Incomplete Identification of Uploaded File Variables (PHP)
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd".
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
As of 2006, the "four globals" method is probably in sharp decline, but older PHP applications could have this issue.
In the "four globals" method, PHP sets the following 4 global variables (where "varname" is application-dependent):
"The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information."
** note: 'userfile' is the field name from the web form; this can vary.
Weaknesses in this category are related to insufficient verification of data authenticity.
This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
This view (slice) covers all the elements in CWE.
This view (slice) lists weaknesses that can be introduced during implementation.
This view (slice) covers issues that are found in PHP programs that are not common to all languages.