CWE-616: Incomplete Identification of Uploaded File Variables (PHP)
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
扩展描述
These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd".
常见后果
影响范围: Confidentiality Integrity
技术影响: Read Files or Directories Modify Files or Directories
潜在缓解措施
阶段: Architecture and Design
描述: Use PHP 4 or later.
阶段: Architecture and Design
描述: If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile']))
阶段: Implementation
描述: For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.
观察示例
参考: CVE-2002-1460
Forum does not properly verify whether a file was uploaded or if the associated variables were set by POST, allowing remote attackers to read arbitrary files.
参考: CVE-2002-1759
Product doesn't check if the variables for an upload were set by uploading the file, or other methods such as $_POST.
参考: CVE-2002-1710
Product does not distinguish uploaded file from other files.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Incomplete Identification of Uploaded File Variables (PHP) | - |
| Software Fault Patterns | SFP25 | Tainted input to variable | - |