External Variable Modification

ID

php.external_variable_modification

Severity

critical

Resource

Injection

Language

Php

Tags

CWE:473, NIST.SP.800-53, OWASP:2021:A8, PCI-DSS:6.5.1

Description

This vulnerability occurs when PHP functions parse external data directly into variables, potentially overwriting local or global variables and leading to unexpected behavior and security risks.

Rationale

PHP provides functions such as parse_str() and mb_parse_str() to parse data from HTTP request messages. If these functions are called without a second argument, they create or overwrite variables in the current scope. When the parsed string originates from an untrusted source, such as the request query string in $_SERVER['QUERY_STRING'], an attacker can choose parameter names that overwrite existing variables. Calling parse_str() without the second argument has been deprecated since PHP 7.2 and is rejected with an error since PHP 8.0, so the single-argument form is typically found in legacy code.

This can lead to file inclusion, code execution, or cross-site scripting vulnerabilities.

Here is a vulnerable code example in PHP:

$username = 'guest';                  // trusted default set by the application
parse_str($_SERVER['QUERY_STRING']);  // no target array: every query key becomes a variable
echo $username;                       // potentially overwritten by attacker-controlled query data

In the example above, failing to provide a second argument allows parse_str() to overwrite local variables, which can lead to security issues if $username is later used without validation.

Remediation

To remediate this vulnerability, always use the second argument when calling parse_str() or similar functions, ensuring variables are stored in a specified array rather than potentially overwriting existing ones.

parse_str($_SERVER['QUERY_STRING'], $queryParams);       // parsed keys land in $queryParams only
$username = $queryParams['username'] ?? 'default_user';
// Validate and sanitize $username before use (e.g. check it matches the expected format)

Using the second argument ensures that external data is stored in a controlled manner, preventing unintended variable overwrites. Always validate and sanitize input data before use.
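The following is an added example (not from the original page or the detector's own code) that contrasts the single-argument form with the array form on one constructed query string; the variable names, the allowlist pattern and the query string are assumptions. The vulnerable function only runs on PHP older than 8.0, where the second argument is still optional.

```php
<?php
// Constructed input: an attacker names query parameters after variables the
// handler relies on. Not taken from any real request.
$queryString = 'username=alice&is_admin=1&template=../../etc/passwd';

// Vulnerable pattern: single-argument parse_str() writes into the current scope,
// so $is_admin and $template are silently clobbered by the request.
function vulnerableHandler(string $qs): array
{
    $is_admin = false;        // server-side default that must not be request-controlled
    $template = 'home.php';   // file the page will later include
    parse_str($qs);           // PHP < 8.0: every query key becomes a local variable
    return ['is_admin' => $is_admin, 'template' => $template];
}

// Hardened pattern: parse into an array, then copy out only allowlisted keys
// that pass a format check. Privileged state never comes from the request.
function safeHandler(string $qs): array
{
    $is_admin = false;
    $template = 'home.php';
    parse_str($qs, $params);  // parsed keys land in $params only

    $allowed = ['username' => '/^[a-z0-9_]{1,32}$/i'];  // assumed expected parameters
    $clean = [];
    foreach ($allowed as $key => $pattern) {
        if (isset($params[$key]) && is_string($params[$key])
            && preg_match($pattern, $params[$key]) === 1) {
            $clean[$key] = $params[$key];
        }
    }
    return [
        'username' => $clean['username'] ?? 'default_user',
        'is_admin' => $is_admin,
        'template' => $template,
    ];
}

if (PHP_VERSION_ID < 80000) {
    var_dump(vulnerableHandler($queryString));  // shows the clobbered variables
}
var_dump(safeHandler($queryString));            // unexpected keys are dropped
```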

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check.

  • neutralizations, which indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References