of its trust boundary, and must validate any input it relies on from outside that boundary. Do not allow the application to run with register_globals enabled (the directive was removed in PHP 5.4, so this mainly concerns legacy installations). If you implement a register_globals emulator, be extremely careful with variable extraction (extract()), dynamic evaluation (eval(), variable variables such as $$name) and similar constructs, since a weakness in the emulation can allow external variable modification even without register_globals.
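The following is an added example, not code from the CWE entry or from any of the referenced products. It shows the register_globals-style pattern behind the observed examples (an uninitialized internal flag seeded from the request) next to two hardened forms: initializing internal state before reading any input, and, where an emulator cannot be avoided, importing request keys under a mandatory prefix so external variables are visibly external. The credentials, the `ext_` prefix and the sample requests are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// VULNERABLE: emulates register_globals by importing every request key into
// the local scope. EXTR_OVERWRITE (the default) means a request parameter can
// clobber, or create, any variable the script never initialized.
function vulnerable_admin_check(array $request): bool
{
    extract($request);

    // Developer intent: only the credential check below sets $authorized.
    if (isset($user, $pass) && $user === 'admin' && $pass === 'correct horse') {
        $authorized = true;
    }

    // $authorized was never initialized, so a request carrying
    // "authorized=1" supplies it and the check is bypassed.
    return !empty($authorized);
}

// HARDENED: internal state is initialized first, and only named, expected
// inputs are read from the request. Nothing external can become a variable
// the script did not explicitly create.
function hardened_admin_check(array $request): bool
{
    $authorized = false;

    $user = isset($request['user']) ? (string) $request['user'] : '';
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';

    // hash_equals() keeps the comparison constant-time; the hard-coded
    // password is a placeholder for a real credential store.
    if ($user === 'admin' && hash_equals('correct horse', $pass)) {
        $authorized = true;
    }

    return $authorized;
}

// If a register_globals-style emulator is unavoidable, force a prefix on every
// imported name. Request keys become $ext_<key>, so they can never collide
// with internal variables and their external origin is visible at each use.
function prefixed_import(array $request): array
{
    $authorized = false;                       // internal, initialized first
    extract($request, EXTR_PREFIX_ALL, 'ext'); // e.g. "user" -> $ext_user

    return [
        'authorized' => $authorized,           // untouched by "authorized=1"
        'imported'   => array_keys(get_defined_vars()),
    ];
}

// Constructed sample requests, standing in for $_GET / $_COOKIE contents.
$attack = ['authorized' => '1'];                       // no credentials at all
$legit  = ['user' => 'admin', 'pass' => 'correct horse'];

foreach (['vulnerable_admin_check', 'hardened_admin_check'] as $fn) {
    printf(
        "%-22s attack=%-5s legit=%s\n",
        $fn,
        var_export($fn($attack), true),
        var_export($fn($legit), true)
    );
}

$r = prefixed_import($attack);
printf(
    "prefixed_import        authorized=%s imported=%s\n",
    var_export($r['authorized'], true),
    implode(',', $r['imported'])
);
```

Running this with `php example.php` shows `vulnerable_admin_check` returning true for both requests, while `hardened_admin_check` returns false for the credential-less request and true for the legitimate one; `prefixed_import` reports `authorized=false` and lists `ext_authorized` among its variables, which is the naming convention the mitigation recommends made mechanical.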
Observed Examples
Reference: CVE-2000-0860
File upload allows arbitrary file read by setting hidden form variables to match internal variable names.
Reference: CVE-2001-0854
Mistakenly trusts $PHP_SELF variable to determine if include script was called by its parent.
Reference: CVE-2002-0764
PHP remote file inclusion by modified assumed-immutable variable.
Reference: CVE-2001-1025
Modify key variable when calling scripts that don't load a library that initializes it.
Reference: CVE-2003-0754
Authentication bypass by modifying array used for authentication.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Languages: PHP
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | PHP External Variable Modification | - |