SYM_PHP_0037 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code instantiates a new object using a class name taken directly from user input, such as the `$_GET`, `$_POST`, `$_COOKIE`, `$_REQUEST`, or `$_SERVER` superglobals. Because the attacker chooses the class name, they decide which class is instantiated and which constructor runs, which leads to unsafe behavior.
Impact
An attacker could instantiate arbitrary classes that are loadable within your application, potentially triggering dangerous code paths (for example, constructors with side effects) or bypassing security controls. In the worst case, this could result in remote code execution or full compromise of the system.
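The pattern described above, shown as an added illustration that is not part of the database entry: a request value used verbatim as the class name, beside a hardened version where the request value is only a key into an allowlist of classes chosen by the application. The handler classes, the `handler` request parameter and the sample rows are hypothetical.

```php
<?php
// Added example, not from the Symbiotic database entry. Class names, the
// 'handler' request parameter and the sample rows are constructed.

interface ExportHandler { public function run(array $rows): string; }

final class CsvExport implements ExportHandler {
    public function run(array $rows): string {
        return implode("\n", array_map(fn($r) => implode(',', $r), $rows));
    }
}
final class JsonExport implements ExportHandler {
    public function run(array $rows): string { return json_encode($rows); }
}

// VULNERABLE (CWE-470): the class name comes straight from the request, so
// any loadable class, including ones whose constructors have side effects,
// can be instantiated by whoever controls the request.
function exportVulnerable(array $request, array $rows): string
{
    $class = $request['handler'];   // attacker-controlled string
    $handler = new $class();
    return $handler->run($rows);
}

// HARDENED: the request value only selects an entry from a fixed allowlist;
// the application, not the input, decides which class is instantiated.
const EXPORT_HANDLERS = [
    'csv'  => CsvExport::class,
    'json' => JsonExport::class,
];

function exportSafe(array $request, array $rows): string
{
    $key = $request['handler'] ?? '';
    // is_string() guards against handler[]=... turning the value into an array.
    if (!is_string($key) || !array_key_exists($key, EXPORT_HANDLERS)) {
        throw new InvalidArgumentException('unknown export handler');
    }
    $handler = new (EXPORT_HANDLERS[$key])();
    // Defence in depth: the chosen class must implement the expected contract.
    if (!$handler instanceof ExportHandler) {
        throw new LogicException('handler does not implement ExportHandler');
    }
    return $handler->run($rows);
}

$rows = [['id', 'name'], [1, 'alice']];            // constructed sample input
echo exportSafe(['handler' => 'csv'], $rows), "\n"; // allowed key
try { exportSafe(['handler' => 'SplFileObject'], $rows); } // rejected
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

The `new (EXPORT_HANDLERS[$key])()` form requires PHP 8.0 or later; on older versions assign the class name to a variable first.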