doulifang5554 2014-09-23 08:39
11 views
Accepted

Session check bypass vulnerability

We have a PHP page which is the admin section of the website. It is used to perform some update actions on the database. The code looks as follows:

    <?php
    // $con is assumed to be an existing mysqli connection (not shown in the question).
    session_start();
    if (!isset($_SESSION['somevariable'])) {
        header("Location:loginpage.php");
        // no exit here: execution falls through into the update below
    }

    $id = $_GET['somevariable'];
    $sql = "UPDATE sometable SET somecolumn='' where someothercolumn=?";
    $stmt = $con->prepare($sql);
    $stmt->bind_param('s', $id);
    $stmt->execute();

What we have noticed is that there has been some vulnerability, and this piece of code seems to be running from an unknown source at a periodic interval (5 seconds), which doesn't seem like someone has the password for the admin section and is running the actions manually.

We would like to know whether a hacker can bypass this login check and execute the rest of the code without having the password. Any insights into the vulnerability in the above piece of code will be helpful. Thanks in advance.


2 answers

  • dongxunhua2054 2014-09-23 08:50

    I saw two vulnerabilities:

    1) CSRF (using the variable directly from the GET method)

    2) exit not used after calling the header function

    Correct code should be like this:

    <?php
    header("Location: http://www.example.com/"); /* Redirect browser */
    
    /* Make sure that code below does not get executed when we redirect. */
    exit;
    ?>
    

    See php.net document Link

    This answer was selected as the best answer by the asker.
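The fix this answer describes, written out as a hardened version of the asker's admin page. This is an added example, not the asker's code nor the php.net snippet; it assumes $con is an open mysqli connection, that login stores the user name in $_SESSION['admin_user'], and that the login page issued a CSRF token into $_SESSION['csrf'] (e.g. with bin2hex(random_bytes(32))).

```php
<?php
// Added example. Assumptions: $con is an open mysqli connection, login sets
// $_SESSION['admin_user'], and $_SESSION['csrf'] holds a per-session token.
declare(strict_types=1);

session_start();

// 1) Authentication gate. The original page called header() but never stopped
//    the script, so any client that ignores the redirect (curl, a scheduled
//    script) still reached the UPDATE. exit after header() closes that hole.
if (!isset($_SESSION['admin_user'])) {
    header('Location: loginpage.php', true, 303);
    exit;
}

// 2) CSRF defence: a state-changing action must not run from a bare GET.
//    Require POST and a token that matches the one issued to this session.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf'], $_SESSION['csrf'])
    || !is_string($_POST['csrf'])
    || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 3) Validate the identifier before it reaches the query. The prepared
//    statement already prevents SQL injection; this rejects junk early.
$id = $_POST['somevariable'] ?? '';
if (!is_string($id) || $id === '' || strlen($id) > 64) {
    http_response_code(400);
    exit('Bad request');
}

$stmt = $con->prepare("UPDATE sometable SET somecolumn='' WHERE someothercolumn=?");
$stmt->bind_param('s', $id);
$stmt->execute();

// 4) Audit trail: a periodic, unexplained run like the one in the question
//    should show up in the logs together with its source address.
error_log(sprintf('admin update by %s from %s, rows=%d',
    $_SESSION['admin_user'], $_SERVER['REMOTE_ADDR'] ?? '-', $stmt->affected_rows));
```

With the vulnerable version, a single request with no session cookie still executes the UPDATE; with this version the same request gets a 303 and nothing else runs.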
