CWE-473: PHP External Variable Modification
Learn about CWE-473 (PHP External Variable Modification), its security impact, exploitation methods, and prevention guidelines.
What is PHP External Variable Modification?
• Overview: PHP External Variable Modification is a vulnerability where a PHP application allows variables to be altered by external inputs such as query parameters or cookies, potentially leading to unintended behavior and security weaknesses.
• Exploitation Methods:
- Attackers can manipulate input fields like GET or POST variables to alter application logic or data.
- Common attack patterns include modifying control flows, bypassing authentication, or altering data integrity.
• Security Impact:
- Direct consequences include unauthorized access, data tampering, or execution of unintended code paths.
- Potential cascading effects could lead to data breaches, privilege escalation, or system compromise.
- Business impact might involve loss of sensitive data, reputational damage, or financial loss due to exploited weaknesses.
• Prevention Guidelines:
- Specific code-level fixes include validating and sanitizing all external inputs and using built-in PHP functions to filter input data.
- Security best practices involve implementing strict input validation, using whitelisting over blacklisting, and avoiding the use of variable variables.
- Recommended tools and frameworks include using PHP frameworks with built-in security features like Laravel or Symfony, and employing security libraries for input validation.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: PHP
Affected Technologies: Not specified
Vulnerable Code Example
<?php
// This PHP code is vulnerable to External Variable Modification.
// The application allows external input to directly modify a configuration variable.

// Default configuration for the application
$admin_email = 'admin@example.com';

// Vulnerable: directly using a GET parameter to modify an application variable
if (isset($_GET['admin_email'])) {
    $admin_email = $_GET['admin_email']; // Potentially dangerous modification
}

echo "Admin email is: " . htmlspecialchars($admin_email);
?>
Explanation
- Direct Modification: The $admin_email variable is directly modified based on user input without any validation or sanitization. This can lead to unauthorized changes and potential security issues.
How to fix PHP External Variable Modification?
To fix this vulnerability, it is crucial to avoid directly using external input to modify sensitive variables or configurations in your application. Here are the steps to secure this code:
- Validation and Sanitization: Always validate and sanitize any external input before using it. Ensure that the input conforms to the expected format and constraints.
- Immutable Configuration: Keep sensitive configurations immutable once set. Use environment variables or configuration files that are not modifiable at runtime based on external inputs.
- Adopt a Whitelist Approach: If you must allow modification of certain settings, use a whitelist approach where only specific, safe modifications are permitted.
By implementing these practices, you protect your application from unauthorized modifications and potential exploits.
Fixed Code Example
<?php
// Fixed code with proper validation and security controls to prevent external variable modification.

// Function to check if the email domain is allowed
function is_safe_domain($email) {
    $allowed_domains = ['example.com', 'example.org']; // Whitelist of allowed domains
    $domain = substr(strrchr($email, "@"), 1);
    return in_array($domain, $allowed_domains);
}

// Default configuration for the application, set immutably
$admin_email = 'admin@example.com';

// Validate and sanitize the external input before usage
if (isset($_GET['admin_email'])) {
    $input_email = filter_var($_GET['admin_email'], FILTER_VALIDATE_EMAIL); // Validate email format
    // Only allow modification if the email is valid and from a safe domain
    if ($input_email && is_safe_domain($input_email)) {
        $admin_email = $input_email; // Only assign if validation passes
    }
}

echo "Admin email is: " . htmlspecialchars($admin_email);
?>
Improvements
- Email Validation: The filter_var function is used with FILTER_VALIDATE_EMAIL to ensure that the email is valid.
- Domain Whitelist: A custom function is_safe_domain ensures that only emails from approved domains can modify $admin_email.
- Immutable Defaults: The default admin email is set in the code and not overridden unless the input passes all checks.
This improved example demonstrates how to securely handle external input by validating and sanitizing it, ensuring that sensitive configuration variables remain protected from unauthorized changes.
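As an added example (not code from the original page), the settings handler below extends the fix above to the case the prevention guidelines warn about: an application that copies request keys straight into variables (variable variables, extract(), register_globals). The hardened version keeps a closed allow-list of overridable keys, each paired with its own filter, so an unlisted key such as an internal debug flag is discarded rather than applied; the names $defaults, apply_overrides and validate_admin_email are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original page. The names ($defaults, apply_overrides,
// validate_admin_email) are assumptions chosen for illustration.

// Immutable defaults. 'debug' is internal and must never be client-controllable.
$defaults = ['admin_email' => 'admin@example.com', 'page_size' => 20, 'debug' => false];

// VULNERABLE (CWE-473): every request key becomes a variable, the pattern behind
// register_globals and extract($_GET). A request carrying debug=1 flips the flag.
function apply_overrides_unsafe(array $settings, array $request): array {
    foreach ($request as $key => $value) {
        $$key = $value;            // variable variable: the client picks the name
        $settings[$key] = $value;  // no allow-list, no validation
    }
    return $settings;
}

// Domain allow-list for the admin address (the same check as the page's fix).
function validate_admin_email(string $email) {
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    $domain = substr(strrchr($email, '@'), 1);
    return in_array($domain, ['example.com', 'example.org'], true) ? $email : false;
}

// HARDENED: a closed map of overridable key => filter. Keys not listed are
// discarded, and a value is applied only when its filter accepts it.
function apply_overrides(array $settings, array $request): array {
    $allowed = [
        'admin_email' => ['filter' => FILTER_CALLBACK, 'options' => 'validate_admin_email'],
        'page_size'   => ['filter' => FILTER_VALIDATE_INT,
                          'options' => ['min_range' => 1, 'max_range' => 100]],
    ];
    // add_empty=false: keys absent from the request keep their default value.
    foreach (filter_var_array($request, $allowed, false) as $key => $value) {
        if ($value !== false && $value !== null) {
            $settings[$key] = $value;
        }
    }
    return $settings;
}

// Constructed request: one valid override, one out-of-range value, one internal key.
$request = ['admin_email' => 'ops@example.org', 'page_size' => '500', 'debug' => '1'];
$unsafe = apply_overrides_unsafe($defaults, $request); // debug => '1', page_size => '500'
$safe   = apply_overrides($defaults, $request);        // debug => false, page_size => 20
var_dump($safe['admin_email'] === 'ops@example.org' && $safe['debug'] === false && $safe['page_size'] === 20);
```

Running the script prints bool(true): the valid address is applied, the out-of-range page size and the internal debug key fall back to their defaults, while the unsafe variant would have accepted all three.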