Corgea LogoCorgea Security Hub

CWE-627: Dynamic Variable Evaluation

Learn about CWE-627 (Dynamic Variable Evaluation), its security impact, exploitation methods, and prevention guidelines.

What is Dynamic Variable Evaluation?

• Overview: Dynamic Variable Evaluation (CWE-627) is a vulnerability in which the names of variables can be influenced by user input at runtime. This can allow attackers to manipulate the program's execution by accessing or modifying variables and functions that were not intended to be exposed.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by injecting malicious input that determines the name of the variables.
  • Common attack patterns include manipulating variable names to access sensitive data or execute unintended code paths.

• Security Impact:

  • Direct consequences include unauthorized access to variables or functions, potentially leading to data breaches or system compromise.
  • Potential cascading effects might include unauthorized changes in application logic, privilege escalation, or denial of service.
  • Business impact could involve loss of sensitive data, damage to reputation, and financial losses due to system downtime or data theft.

• Prevention Guidelines:

  • Specific code-level fixes include avoiding the use of dynamic variable names derived from user input. Validate and sanitize all inputs rigorously.
  • Security best practices involve using static variable names and employing strict input validation and output encoding techniques.
  • Recommended tools and frameworks include static analysis tools to detect dynamic variable evaluation risks, and using frameworks that enforce strict variable naming conventions.
Corgea can automatically detect and fix Dynamic Variable Evaluation in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: PHP, Perl

Affected Technologies: Not specified

Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).

Vulnerable Code Example

PHP Example

<?php
// This PHP script demonstrates a Dynamic Variable Evaluation vulnerability.
// User input is used to create a variable name dynamically, which can be exploited.

\$defaultValue = "default";

// User input is taken from a GET request and used to set a variable name
\$varName = \$_GET['varName']; // User-controlled input
\$\$varName = "Sensitive Data"; // Dynamic variable creation

echo \$\$varName; // Output the content of the dynamically created variable
?>

In this vulnerable example, the script uses user input to dynamically create variable names. This allows an attacker to manipulate the variable name to access or modify unintended data, leading to potential security risks.

How to fix Dynamic Variable Evaluation?

Dynamic Variable Evaluation is a vulnerability where variable names are determined based on user input, allowing attackers to manipulate variable names to access or modify unintended data. To fix this vulnerability, avoid using dynamic variable names derived from user input. Instead, use associative arrays to store related data, which allows for controlled access and prevents arbitrary variable manipulation.

Best Practices:

  1. Use Associative Arrays: Store data in arrays and access it using sanitized keys.
  2. Sanitize User Input: Ensure that any user input used to access or modify data is properly sanitized and validated.
  3. Limit Variable Scope: Keep the scope of variables limited and check if the key exists in the array before accessing it.

Fixed Code Example

<?php
// The code has been refactored to eliminate dynamic variable evaluation.
// An associative array is used to store data safely, and user input is sanitized.

\$defaultValue = "default";

// Initialize an associative array to hold potential data
\$dataStore = array(
    'allowedKey' => "Sensitive Data",
    'anotherKey' => "More Data"
);

// Safely access data in the array using a sanitized key from user input
\$varName = filter_input(INPUT_GET, 'varName', FILTER_SANITIZE_STRING); // Sanitize user input
if (isset(\$dataStore[\$varName])) { // Check if the key exists in the array
    echo \$dataStore[\$varName]; // Safely output the data
} else {
    echo \$defaultValue; // Fallback to a default value if the key is not allowed
}
?>

In the fixed example, we replaced dynamic variable creation with an associative array (\$dataStore). User input is sanitized using filter_input() with FILTER_SANITIZE_STRING to prevent malicious input. We then check if the requested key exists in the array using isset(), ensuring that only predefined keys can be accessed, thus mitigating the risk of unauthorized data access or modification.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-627: Dynamic Variable Evaluation and get remediation guidance

Start for free and no credit card needed.