Maxim Dsouza - 10 months ago
PHP Question

Session Check bypassed vulnerability

We have a PHP page which is the admin section of the website. It is used to perform some update actions on the database. The code looks as follows:

```php
if (!isset($_SESSION['somevariable']) )

$sql = "UPDATE sometable SET somecolumn='' where someothercolumn=?";
$stmt = $con->prepare($sql);
```

What we have noticed is that there has been some vulnerability, and this piece of code seems to be running from an unknown source at a periodic interval (5 seconds), which doesn't seem like someone has the password for the admin section and is running the actions manually.

We would like to know whether a hacker can bypass this login check and execute the rest of the code without having the password. Any insights into the vulnerability in the above piece of code will be helpful. Thanks in advance.

Answer

I saw two vulnerabilities:

1) CSRF (using a variable directly from the GET method)

2) Exit not used after calling header function

Correct code should be like this:

```php
header("Location:"); /* Redirect browser */

/* Make sure that code below does not get executed when we redirect. */
exit;
```

See the PHP documentation for header().
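To make the two points in the answer concrete, here is an added example (not code from the question or the answer) of a hypothetical admin endpoint in its vulnerable form beside a hardened form; `$con` is assumed to be an open mysqli connection, `admin_logged_in` and `csrf_token` are assumed session key names, and `login.php` is a placeholder redirect target.

```php
<?php
// Added example: not from the original question or answer.
// Assumptions: $con is an open mysqli connection; session keys
// 'admin_logged_in' and 'csrf_token' and the page login.php are placeholders.
session_start();

// VULNERABLE: header() only queues a redirect header; PHP keeps executing,
// so a request without a session still reaches the UPDATE below. Because the
// write is keyed off a GET parameter, any cross-site request (an <img> tag,
// a script fetching the URL every few seconds) can trigger it.
function vulnerable_update(mysqli $con): void
{
    if (!isset($_SESSION['admin_logged_in']))
        header("Location: login.php");      // no exit: execution falls through

    $value = $_GET['id'] ?? '';
    $stmt  = $con->prepare("UPDATE sometable SET somecolumn='' WHERE someothercolumn=?");
    $stmt->bind_param("s", $value);
    $stmt->execute();                       // runs for unauthenticated callers too
}

// HARDENED: stop the script after the redirect, accept only POST, and verify a
// per-session CSRF token so a forged cross-site request cannot cause the write.
function hardened_update(mysqli $con): void
{
    if (!isset($_SESSION['admin_logged_in'])) {
        header("Location: login.php");
        exit;                               // nothing below runs
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
    $token = $_POST['csrf_token'] ?? '';
    if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);            // token missing or wrong: refuse
        exit;
    }
    $value = $_POST['id'] ?? '';
    $stmt  = $con->prepare("UPDATE sometable SET somecolumn='' WHERE someothercolumn=?");
    $stmt->bind_param("s", $value);
    $stmt->execute();
}

// Issue the CSRF token once per session; embed it as a hidden field in the admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
```

The hardened version also turns the periodic unauthenticated requests from the question into 405/403 responses in the access log, which makes them easy to spot.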