CWE-616: Incomplete Identification of Uploaded File Variables (PHP)

VariantIncomplete

The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.

View on MITRE

Back to CWE Lookup

Extended Description

These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd".

Technical Details

Structure: Simple

Applicable To

Languages

PHP

Platforms

Learn More

Find Related CVEs

Search for vulnerabilities that exploit CWE-616

CVE vs CWE: What's the Difference?

Understanding vulnerabilities vs weaknesses

Understanding CVSS Scoring

How vulnerability severity is measured

View Full MITRE Entry

Complete technical details and references