CWE-453: Insecure Default Variable Initialization

Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: Unknown

Description

The software, by default, initializes an internal variable with an insecure or less secure value than is possible.

Related Weaknesses

  • ChildOf CWE-1188 (View 1000, Ordinal: Primary)

  • ChildOf CWE-1188 (View 699, Ordinal: Primary)

Applicable Platforms

Language: PHP (Prevalence: Sometimes); Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope | Impact | Notes
Integrity | Modify Application Data | An attacker could gain access to and modify sensitive data or system information.

Potential Mitigations

Phase: System Configuration

Strategy:

Disable or change default settings when they can be used to abuse the system. Because those defaults ship with the product, a potential attacker who is familiar with the product is likely to know them. For instance, default credentials should be changed or the associated accounts should be disabled.

Demonstrative Examples

This code attempts to log in a user with credentials taken from a POST request:

bad PHP

// $user and $pass automatically set from POST request
if (login_user($user,$pass)) {
    $authorized = true;
}
...

if ($authorized) {
    generatePage();
}

Because the $authorized variable is never initialized, PHP with register_globals enabled will populate $authorized from any matching parameter in the POST request. An attacker can send a POST request that carries an unexpected third parameter, authorized=true, and gain authorized status without supplying valid credentials.

Here is a fixed version:

good PHP

$user = $_POST['user'];
$pass = $_POST['pass'];
$authorized = false;
if (login_user($user,$pass)) {
    $authorized = true;
}
...

This code avoids the issue by initializing $authorized to the secure default (false) and by explicitly reading the login credentials from $_POST rather than relying on variables that appear in scope implicitly. Regardless, register_globals should never be enabled: it was disabled by default in later PHP 4 and 5 releases and was removed entirely in PHP 5.4, so the same flaw is now more commonly reintroduced by hand, for example by calling extract() on $_REQUEST or $_POST.
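The following runnable script, added here as an example and not part of the CWE entry, puts the vulnerable and fixed handlers side by side. Because register_globals no longer exists, the example reproduces its effect with extract(), which imports every request key as a local variable exactly as register_globals did. The login_user() function and the two request arrays are constructed for the example; in the real application login_user() would check a credential store.

```php
<?php
// Added example for CWE-453, not CWE's own code. Simulates register_globals
// with extract() and contrasts an uninitialized flag with a secure default.

// Hypothetical credential check (constructed): only alice / s3cret is valid.
function login_user(string $user, string $pass): bool
{
    return $user === 'alice' && hash_equals('s3cret', $pass);
}

// Vulnerable: $authorized has no initial value, and every request parameter is
// imported into the local scope, which is what register_globals did implicitly.
function vulnerable_handler(array $request): bool
{
    extract($request);                 // defines $user, $pass AND $authorized if sent
    if (login_user($user ?? '', $pass ?? '')) {
        $authorized = true;
    }
    // Same decision as the page's `if ($authorized)`, without the PHP 8 warning
    // for an undefined variable when the parameter was not sent.
    return !empty($authorized);        // attacker-supplied 'authorized' survives here
}

// Fixed: explicit secure default, explicit reads, nothing imported from the request.
function fixed_handler(array $request): bool
{
    $authorized = false;
    $user = (string) ($request['user'] ?? '');
    $pass = (string) ($request['pass'] ?? '');
    if (login_user($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a legitimate login, and a forgery with a wrong password
// that smuggles in the extra parameter authorized=1.
$legit  = ['user' => 'alice', 'pass' => 's3cret'];
$forged = ['user' => 'alice', 'pass' => 'wrong', 'authorized' => '1'];

foreach (['vulnerable_handler', 'fixed_handler'] as $handler) {
    printf(
        "%-18s legit=%s forged=%s\n",
        $handler,
        $handler($legit)  ? 'granted' : 'denied',
        $handler($forged) ? 'granted' : 'denied'
    );
}
```

Run with `php cwe453.php`: the vulnerable handler grants the forged request because the string '1' imported by extract() is truthy and nothing ever resets it, while the fixed handler denies it. The practical check when auditing PHP code is to grep for extract(), parse_str() with a single argument, and any `$$name` variable-variable fed from request data, then confirm that every security-relevant flag is assigned a failing value before the first branch that can set it.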

Notes

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Insecure default variable initialization