doulifang5554 2014-09-23 08:39
Views: 11
Accepted

Session check bypass vulnerability

We have a PHP page which is the admin section of the website. It is used to perform some update actions on the database. The code looks as follows:

    <?php
    session_start();
    if (!isset($_SESSION['somevariable'])) {
        header("Location: loginpage.php");
        // no exit here: execution continues into the update below
    }

    // $con is an existing mysqli connection
    $id = $_GET['somevariable'];
    $sql = "UPDATE sometable SET somecolumn='' where someothercolumn=?";
    $stmt = $con->prepare($sql);
    $stmt->bind_param('s', $id);
    $stmt->execute();

What we have noticed is that there has been some vulnerability, and this piece of code seems to be running from an unknown source at a periodic interval (5 seconds), which doesn't seem like someone has the password for the admin section and is running the actions manually.

We would like to know whether a hacker can bypass this login check and execute the rest of the code without having the password. Any insights into the vulnerability in the above piece of code will be helpful. Thanks in advance.


2 answers

  • dongxunhua2054 2014-09-23 08:50

    I saw two vulnerabilities:

    1) CSRF (using variable directly from GET method)

    2) Exit not used after calling header function

    Correct code should be like this:

    <?php
    header("Location: http://www.example.com/"); /* Redirect browser */
    
    /* Make sure that code below does not get executed when we redirect. */
    exit;
    ?>
    

    See php.net document Link

    This answer was selected as the best answer by the asker.
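    The two points from the accepted answer applied to the asker's admin handler, as an added example that is not code from the original question or answer. It assumes $con is an existing mysqli connection and that the login page stores a CSRF token in $_SESSION['csrf_token'] after a successful login; the names somevariable, sometable and someothercolumn are the asker's placeholders.

```php
<?php
// Added example, not from the original post: the admin update handler
// hardened against the two problems the answer raises.
// Assumes $con is an existing mysqli connection and that the login page
// stores a CSRF token in $_SESSION['csrf_token'] after a successful login:
//   $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// and embeds it in the admin form as
//   <input type="hidden" name="csrf_token" value="...">

session_start();

// 1) Session check: exit right after the redirect header. Without exit,
//    header() only queues a response header and PHP keeps executing, so an
//    anonymous request still reaches the UPDATE below (the original bug).
if (!isset($_SESSION['somevariable'])) {
    header("Location: loginpage.php");
    exit;
}

// 2) State-changing actions only via POST. A GET URL can be triggered by a
//    crafted <img src>, a link in a mail, or a browser prefetch.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// 3) CSRF token bound to the session, compared in constant time
//    (hash_equals needs PHP 5.6+).
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit;
}

// Basic input validation before touching the database.
$id = $_POST['somevariable'] ?? '';
if ($id === '') {
    http_response_code(400);
    exit;
}

// Prepared statement with bound parameter, as in the asker's code.
$sql  = "UPDATE sometable SET somecolumn='' WHERE someothercolumn=?";
$stmt = $con->prepare($sql);
$stmt->bind_param('s', $id);
$stmt->execute();
```

    Each of the exit calls matters: a guard that only sends a header or status code but lets the script run on is exactly the pattern that made the original page updatable without a login.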