CWE-454: External Initialization of Trusted Variables or Data Stores

Description

The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

Extended Description

A product system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2022-43468

WordPress module sets internal variables based on external inputs, allowing false reporting of the number of views
CVE: CVE-2000-0959

Does not clear dangerous environment variables, enabling symlink attack.
CVE: CVE-2001-0033

Specify alternate configuration directory in environment variable, enabling untrusted path.
CVE: CVE-2001-0872

Dangerous environment variable not cleansed.
CVE: CVE-2001-0084

Specify arbitrary modules using environment variable.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	N/A

Common Consequences

Impact: Modify Application Data — Notes: An attacker could gain access to and modify sensitive data or system information.

Potential Mitigations

Implementation: A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary. (N/A)
Architecture and Design: Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible. (N/A)

Applicable Platforms

PHP (N/A, Sometimes)
None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: In the Java example below, a system property controls the debug level of the application.

Body: If an attacker is able to modify the system property, then it may be possible to coax the application into divulging sensitive information by virtue of the fact that additional debug information is printed/exposed as the debug level increases.

int debugLevel = Integer.getInteger("com.domain.application.debugLevel").intValue();

Intro: This code checks the HTTP POST request for a debug switch, and enables a debug mode if the switch is set.

Body: Any user can activate the debug mode, gaining administrator privileges. An attacker may also use the information printed by the phpinfo() function to further exploit the system. .

$debugEnabled = false; if ($_POST["debug"] == "true"){ $debugEnabled = true; } /.../ function login($username, $password){ if($debugEnabled){ echo 'Debug Activated'; phpinfo(); $isAdmin = True; return True; } }

Notes

Relationship: Overlaps Missing variable initialization, especially in PHP.
Applicable Platform: This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.

← Back to CWE list