SYM_PHP_0016 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | PHP |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Using PHP's extract() function directly on data from user input (like $_GET, $_POST, or $_FILES) can let attackers overwrite variables in your code, leading to unexpected or unsafe behavior. To prevent this, avoid using extract() with user data, or always use the EXTR_SKIP flag to prevent existing variables from being overwritten.
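The following is an added example, not code from the Symbiotic database entry: a request handler that decides between an admin and a user view of a report. The `vulnerableHandler` function shows how `extract()` on request data silently replaces the `$is_admin` local that was set just before it; the two hardened variants use the `EXTR_SKIP` flag and an explicit allowlist respectively. The `$untrustedInput` array is a constructed stand-in for `$_GET`/`$_POST`, and all function and variable names are assumptions made for this example.

```php
<?php
// Added example (not from the Symbiotic database page): shows extract() on
// request data overwriting a security-relevant local, plus two hardened forms.

// Constructed stand-in for $_GET / $_POST. An attacker controls these keys.
$untrustedInput = ['is_admin' => '1', 'report' => 'sales'];

function vulnerableHandler(array $request): string
{
    $is_admin = false;      // security decision made before extract()
    extract($request);      // default flag is EXTR_OVERWRITE: $is_admin becomes '1'
    $report = $report ?? 'default';
    return $is_admin ? "admin view of {$report}" : "user view of {$report}";
}

function hardenedSkipHandler(array $request): string
{
    $is_admin = false;                // predefine every variable that must not move
    extract($request, EXTR_SKIP);     // keys colliding with existing variables are skipped
    // Caveat: EXTR_SKIP only protects variables that already exist. Anything the
    // code reads but did not predefine (here $report) can still be set by input,
    // so every later read must tolerate both "absent" and "attacker-supplied".
    $report = $report ?? 'default';
    return $is_admin ? "admin view of {$report}" : "user view of {$report}";
}

function hardenedExplicitHandler(array $request): string
{
    $is_admin = false;
    // Allowlist: read only the keys the handler expects, coerce the type, and
    // never let input choose variable names at all.
    $report = isset($request['report']) ? (string) $request['report'] : 'default';
    return $is_admin ? "admin view of {$report}" : "user view of {$report}";
}

echo vulnerableHandler($untrustedInput), PHP_EOL;
echo hardenedSkipHandler($untrustedInput), PHP_EOL;
echo hardenedExplicitHandler($untrustedInput), PHP_EOL;
```

Run with `php example.php`. The vulnerable handler prints the admin view because the string `'1'` from the request replaced the `false` that was assigned one line earlier; both hardened handlers print the user view. The explicit-allowlist form is preferable to `EXTR_SKIP` because it also works for variables the code has not yet defined at the point of the `extract()` call. For detection, grepping for `extract(` whose argument is `$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE` or `$_FILES` with no second argument finds the pattern this entry describes.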
Impact
If exploited, an attacker could inject or overwrite variables in your application, potentially bypassing security checks, altering program logic, or gaining unauthorized access to sensitive operations. This can lead to security breaches, data manipulation, or even full system compromise.